This lab covers insecure deserialization. While solving it, I found a solution slightly different from the well-known one written up in the lab, so I decided to describe both methods in case someone benefits from the information.
This lab uses a serialization-based session mechanism and is vulnerable to authentication bypass as a result. To solve the lab, edit the serialized object in the session cookie to access the
administrator account. Then, delete Carlos.
You can log in to your own account using the following credentials:
- Log in with your credentials [ wiener : peter ]
- In Burp, open the post-login GET /my-account request and examine the session cookie using the Inspector to reveal a serialized PHP object. Send this request to Burp Repeater.
- Decode it as URL, then as base64
- In Burp Repeater, use the Inspector panel to modify the session cookie as follows:
- Update the length of the
- Change the username to
- Change the access token to the integer 0. As this is no longer a string, you also need to remove the double quotes surrounding the value.
- Update the data type label for the access token by replacing
The result should look like this:
- Encode it as base64 first
- Then encode it as URL
- Copy this URL-encoded value, paste it into the Cookie (in the Inspector) and refresh the page
- Wow, I got access to the admin panel and have permission to delete any user.
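The bypass works because the server trusts whatever types the client serializes and then compares the supplied token loosely, and in PHP 7 a loose comparison of the integer 0 with a non-numeric string is true. As an added example (not the lab's or PortSwigger's code), here is the server-side check that would have refused the tampered cookie: a small parser for the PHP serialized format that rejects a session whose fields are not strings. The class name User and the field names username and access_token are assumptions; only wiener's token comes from this write-up.

```python
import base64
from urllib.parse import quote, unquote

# Constructed samples (class/field names are assumptions, not from the lab): a
# legitimate User object and the tampered form with access_token set to int 0.
LEGIT = ('O:4:"User":2:{s:8:"username";s:6:"wiener";'
         's:12:"access_token";s:32:"f7cfcxeq2ya3wgxm5jdwsthlmvstnfuh";}')
TAMPERED = 'O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}'

def encode_cookie(serialized: str) -> str:
    """Base64 then URL-encode, the order the lab's cookie uses."""
    return quote(base64.b64encode(serialized.encode()).decode(), safe='')

def parse(data: str, pos: int = 0):
    """Parse one PHP-serialized value (i:, s:, O:) at pos -> (value, next_pos)."""
    tag = data[pos]
    if tag == 'i':
        end = data.index(';', pos)
        return int(data[pos + 2:end]), end + 1
    if tag == 's':
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])        # byte length; samples are ASCII
        start = colon + 2                         # skip ':"'
        if data[start + length:start + length + 2] != '";':
            raise ValueError('string length label does not match payload')
        return data[start:start + length], start + length + 2
    if tag == 'O':
        colon = data.index(':', pos + 2)
        pos = colon + int(data[pos + 2:colon]) + 4   # skip ':"ClassName":'
        colon = data.index(':', pos)
        count, pos = int(data[pos:colon]), colon + 2  # skip ':{'
        props = {}
        for _ in range(count):
            key, pos = parse(data, pos)
            props[key], pos = parse(data, pos)
        if data[pos] != '}':
            raise ValueError('missing closing brace')
        return props, pos + 1
    raise ValueError(f'unsupported type tag {tag!r} at offset {pos}')

def load_session(cookie: str) -> dict:
    """Decode the cookie and reject sessions whose fields are not strings."""
    raw = base64.b64decode(unquote(cookie)).decode()
    obj, end = parse(raw)
    if end != len(raw) or not isinstance(obj, dict):
        raise ValueError('trailing data or unexpected top-level value')
    for field in ('username', 'access_token'):
        if not isinstance(obj.get(field), str):   # an i:0 token is refused here
            raise ValueError(f'{field} must be a string')
    return obj
```

The type check is the minimum; a real session handler should also compare tokens with a strict, constant-time comparison such as PHP's hash_equals, or better, sign the cookie so the client cannot edit it at all.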
While solving the lab, I made an error in the session format. This caused an internal server error, and the server leaked all the tokens stored in the system.
We know that PortSwigger labs have three main users (wiener, carlos, administrator).
The leaked tokens :
$access_tokens = [z95mls52t3l8efgp85tfl1aalg54hyg9, gjv08qeybgi7kisid7dsen67zsdj0vbc, f7cfcxeq2ya3wgxm5jdwsthlmvstnfuh]
Wiener's token was: f7cfcxeq2ya3wgxm5jdwsthlmvstnfuh
So I have another two tokens, and one of them may belong to the administrator.
- I tried this token: z95mls52t3l8efgp85tfl1aalg54hyg9
- Then I changed the token value to the following format
But it was still an internal server error, so this token does not belong to the administrator user.
- I changed the token to the last one: gjv08qeybgi7kisid7dsen67zsdj0vbc
It succeeded; now I can access the administrator panel and delete users.
So I solved the lab.
After browsing the admin panel, I thought for a few seconds and tried the last token to access the carlos account (account takeover). Why not?
- So I changed the username length from 13 to 6
- I changed the username value from administrator to carlos, as in the following format
- I changed the token to the last one.
Then I encoded it as base64, then as URL, and pasted it into the cookie.
Now I can access the carlos account.
In the end, I tried to solve the lab in all possible ways, and I hope you have benefited, even from a small piece of information.