18.1 Lab: Modifying serialized objects | 2023
This lab uses a serialization-based session mechanism and is vulnerable to privilege escalation as a result. To solve the lab, edit the serialized object in the session cookie to exploit this vulnerability and gain admin privileges to delete the user carlos | Karthikeyan Nagaraj
Nov 1, 2023
Description
This lab uses a serialization-based session mechanism and is vulnerable to privilege escalation as a result. To solve the lab, edit the serialized object in the session cookie to exploit this vulnerability and gain administrative privileges. Then, delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Solution
- Log in using your own credentials. Notice that the post-login GET /my-account request contains a session cookie that appears to be URL and Base64-encoded.
- Use Burp’s Inspector panel to study the request in its decoded form. Notice that the cookie is in fact a serialized PHP object. The admin attribute contains b:0, indicating the boolean value false. Send this request to Burp Repeater.
- In Burp Repeater, use the Inspector to examine the cookie again and change the value of the admin attribute to b:1. Click "Apply changes". The modified object will automatically be re-encoded and updated in the request.
- Send the request. Notice that the response now contains a link to the admin panel at /admin, indicating that you have accessed the page with admin privileges.
- Capture the My-account request again and change the cookie value in the same way as before.
- Click on the Delete user carlos link and repeat the same process to solve the lab.
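The edit works because the server trusts a client-held object that is only encoded, not authenticated. The following added example (not part of the lab or the original write-up) contrasts that scheme with a cookie carrying an HMAC tag; the object fields, the key and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, re
from urllib.parse import quote, unquote

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the client

# Constructed sample in PHP serialize() format; field names and values are illustrative.
SAMPLE = b'O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}'

def encode_unsigned(obj: bytes) -> str:
    """Weak scheme: the cookie is only Base64- and URL-encoded."""
    return quote(base64.b64encode(obj).decode())

def encode_signed(obj: bytes) -> str:
    """Hardened scheme: append an HMAC-SHA256 tag over the serialized bytes."""
    tag = hmac.new(SECRET, obj, hashlib.sha256).hexdigest()
    return quote(base64.b64encode(obj).decode() + "." + tag)

def decode_signed(cookie: str):
    """Return the serialized bytes only if the tag verifies, otherwise None."""
    try:
        body, tag = unquote(cookie).rsplit(".", 1)
        obj = base64.b64decode(body, validate=True)
    except ValueError:  # missing tag or malformed Base64
        return None
    expected = hmac.new(SECRET, obj, hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(expected.encode(), tag.encode())
    return obj if ok else None

def is_admin(obj: bytes) -> bool:
    """Read the boolean admin attribute from the serialized object."""
    m = re.search(rb's:5:"admin";b:([01]);', obj)
    return bool(m) and m.group(1) == b"1"

def flip_admin(cookie: str, signed: bool) -> str:
    """Reproduce the edit from the steps above: b:0 becomes b:1, then re-encode."""
    raw = unquote(cookie)
    body, _, tag = raw.partition(".") if signed else (raw, "", "")
    edited = base64.b64decode(body).replace(b'"admin";b:0', b'"admin";b:1')
    out = base64.b64encode(edited).decode() + ("." + tag if signed else "")
    return quote(out)
```

The tag only detects tampering; keeping the admin flag in server-side state keyed by an opaque session ID removes the client-controlled attribute altogether.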
Thank you for Reading!
Happy Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng