18.2 Modifying Serialized Data Types
Karthikeyan Nagaraj · 2 min read · 3 days ago
Description
This lab uses a serialization-based session mechanism and is vulnerable to authentication bypass as a result. To solve the lab, edit the serialized object in the session cookie to access the administrator account. Then, delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter
Solution
- Log in using your own credentials. In Burp, open the post-login GET /my-account request and examine the session cookie using the Inspector to reveal a serialized PHP object. Send this request to Burp Repeater.
- In Burp Repeater, use the Inspector panel to modify the session cookie as follows:
  - Update the length of the username attribute to 13, change the username to administrator, and change the access token to the integer 0. As this is no longer a string, you also need to remove the double quotes surrounding the value.
  - Update the data type label for the access token by replacing s with i.
  - The result should look like this:
    O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}
- Click "Apply changes". The modified object will automatically be re-encoded and updated in the request.
- Send the request. Notice that the response now contains a link to the admin panel at /admin, indicating that you have successfully accessed the page as the administrator user.
- Change the path of your request to /admin and resend it. Notice that the /admin page contains links to delete specific user accounts.
- Change the path of your request to /admin/delete?username=carlos and send the request to solve the lab.
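The integer 0 works here because a PHP 7.x loose comparison (==) between the integer 0 and a string with no leading digits evaluates to true, so the tampered token "matches" any stored token. The following added example (not part of the lab or the write-up) parses the two serialized objects above with a small PHP-serialize reader, models that loose comparison, and shows a server-side check that rejects the type swap by requiring a string token and comparing it in constant time. The session cookies and the 32-character token are constructed sample values.

```python
import hmac
import re

# Constructed sample cookies (already URL/base64-decoded): a legitimate session and the
# tampered one from the write-up, where access_token became the integer 0.
TOKEN = "abcdefabcdefabcdefabcdefabcdefab"  # constructed 32-char secret, not a real value
LEGIT = f'O:4:"User":2:{{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"{TOKEN}";}}'
TAMPERED = 'O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}'

def parse(data, pos=0):
    """Parse one PHP-serialized value (s, i, b, O) at pos; return (value, next_pos)."""
    tag = data[pos]
    if tag == "s":
        m = re.match(r's:(\d+):"', data[pos:])
        n, start = int(m.group(1)), pos + m.end()
        if data[start + n:start + n + 2] != '";':
            raise ValueError("declared string length does not match the payload")
        return data[start:start + n], start + n + 2
    if tag in "ib":
        m = re.match(r"[ib]:(-?\d+);", data[pos:])
        value = int(m.group(1))
        return (bool(value) if tag == "b" else value), pos + m.end()
    if tag == "O":
        m = re.match(r'O:\d+:"([^"]*)":(\d+):\{', data[pos:])
        props, pos = {"__class": m.group(1)}, pos + m.end()
        for _ in range(int(m.group(2))):
            key, pos = parse(data, pos)
            props[key], pos = parse(data, pos)
        if data[pos] != "}":
            raise ValueError("unterminated object")
        return props, pos + 1
    raise ValueError(f"unsupported type tag {tag!r}")

def php7_loose_equals(a, b):
    """Model of PHP 7.x '==' between an int and a str: a string with no leading digits
    casts to 0, so 0 == "any-hex-token" is true (PHP 8 changed this behaviour)."""
    if isinstance(a, int) and isinstance(b, str):
        m = re.match(r"\s*[-+]?\d+", b)
        return a == (int(m.group()) if m else 0)
    return a == b

def check_session(cookie, expected_token):
    """Hardened check: the token must be a string and match in constant time, so
    swapping its type to int (or anything else) is rejected instead of loosely matched."""
    user = parse(cookie)[0]
    token = user.get("access_token")
    if not isinstance(token, str) or not hmac.compare_digest(token, expected_token):
        return None
    return user.get("username")
```

A real fix would also stop trusting client-supplied serialized state at all, for example by keeping session data server-side or signing the cookie, but the type check above is the minimum that closes this particular bypass.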
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng