18.4 Lab: Arbitrary object injection in PHP

This lab uses a serialization-based session mechanism and is vulnerable to arbitrary object injection as a result. To solve the lab, create and inject a malicious serialized object to delete the morale.txt file from Carlos’s home directory. You will need to obtain source code access to solve this lab | Karthikeyan Nagaraj

Karthikeyan Nagaraj
2 min readJul 2, 2024

Description

This lab uses a serialization-based session mechanism and is vulnerable to arbitrary object injection as a result. To solve the lab, create and inject a malicious serialized object to delete the morale.txt file from Carlos's home directory. You will need to obtain source code access to solve this lab.

You can log in to your own account using the following credentials: wiener:peter

Solution

  1. Log in to your own account and notice the session cookie contains a serialized PHP object.
  2. Go to site map in Target tab, notice that the website references the file /libs/CustomTemplate.php. Right-click on the file and select "Send to Repeater".
  3. In Burp Repeater, notice that you can read the source code by appending a tilde (~) to the filename in the request line.
  4. In the source code, notice the CustomTemplate class contains the __destruct() magic method. This will invoke the unlink() method on the lock_file_path attribute, which will delete the file on this path.
  5. In Burp Decoder, use the correct syntax for serialized PHP data to create a CustomTemplate object with the lock_file_path attribute set to /home/carlos/morale.txt. Make sure to use the correct data type labels and length indicators. The final object should look like this:
    O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";}
  6. Send /my-account request to repeater, select the cookie and paste the above object in Decode panel in the right side.
  7. Click Apply changes and send the request. The __destruct() magic method is automatically invoked and will delete Carlos's file.

--

--

Karthikeyan Nagaraj

Security Researcher | Bug Hunter | Web Pentester | CTF Player | TryHackme Top 1% | AI Researcher | Blockchain Developer