Using application functionality to exploit insecure deserialisation

Description

This lab uses a serialisation-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialised object.

Reproduction

  1. Log in to wiener:peter. On the My account page, there is an option to delete the account by sending a POST request to /my-account/delete.

  2. Intercept the request.

  3. Study the session cookie using the Inspector panel. The serialised object has an avatar_link attribute, which contains the file path to your avatar.

  4. Edit the serialised data so that the avatar_link points to /home/carlos/morale.txt. Update the length indicator. The modified attribute looks like this:

s:11:"avatar_link";s:23:"/home/carlos/morale.txt"

  1. Click Apply changes. The modified object will automatically be re-encoded and updated in the request.

  2. Forward the request. Your account will be deleted, along with Carlos’s morale.txt file.

PoC

Exploitability

An attacker will need to log in to wiener:peter; edit the serialised object in the session cookie and use it to delete the morale.txt file from Carlos’s home directory.