Burp Suite User Forum

Lab: Modifying serialized data types

Wolfie | Last updated: Aug 07, 2020 05:21AM UTC

I have a problem with this particular lab. I've followed the solution as well and still cannot access the admin account. I have a Firefox web browser. I pasted this into the cookies by pressing F12: `Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjEzOiJhZG1pbmlzdHJhdG9yIjtzOjEyOiJhY2Nlc3NfdG9rZW4iO2k6MDt9` and updated the page, but end up with an "Internal Server Error PHP Fatal error: Uncaught Exception: Invalid access token for user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7". What is it that I'm doing wrong? I have also done it through Burp but still get the same error message. Thank you in advance! c:

Uthman, PortSwigger Agent | Last updated: Aug 07, 2020 11:50AM UTC

Are you following the instructions in the solution? Have you considered looking at a video tutorial? - https://www.youtube.com/watch?v=l7KCL7vY98k

bigb0ss | Last updated: Aug 15, 2020 05:01PM UTC

Hi There, So I had the same issue and following the instructions from the video suggested by Uthman still did not solve the lab. But I found the way to solve this by specifying the `/admin/delete?username=carlos` in your GET request + supplying the modified cookie value. Hope this helps. :)

susheelps | Last updated: Aug 19, 2020 02:39PM UTC

I am facing the same issue. Setting the right cookie gives the error "PHP Fatal error: Uncaught Exception: Invalid access token for user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7". The `/admin/delete?username=carlos` trick doesn't work for me. Still getting the same error.

atomman | Last updated: Aug 21, 2020 03:28AM UTC

I am facing the same issue (using Chrome), and the trick by @bigb0ss doesn't work for me either!!

Hannah, PortSwigger Agent | Last updated: Aug 21, 2020 02:46PM UTC

We'll look into this further and get back to you with the results.

Hannah, PortSwigger Agent | Last updated: Aug 25, 2020 07:47AM UTC

Could you retry the lab? I've just tested it and it is now functioning as expected.

deamon | Last updated: Sep 09, 2020 06:50PM UTC

Hey, I'm facing the same issue as mentioned by the other people above. This error does not seem to have been resolved yet.

Hannah, PortSwigger Agent | Last updated: Sep 10, 2020 06:58AM UTC

I've just retested the lab and there is no issue present.

LOKE, | Last updated: Sep 24, 2020 07:03AM UTC

Facing the same error as previous user. (Followed both the video tutorial by Michael Sommer and answer guide) Internal Server Error PHP Fatal error: Uncaught Exception: Invalid access token for user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7 Can anyone help me?

Hannah, PortSwigger Agent | Last updated: Sep 24, 2020 07:13AM UTC

I've just tested the "Modifying serialized data types" and have not had an issue completing the lab. Could you please retry?

ted | Last updated: Sep 24, 2020 11:49AM UTC

I have the same problem.

Hannah, PortSwigger Agent | Last updated: Sep 24, 2020 01:42PM UTC

Hi Ted, could you retry, please? We are looking into what is causing this behavior and hope to have a fix in place soon.

Fabio | Last updated: Feb 22, 2021 01:29AM UTC

I have the same problem.

Fabio | Last updated: Feb 22, 2021 01:30AM UTC

my mistake

Fabio | Last updated: Feb 22, 2021 01:33AM UTC

%54%7a%6f%30%4f%69%4a%56%63%32%56%79%49%6a%6f%79%4f%6e%74%7a%4f%6a%67%36%49%6e%56%7a%5a%58%4a%75%59%57%31%6c%49%6a%74%7a%4f%6a%45%7a%4f%69%4a%68%5a%47%31%70%62%6d%6c%7a%64%48%4a%68%64%47%39%79%49%6a%74%7a%4f%6a%45%79%4f%69%4a%68%59%32%4e%6c%63%33%4e%66%64%47%39%72%5a%57%34%69%4f%32%6b%36%4d%44%74%39 Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www/index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 ??

Hannah, PortSwigger Agent | Last updated: Feb 22, 2021 12:34PM UTC

Hi Fabio, is this still for the lab "Modifying serialized data types"? I've just tested that lab, and it is working as expected.

Will | Last updated: Feb 27, 2021 08:17PM UTC

I had the same problem as Fabio. Not sure why, but after URL decoding and base64 decoding the cookie there are some extra characters that are not what is syntactically expected to close the serialized object (for me, the encoded unexpected characters were 'O30%253d'). You can edit the decoded text to include the expected syntax and then re-encode it to complete the lab.

Will | Last updated: Feb 27, 2021 10:05PM UTC

Update on my last post for anyone struggling with this: the cookie just needs to be URL-decoded twice.

Richard | Last updated: May 07, 2021 12:43PM UTC

I was also facing the same problem. BUT, something worked for me and I don't know the reason why. I decoded the cookie in this sequence: 2x URL + 1x base64, and then I modified the session cookie and encoded it with the reverse sequence: 1x base64 + 2x URL. It didn't work. It gave me this error:

Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www/index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4

Then, what I did is: I added the URL in my browser (Firefox) with \admin and then entered the modified session cookie from the encoded sequence: 1x base64 + 1x URL (URL-encoded only once). Then I solved the issue. I would be happy if somebody could explain why.

Bugfaztaz | Last updated: Aug 21, 2022 06:13PM UTC

I have the same problem with the lab "Lab: Modifying serialized objects":

PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www/index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4

echo "O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:1;}" | base64

Tzo0OlVzZXI6Mjp7czo4OnVzZXJuYW1lO3M6Njp3aWVuZXI7czo1OmFkbWluO2I6MTt9Cg==

Hannah, PortSwigger Agent | Last updated: Aug 22, 2022 09:15AM UTC

Hi, are you following the instructions in the solution and using the Inspector panel to handle your decoding and encoding?

nimanoia | Last updated: Jul 19, 2023 11:43AM UTC

I know this might be a bit late, but I found what the problem was for me. When decoding the cookie, the returned value would be "O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0O30%3d", and just changing the b to 1 was not enough, as the encoded value would be an invalid cookie. Changing it to "O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:1;}" and then encoding solved the problem for me. I don't know what caused the last part of the cookie to not get decoded correctly.
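An added example, not code from any poster or from PortSwigger, that reproduces the encoding symptoms reported in this thread: `O30=` is the base64 encoding of the closing `;}`, so `O30%3d` and `O30%253d` are that tail with its padding still URL-encoded once or twice, and the `echo ... | base64` output posted above decodes to an object string with no quotes and a trailing newline. The helper names `peel`, `wrap` and `problems` are hypothetical, and `SAMPLE` is constructed from the object string quoted in the thread.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed sample: the object string quoted in the thread, with admin = b:0.
SAMPLE = 'O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}'
# Output of the `echo "..." | base64` command posted in the thread.
FROM_ECHO = ("Tzo0OlVzZXI6Mjp7czo4OnVzZXJuYW1lO3M6Njp3aWVuZXI7"
             "czo1OmFkbWluO2I6MTt9Cg==")

def peel(cookie):
    """URL-decode until nothing changes, then base64-decode.
    Returns (text, number_of_url_layers)."""
    layers = 0
    while (decoded := unquote(cookie)) != cookie:
        cookie, layers = decoded, layers + 1
    return base64.b64decode(cookie, validate=True).decode(), layers

def wrap(text, url_layers=1):
    """Inverse of peel(): base64, then url_layers rounds of URL-encoding."""
    cookie = base64.b64encode(text.encode()).decode()
    for _ in range(url_layers):
        cookie = quote(cookie, safe="")
    return cookie

def problems(text):
    """List deviations from a well-formed flat PHP object string.
    Assumes string values contain no double quotes."""
    found = []
    body = text.rstrip("\r\n")
    if body != text:
        found.append("trailing newline")
    if not body.endswith(";}"):
        found.append("object not closed with ';}'")
    if '"' not in body:
        found.append("double quotes missing")
    for length, value in re.findall(r's:(\d+):"([^"]*)"', body):
        if int(length) != len(value.encode()):
            found.append(f"s:{length} does not match {value!r}")
    return found

if __name__ == "__main__":
    print(wrap(SAMPLE, 1)[-6:], wrap(SAMPLE, 2)[-8:])  # encoded tail of ';}'
    print(peel(wrap(SAMPLE, 2)))
    print(problems(peel(FROM_ECHO)[0]))
```

The layer count returned by `peel` is the number of URL-encoding rounds to pass back to `wrap` when re-encoding an edited value for the same destination.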
