Burp Suite User Forum


(Spoiler the solution) Understanding solution to the "Arbitrary object injection in PHP" lab

Luca | Last updated: Mar 24, 2021 03:58PM UTC

Hi all, I'm doing the following lab:
- https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php

And I have a question (spoiler): to exploit the PHP deserialization vulnerability, you need to send the application a PHP serialized object of the class "CustomTemplate". This class has two private members: "lock_file_path" and "template_file_path". The source code of this class can be found at:
- http://<url-of-the-lab>/libs/CustomTemplate.php~

An object of this class is serialized as:

O:14:"CustomTemplate":2:{s:36:"\0CustomTemplate\0template_file_path";s:23:"/home/carlos/morale.txt";s:32:"\0CustomTemplate\0lock_file_path";s:23:"/home/carlos/morale.txt";}

However, by sending this object the lab doesn't get solved. After many attempts I read the solution, which says that the object to be sent is:

O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";}

Notice the differences? The solution object has only one member, lock_file_path. Also, the member is not private. Why does this solution work? Thanks
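To make the difference between the two serialized forms in the post concrete, here is an added example (not part of the post, the lab, or PortSwigger's material): a small Python parser for PHP's serialize() format that walks an object and reports each property's visibility as PHP encodes it in the property name (a leading NUL, class name, NUL for private; NUL, `*`, NUL for protected; a bare name for public). The two sample inputs are constructed for this example with real NUL bytes, so their `s:` length prefixes are computed over the actual bytes; the class and property names are the ones quoted in the post.

```python
"""Minimal parser for PHP's serialize() format, for inspecting
serialized objects found in cookies, hidden fields or logs and
reporting how each property's visibility is encoded."""
from dataclasses import dataclass, field


@dataclass
class PhpObject:
    class_name: str
    # list of (visibility, bare_name, value)
    props: list = field(default_factory=list)


def classify(raw_name: str):
    """Return (visibility, bare_name) from a possibly mangled property name."""
    if raw_name.startswith("\x00"):
        scope, _, name = raw_name[1:].partition("\x00")
        return ("protected" if scope == "*" else "private", name)
    return ("public", raw_name)


def _read_until(data: bytes, pos: int, delim: bytes):
    end = data.index(delim, pos)
    return data[pos:end], end + 1


def parse(data: bytes, pos: int = 0):
    """Parse one serialized value starting at `pos`; return (value, new_pos)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                      # N;
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):        # i:42;  b:1;  d:1.5;
        raw, pos = _read_until(data, pos + 2, b";")
        if tag == b"i":
            return int(raw), pos
        if tag == b"b":
            return raw == b"1", pos
        return float(raw), pos
    if tag == b"s":                      # s:<len>:"<bytes>";
        length_raw, pos = _read_until(data, pos + 2, b":")
        length = int(length_raw)
        value = data[pos + 1:pos + 1 + length]
        # The declared length must land exactly on the closing '";'.
        if data[pos + 1 + length:pos + 3 + length] != b'";':
            raise ValueError(f"string length {length} does not match data at offset {pos}")
        return value.decode("utf-8", "surrogateescape"), pos + 3 + length
    if tag == b"a":                      # a:<count>:{key;value;...}
        count_raw, pos = _read_until(data, pos + 2, b":")
        items = {}
        pos += 1                         # skip '{'
        for _ in range(int(count_raw)):
            key, pos = parse(data, pos)
            val, pos = parse(data, pos)
            items[key] = val
        return items, pos + 1            # skip '}'
    if tag == b"O":                      # O:<len>:"<class>":<count>:{...}
        name_len_raw, pos = _read_until(data, pos + 2, b":")
        name_len = int(name_len_raw)
        class_name = data[pos + 1:pos + 1 + name_len].decode()
        pos = pos + 1 + name_len + 2     # closing quote and ':'
        count_raw, pos = _read_until(data, pos, b":")
        obj = PhpObject(class_name)
        pos += 1                         # skip '{'
        for _ in range(int(count_raw)):
            raw_name, pos = parse(data, pos)
            value, pos = parse(data, pos)
            visibility, name = classify(raw_name)
            obj.props.append((visibility, name, value))
        return obj, pos + 1              # skip '}'
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")


def property_visibility(data: bytes):
    """Convenience wrapper: (class name, [(visibility, name), ...]) for one object."""
    obj, end = parse(data)
    if end != len(data):
        raise ValueError("trailing data after serialized object")
    return obj.class_name, [(v, n) for v, n, _ in obj.props]


# Constructed samples: same class/property names as the post, with real NUL bytes.
PRIVATE_FORM = (
    b'O:14:"CustomTemplate":2:{'
    b's:34:"\x00CustomTemplate\x00template_file_path";s:23:"/home/carlos/morale.txt";'
    b's:30:"\x00CustomTemplate\x00lock_file_path";s:23:"/home/carlos/morale.txt";}'
)
PUBLIC_FORM = b'O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";}'

if __name__ == "__main__":
    for label, sample in (("private form", PRIVATE_FORM), ("public form", PUBLIC_FORM)):
        cls, props = property_visibility(sample)
        print(f"{label}: class {cls}")
        for visibility, name in props:
            print(f"  {visibility:9} {name}")
```

Because the parser checks that every `s:` length lands exactly on the closing `";`, it rejects strings whose declared length does not match the bytes, which is the first thing to check when a hand-edited serialized object is silently ignored by the application.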

Hannah, PortSwigger Agent | Last updated: Mar 26, 2021 11:56AM UTC

Thanks for your query. Unfortunately, we are unable to provide personal support or tutoring to Academy users, as we prefer to improve the experience for our entire user-base by focussing on expanding and refining our public content.

Your post will stay up on the forum for a member of the community to reply.

The learning material for this subject can be found here
