The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


(Spoiler the solution) Understanding solution to the "Arbitrary object injection in PHP" lab

Luca | Last updated: Mar 24, 2021 03:58PM UTC

Hi all, I'm doing the following lab:

- https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php

And I have a question (spoiler): to exploit the PHP deserialization vulnerability, you need to send the application a PHP serialized object of the class "CustomTemplate". This class has two private members: "lock_file_path" and "template_file_path". The source code of this class can be found at:

- http://<url-of-the-lab>/libs/CustomTemplate.php~

An object of this class is serialized as:

O:14:"CustomTemplate":2:{s:36:"\0CustomTemplate\0template_file_path";s:23:"/home/carlos/morale.txt";s:32:"\0CustomTemplate\0lock_file_path";s:23:"/home/carlos/morale.txt";}

However, by sending this object the lab doesn't get solved. After many attempts I read the solution, which says that the object to be sent is:

O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";}

Notice the differences? The solution object has only one member, lock_file_path. Also, the member is not private. Why does this solution work?

Thanks
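
Added example, not code from the post or from the lab: a Python encoder and strict decoder for the flat PHP serialize() object format the post is working with (string-valued members only; the helper names are my own). It shows how PHP keys private members by the NUL-mangled name "\0Class\0prop", and that the s:<n> length counts bytes, so a real NUL byte counts as one while a typed-out backslash and zero count as two; the decoder rejects any string whose declared length does not fit the bytes that follow, which is a useful sanity check when reviewing a serialized object.

```python
# Added example, not code from the forum post or the lab: encoder and strict
# decoder for the flat PHP serialize() object format, string members only.
# Private members are keyed "\0Class\0prop", protected "\0*\0prop".
NUL = "\0"

def mangle(cls: str, prop: str, visibility: str = "public") -> str:
    """Return the key PHP stores the property under for the given visibility."""
    if visibility == "private":
        return f"{NUL}{cls}{NUL}{prop}"
    if visibility == "protected":
        return f"{NUL}*{NUL}{prop}"
    return prop

def php_str(value: str) -> str:
    """Serialize a string as s:<byte length>:"<raw bytes>"; (NUL counts as 1)."""
    return f's:{len(value.encode())}:"{value}";'

def php_object(cls: str, members: list[tuple[str, str, str]]) -> str:
    """Serialize (prop, visibility, value) triples as O:<len>:"Class":<n>:{...}"""
    body = "".join(php_str(mangle(cls, p, v)) + php_str(val) for p, v, val in members)
    return f'O:{len(cls)}:"{cls}":{len(members)}:{{{body}}}'

def _read_str(raw: bytes, pos: int) -> tuple[str, int]:
    """Parse one s:<n>:"..."; token at pos; reject a length that does not fit."""
    if raw[pos:pos + 2] != b"s:":
        raise ValueError(f"expected string at offset {pos}")
    colon = raw.index(b":", pos + 2)
    length = int(raw[pos + 2:colon])
    start, end = colon + 2, colon + 2 + length   # skip ':"', then the payload
    if raw[colon + 1:start] != b'"' or raw[end:end + 2] != b'";':
        raise ValueError(f"declared length {length} at offset {pos} does not match content")
    return raw[start:end].decode(), end + 2

def parse_php_object(data: str) -> tuple[str, dict[str, str]]:
    """Decode a flat object; keys come back exactly as PHP would store them."""
    raw = data.encode()
    if not raw.startswith(b"O:"):
        raise ValueError("not an object")
    colon = raw.index(b":", 2)
    name_end = colon + 2 + int(raw[2:colon])        # class name sits after ':"'
    cls = raw[colon + 2:name_end].decode()
    if raw[name_end:name_end + 2] != b'":':
        raise ValueError("class name length does not match content")
    brace = raw.index(b":{", name_end + 2)
    count, pos, members = int(raw[name_end + 2:brace]), brace + 2, {}
    for _ in range(count):
        key, pos = _read_str(raw, pos)
        members[key], pos = _read_str(raw, pos)
    if raw[pos:] != b"}":
        raise ValueError("member count does not match content")
    return cls, members
```

Run against the post's two-member object as pasted, the declared lengths 36 and 32 only fit if each "\0" is the two characters backslash and zero; substituting real NUL bytes makes the decoder raise.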

Hannah, PortSwigger Agent | Last updated: Mar 26, 2021 11:56AM UTC