
For the Level Four challenge, there are two source files (linked in the original post).
Only the PHP code is shown here because the HTML is not important.
source1.php and source2.php (both listings appear as images in the original post).
source2.php connects to the database (database.db) and contains all the functions that execute queries and fetch their results,
while source1.php receives the user input and issues a request through one of the functions in source2.php.
The function that draws our attention is __destruct(), a PHP magic method that is called automatically when an object is destroyed.
When an application calls unserialize() on user-controlled data, such a method is the classic entry point for insecure deserialization.
So first, it’s important to understand what the code is doing and how it works.

- It first checks that the input is an integer and then displays the username associated with that id.
- When we connect to websec.fr a cookie named leet_hax0r is created, and your IP address is checked before you are allowed to use the app.
The cookie value YToxOntzOjI6ImlwIjtzOjE1OiIxMzcuMjU1LjEyNy4xMjkiO30%3D is base64 (the trailing = is URL-encoded as %3D); after decoding we have:
a:1:{s:2:"ip";s:15:"137.255.127.129";}
This is PHP's serialized-data format, so let's break it down: a:1 is an array with one element, s:2:"ip" is a 2-byte string used as the key, and s:15:"137.255.127.129" is the 15-byte string value.

The deserialized data contains an IP address, and the app checks it against the client's address here (the check is shown in a screenshot in the original post).
Now, about the terms used in the image:
- SQL object: chosen because the __destruct() method of the SQL class uses the $query variable to build the SQL query. By changing this value in the serialized data, the attacker can force the app to run an arbitrary SQL query.
- conn: represents the database connection; its value is N, which sets it to NULL.
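The gadget described above, reconstructed as an added example (not the challenge's own source) next to a hardened version of the cookie handler; the class and property names follow the writeup, while the PDO/sqlite wiring and the function names are assumptions:

```php
<?php
// Added example, not the challenge's own source. The SQL class mirrors what the
// writeup describes (__destruct() runs $query, conn holds the DB connection);
// the PDO/sqlite details are assumptions.
class SQL {
    public $query;
    public $conn;
    public function __destruct() {
        // The gadget: whatever value $query holds after unserialize() is executed.
        if ($this->conn === null) {
            $this->conn = new PDO('sqlite:database.db');
        }
        $this->conn->query($this->query);
    }
}

// Vulnerable: the cookie is attacker-controlled, so an O:3:"SQL" payload
// instantiates the class and __destruct() runs the embedded query.
function getClientIpVulnerable(string $cookie): ?string {
    $data = unserialize(base64_decode($cookie));
    return is_array($data) ? ($data['ip'] ?? null) : null;
}

// Hardened: never instantiate classes from the cookie, then validate strictly.
// (Better still: store the cookie as JSON, or sign it with an HMAC.)
function getClientIpSafe(string $cookie): ?string {
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return null;
    }
    // Objects become __PHP_Incomplete_Class instead of real instances, so no
    // __destruct() of an application class can ever fire.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    // Exactly one key, "ip", holding a valid IP; extra keys like "exploit" fail.
    if (!is_array($data) || count($data) !== 1 || !isset($data['ip'])) {
        return null;
    }
    if (!is_string($data['ip']) || filter_var($data['ip'], FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return $data['ip'];
}

// The legitimate cookie from the writeup (trailing %3D URL-decoded to =).
$legit = 'YToxOntzOjI6ImlwIjtzOjE1OiIxMzcuMjU1LjEyNy4xMjkiO30=';
var_dump(getClientIpSafe($legit) === '137.255.127.129');
// A bare object payload is not an array, so it is rejected before any SQL runs.
$obj = base64_encode('O:3:"SQL":1:{s:5:"query";s:3:"...";s:4:"conn";N;}');
var_dump(getClientIpSafe($obj) === null);
```

On the server side the same idea applies to detection: a cookie whose decoded value starts with O: or contains a class name the app never serializes is a strong signal worth logging.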
I personally wrote a serialized payload using the default serialized data provided by the app:
a:2:{s:2:"ip";s:15:"137.255.127.129";s:7:"exploit";O:3:"SQL":1:{s:5:"query";s:39:"SELECT password AS username FROM users;";s:4:"conn";N;}}
but to bypass the IP address check shown in the previous image we can use this:
O:3:"SQL":1:{s:5:"query";s:39:"SELECT password AS username FROM users;";s:4:"conn";N;}
So let's go for exploitation (the request is shown in a screenshot in the original post), and we got the flag.
Flag : WEBSEC{9abd8e8247cbe62641ff662e8fbb662769c08500}
The final exploitation screenshot appeared here in the original post.