Lesser Known Web Attack Lab is for intermediate pentester that can test and practice lesser known web attacks such as Object Injection, XSSI, PHAR Deserialization, variables variable ..etc. Write-ups are welcome. My own walk-through is here .
Just clone the git with
git clone https://github.com/weev3/LKWA and move it to your web server and you are good to go.
- For XSSI, challenge you need to change Allow Override None to Allow Override ALL in apache2.conf file.
- For PHAR Deserialization, you need to change phar.readonly = On to phar.readonly = Off in php.ini setting.
Installation - Docker
docker-compose up inside the Docker folder and open the browser on http://localhost:3000.
- Blind RCE
- PHAR Deserialization
- PHP Object Injection
- PHP Object Injection via Cookies
- PHP Object Injection (Object Reference)
- Variables variable
- Edoardo Rosa (@edoz90)