File Inclusions: Server Log Poisoning problem 500 error

Hello,

Was someone able to successfully replicate the example for Server Log Poisoning using the rendered /var/log/apache2/access.log file and injecting a PHP shell via User Agent Header?

Trying this in Burp Repeater, the server stalls with a 500 error after submitting more than one request with parameter /index.php?language=/var/log/apache2/access.log. No chance to get RCE with a subsequent &cmd=id appended.

It seems to be a 500 error upon adding the <?php system($_GET["cmd"]); ?> in the Burp request. After that you cannot read the log file; it returns the 500 error, and you need to reload the box (get a new IP) in order to see the log file again.
Is that a box fault?

I noticed there was an error thrown in error.log:

PHP Parse error: syntax error, unexpected '"cmd\"]); ?>"'

When I changed the web shell 'cmd' to single quotes (') then I was able to get RCE.

1 Like

Thanks dude. That really flew over my head.
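
Added example, not part of the original thread: Apache backslash-escapes double quotes when it writes a header value to the access log, which matches the \" visible in the parse error quoted above, and the logged form is something a defender can search for. The sketch below models that escaping in simplified form and flags log entries whose request line, Referer or User-Agent contains a PHP open tag; the function names and the sample log lines are constructed for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
FIELD = r'((?:[^"\\]|\\.)*)'          # quoted field that may contain \" and \\
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "' + FIELD + r'" \d{3} \S+ "' + FIELD + r'" "' + FIELD + r'"$'
)
PHP_TAG = re.compile(r'<\?(?:php|=)', re.IGNORECASE)


def apache_escape(value):
    """Simplified model of Apache's log escaping: only backslash and double
    quote are handled here (real Apache also rewrites control characters)."""
    return value.replace('\\', '\\\\').replace('"', '\\"')


def find_php_in_log(lines):
    """Return (line_number, client, field_name, logged_value) for each logged
    request line, Referer or User-Agent that contains a PHP open tag."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = COMBINED.match(line.rstrip('\n'))
        if not match:
            continue  # not in combined format; skipped rather than guessed at
        client, request, referer, agent = match.groups()
        for name, value in (('request', request), ('referer', referer), ('user-agent', agent)):
            if PHP_TAG.search(value):
                hits.append((number, client, name, value))
    return hits


# Constructed sample lines (documentation addresses, not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "'
    + apache_escape('<?php system($_GET["cmd"]); ?>') + '"',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "'
    + apache_escape("<?php system($_GET['cmd']); ?>") + '"',
]

if __name__ == '__main__':
    for hit in find_php_in_log(SAMPLE_LOG):
        print(hit)
```

A hit in the access log is worth correlating with PHP Parse error entries in error.log around the same time, since the thread shows that an included log containing such a tag can surface there.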