File Inclusions: Server Log Poisoning problem 500 error


Was someone able to successfully replicate the example for Server Log Poisoning using the rendered /var/log/apache2/access.log file and injecting a PHP shell via User Agent Header?

Trying this in Burp Repeater, the server stalls with a 500 error after submitting more than one request with parameter /index.php?language=/var/log/apache2/access.log. No chance to get RCE with a subsequent &cmd=id appended.

It seems to be a 500 error upon adding the <?php system($_GET["cmd"]); ?> in the burp request. After that you cannot read the log file it returns the 500 error and you need to reload the box (get new ip) in order to again see the log file.
Is that a box fault?

I noticed there was an error thrown in error.log:

PHP Parse error: syntax error, unexpected ‘“cmd\”]); ?>"’

When I changed the web shell ‘cmd’ to single quotes (') then I was able to get RCE.

1 Like

Thanks dude. That really flew over my head.