Was someone able to successfully replicate the example for Server Log Poisoning using the rendered /var/log/apache2/access.log file and injecting a PHP shell via User Agent Header?
Trying this in Burp Repeater, the server stalls with a 500 error after submitting more than one request with parameter /index.php?language=/var/log/apache2/access.log. No chance to get RCE with a subsequent &cmd=id appended.
I had to read the flag via directory traversal… Anyone able to replicate the example 1:1 and receive the flag with this technique?
Can someone please advise?
It seems to be a 500 error upon adding the <?php system($_GET["cmd"]); ?> in the burp request. After that you cannot read the log file it returns the 500 error and you need to reload the box (get new ip) in order to again see the log file.
Is that a box fault?