File Inclusions: Server Log Poisoning


Was anyone able to successfully replicate the example for Server Log Poisoning using the rendered /var/log/apache2/access.log file and injecting a PHP shell via the User-Agent header?

Trying this in Burp Repeater, the server stalls with a 500 error after submitting more than one request with the parameter /index.php?language=/var/log/apache2/access.log. No chance to get RCE with a subsequent &cmd=id appended.

I had to read the flag via directory traversal… Anyone able to replicate the example 1:1 and receive the flag with this technique?


Can someone please advise?
It seems to be a 500 error upon adding the <?php system($_GET["cmd"]); ?> in the Burp request. After that you cannot read the log file; it returns the 500 error, and you need to reload the box (get a new IP) in order to see the log file again.
Is that a box fault?

Yes, I think the error is related to the characters used in the payload.
I came across the following IppSec video for the machine “Poison”:

Try using single quotes for the PHP payload!


Thanks man, that was the error. I used single quotes and managed to find the flag as well.
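
Added example (not part of the thread or the course material): a detection-side check that parses Apache combined-format log lines and flags PHP open tags in logged request fields, plus requests that reference a log path, which are the two halves of the technique discussed above. The regexes, reason strings and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" format. Quoted fields can contain \" because Apache
# backslash-escapes double quotes when it writes request data to the log.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED)
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)
# Assumption: the paths worth flagging are log locations like the one in this thread.
LOG_PATH = re.compile(r'/var/log/|(?:access|error)\.log', re.I)

def scan(lines):
    """Return (line_no, client_ip, reason) for every suspicious field."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, req, _status, ref, ua = m.groups()
        req = unquote(req)  # decodes one layer of %XX encoding only
        for name, value in (("request", req), ("referer", ref), ("user_agent", ua)):
            if PHP_TAG.search(value):
                findings.append((n, ip, "php_tag_in_" + name))
        if LOG_PATH.search(req):
            findings.append((n, ip, "log_path_in_request"))
    return findings

def chained(findings):
    """Clients that both wrote a PHP tag into the log and requested a log path."""
    wrote = {ip for _, ip, why in findings if why.startswith("php_tag_in_")}
    read = {ip for _, ip, why in findings if why == "log_path_in_request"}
    return wrote & read

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE = [
    r'198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?language=en.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php system($_GET[\"cmd\"]); ?>"',
    r'203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "GET /index.php?language=%2Fvar%2Flog%2Fapache2%2Faccess.log HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print("chained:", sorted(chained(scan(SAMPLE))))
```

A client that appears in `chained()` has both halves of the pattern in the same log, which is a stronger signal than either finding alone.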