File Inclusions: Server Log Poisoning

Hello,

Has anyone been able to successfully replicate the example for Server Log Poisoning using the rendered /var/log/apache2/access.log file and injecting a PHP shell via the User-Agent header?

Trying this in Burp Repeater, the server stalls with a 500 error after submitting more than one request with the parameter /index.php?language=/var/log/apache2/access.log. No chance to get RCE with a subsequent &cmd=id appended.

I had to read the flag via directory traversal… Anyone able to replicate the example 1:1 and receive the flag with this technique?
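
For the defensive side of the technique discussed in this thread, here is an added example (not part of the original post): a Python scan of Apache combined-format access log lines that flags PHP open tags in logged headers and requests whose parameter points at a log file. The sample lines, addresses and finding labels are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# A PHP open tag has no business in a User-Agent or Referer value.
PHP_TAG = re.compile(r'<\?(?:php|=|\s)', re.I)
# Any query parameter whose value points at a log directory or log file.
LOG_PATH = re.compile(r'[?&][^=&\s]+=[^&\s]*(?:/var/log/|access\.log|error\.log)', re.I)

# Constructed sample lines (documentation addresses, inert placeholder in line 2).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?language=en.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "<?php PLACEHOLDER ?>"',
    '203.0.113.9 - - [10/Oct/2023:13:56:09 +0000] "GET /index.php?language=/var/log/apache2/access.log HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:15 +0000] "GET /index.php?language=%2Fvar%2Flog%2Fapache2%2Faccess.log HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

def scan(lines):
    """Return (line_number, finding) tuples for suspicious log entries."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            # A line that no longer parses deserves a manual look.
            findings.append((lineno, "unparsed"))
            continue
        for field in ("agent", "referer"):
            if PHP_TAG.search(m[field]):
                findings.append((lineno, f"php-tag-in-{field}"))
        # Decode once so percent-encoded paths are matched as well.
        if LOG_PATH.search(unquote(m["request"])):
            findings.append((lineno, "log-file-in-parameter"))
    return findings

if __name__ == "__main__":
    for lineno, finding in scan(SAMPLE):
        print(f"line {lineno}: {finding}")
```

The same source address appearing first with a tag in a header and then with a log path in a parameter is the pairing worth alerting on.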