File Inclusions: Server Log Poisoning

Hello,

Was anyone able to successfully replicate the example for Server Log Poisoning using the rendered /var/log/apache2/access.log file and injecting a PHP shell via the User-Agent header?

Trying this in Burp Repeater, the server stalls with a 500 error after submitting more than one request with parameter /index.php?language=/var/log/apache2/access.log. No chance to get RCE with a subsequent &cmd=id appended.

I had to read the flag via directory traversal… Anyone able to replicate the example 1:1 and receive the flag with this technique?


Can someone please advise?
It seems to be a 500 error upon adding the <?php system($_GET["cmd"]); ?> in the Burp request. After that you cannot read the log file; it returns the 500 error, and you need to reload the box (get a new IP) in order to see the log file again.
Is that a box fault?

Yes, I think the error is related to the characters used in the payload.
I came across the following IppSec video for the machine “Poison”:

https://youtube.com/watch?v=rs4zEwONzzk&t=2570

Try using single quotes for the PHP payload!


Thanks man, that was the error. I used single quotes and managed to find the flag also.

Thanks for the IppSec link (even to the appropriate section)

Yes, glad to help!
It was great to find a proper explanation for that issue.

thx man luv u

2 years on and this gift keeps on giving! Thank you!
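
For anyone reviewing Apache logs for the technique discussed in this thread, the following is an added example and not part of any post above. It parses combined-format access log lines, including the backslash-escaped quotes Apache writes inside logged headers, and flags PHP open tags in logged fields as well as requests that point a parameter at a log file. The function names, the `/var/log/` pattern and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# One double-quoted field of Apache's combined log format. mod_log_config
# writes a literal " or \ inside such a field as \" or \\, so the pattern
# must step over backslash pairs instead of stopping at the first quote.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED
                     + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED)
PHP_TAG_RE = re.compile(r'<\?(?:php|=|\s)', re.IGNORECASE)
LOG_PATH_RE = re.compile(r'/var/log/|access\.log', re.IGNORECASE)

def unescape(field):
    # Undo Apache's hex, quote and backslash escapes in a single pass.
    def repl(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if len(tok) == 3 else tok
    return re.sub(r'\\(x[0-9a-fA-F]{2}|["\\])', repl, field)

def find_suspicious(lines):
    # Returns (line_no, client, kind, value) for each suspicious field.
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            # Unparseable line: fall back to a raw scan rather than skip it.
            if PHP_TAG_RE.search(line):
                hits.append((n, "?", "php-tag:unparsed", line))
            continue
        client, request, _status, referer, agent = m.groups()
        fields = {"request": request, "referer": referer, "user-agent": agent}
        for name, raw in fields.items():
            value = unescape(raw)
            if PHP_TAG_RE.search(value):
                hits.append((n, client, "php-tag:" + name, value))
        # A request that points a parameter at a log file is the inclusion step.
        if LOG_PATH_RE.search(unquote(request)):
            hits.append((n, client, "log-include", unquote(request)))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    r'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?language=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php system($_GET[\"cmd\"]); ?>"',
    r'203.0.113.9 - - [10/Oct/2023:13:56:40 +0000] "GET /index.php?language=/var/log/apache2/access.log HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print(hit)
```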