Skills Assessment - File Inclusion[questions]

Hey guys:

I found an admin panel and an LFI vulnerability. I can get /etc/passwd, but I cannot get RCE.
I tried all the methods I have learned, but I still can't get RCE. Please give me some help, thank you very much!

Log Poisoning is the right way to do this. It doesn’t always work for some reason.

Thank you for the answer. I tried filling the User-Agent with RCE code, but it did not work.
I already tried it before. Please give me some help, I have been stuck for a few days.

I have the same issue. When I input the payload into the User-Agent header, the log file breaks and stops logging any input, even non-malicious ones. Is the lab broken perhaps?

Did you try every possible log poisoning solution? Maybe you would get other results with an alternative solution… One, for sure, doesn't break…

Problem already solved!

Hi, I am also stuck here. Can you suggest something?

This article helped me finish it, take a close look: https://ironhackers.es/tutoriales/lfi-to-rce-envenenando-ssh-y-apache-logs/

Hi friend,
in this question all requests that I send through Burp Suite return 200 OK,
but never show the file content or even the cmd result from that PHP shell.

I can see that the URL returns the comment that we make with the var ?comment=

Can you help me clarify these (newbie) issues?
Thank you

Hey Friend,
is it to log poison the access.log file like in the session lesson?
I found a lot of files in that admin location.
According to the lesson we need to put the PHP webshell and the server needs to execute it and respond with the resulting command…
Doing it like the lesson on access.log is not returning the result in the User-Agent header.
Can we do it with another file?

I believe the goal is to exec a command to "ls" the "/" dir to locate the flag so we can access the file through the browser. Right?

I would appreciate some interaction.
Thanks very much

Hi guys, if the log file breaks try this script, it's the best one, it works perfectly: GitHub - nickpupp0/LogPoisoner

4 Likes

Hi, as always I did the skills assessment and want to give some help to the "next generations".
So step-by-step:

  1. Find all existing parameters (there are 2, but you need only one)

  2. Find how you can read the source code of index.php with this parameter (Tip: "Source Code Disclosure" topic)

  3. Find some interesting information in the source code

  4. Go to the page you just found and again search for a vulnerable parameter

  5. With this parameter you can use "Log poisoning".

IMPORTANT NOTE: for log poisoning use this payload:

<?php system($_GET["cmd"]); ?>

because the one shown in the lesson is old and doesn't work.

3 Likes

thanks a lot

Hello, I followed your steps and read the source code of index.php, found the protection, but I'm neither able to bypass it nor find another page or vulnerable parameter as you say.

I don’t know if the skill assessment was remade or if i’m doing something wrong…
Are you talking about the File Inclusion module of HTB Academy (Penetration Tester Path)?

I also had all sorts of issues when uploading the PHP shell. Also, in the lab where it only worked with curl and not in Burp.

2 things to help if you are stuck on the final RCE part.

  1. You have to upload the PHP shell before EVERY command (at least that worked for me). For some reason it stops working after a command is executed.
  2. Try to use this: 'User-Agent: Mozilla/5.0 <?php system($_GET[\'cmd\']); ?> Safari/537.36'

Again, it worked for me, and I stole the idea from the log poisoner tool that was linked in the thread.

Happy hacking!

Hey! I'm trying to get a shell but it didn't work. If I put <?php system($_GET[\'cmd\']); ?> or <?php system($_GET['cmd']); ?> the log appears blank and I need to restart the lab.
Anyway, if I URL-encode < or ? (or both) the log doesn't appear blank, but the shell didn't work. The same happened with curl.

EDIT: Solved. If someone else thinks the log is broken, try changing the quotes.

@Gabo
First test writing to the log with e.g. a bunch of BBBBBBBBBBBBBBB to see that you are able to write to the log and see it.

Then when poisoning the log, don't expect to SEE the command/code in there, but use it in the URL with
pathtolog/access.log?cmd=id

For me it worked best with poisoning via curl and reading via URL in the browser, but I had to poison again after each command.

Hope it helps.

Thank you so much mate! Your comment saved me with this. For anyone else struggling with this, I also continuously had the log file break when sending my payloads (I also tried multiple different ones) and this is a brilliant solution.

Hi to all who are still struggling!
I finally made it after a million years. A little hint: for injection, use something recognizable within the logs! For example 'BBBBBBBBB <injection_here> BBBBBBBB' so that you can find it later (the logs are rather big). When you call your web shell, the output will be right between the two "BBB" sections!

Good luck and don't give up! :)

That payload works great once you encode it.