Exploit Webserver through Log Injection with LFI

Through this article you will see how to create local file inclusion log poisoning inside the target machine and gain unauthorized access with the help of the Apache access.log file.

Attacker: Kali Linux
Target: Metasploitable 2

Connect to the target using the SSH service, as shown in the following image.

Now log in with user as “sudo” and create a folder “lfi” inside /var/www:
cd /var/www

mkdir lfi


Now create a PHP file which allows the user to include a file through the file parameter. Hence, using the file parameter, we can execute a file that contains malicious code to gain unauthorized access to the target PC.

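   <?php
   // Deliberately vulnerable: the "file" parameter is passed to include() unchecked.
   $file = $_GET['file'];
   if(isset($file))
   {
       include("$file");
   }
   else
   {
       // No usable "file" parameter: fall back to index.php
       include("index.php");
   }
   ?>
Now I have saved the above PHP code in a text file as lfi.php and shared this file.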


In order to download lfi.php inside the lfi directory, type the following command


Now let’s browse the following URL: 192.168.1.8/lfi/lfi.php
In the given screenshot you can see that when I browsed the lfi.php file, it showed an error that looks like a local file inclusion vulnerability.


Now I will try to open the Apache access.log file. To explore this file, I will first give read permission to apache2 and then include the access.log file.


Now include the access.log file as the file parameter by entering the following URL in the browser:
192.168.1.8/lfi/lfi.php?file=/var/www/apachae2/access.log
Now turn on Burp Suite to capture the request for the same web page.


Here you will get the intercepted data, where we need to inject our cmd command inside the User-Agent by replacing the highlighted data.



Add the cmd command inside the User-Agent and send the request with the GET parameter 192.168.1.8/lfi/lfi.php?file=/var/www/apachae2/access.log&c=ps, as shown in the image below. Then click Forward.


Here it will dump the log data as well as execute the command given through cmd. From the screenshot you can view both the log and the process state.


In the same manner, execute lsb_release -a through cmd and view the result in the given screenshot.
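
Seen from the defender's side, both stages described above leave marks in access.log: a PHP open tag inside a logged header, and a request whose parameter value points at a server-side path. The following Python script is an added example, not part of the original article; the function names, the path heuristic and the sample log lines (apart from the URL taken from the article) are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Apache "combined" LogFormat; quoted fields may contain backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'\s*$'
)
# A PHP open tag has no business in a request line, Referer or User-Agent.
PHP_TAG = re.compile(r'<\?(php|=|\s)', re.I)
# Heuristic (assumption): parameter values that look like server-side paths.
PATH_VALUE = re.compile(r'^/(etc|proc|tmp|var)/|\.\.[/\\]|\.log$', re.I)

# Constructed sample lines; the third uses the URL shown in the article.
SAMPLE_LOG = [
    '192.168.1.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.5 - - [01/Jan/2024:10:01:00 +0000] "GET /lfi/lfi.php HTTP/1.1" 200 120 "-" "<?php /* constructed marker */ ?>"',
    '192.168.1.5 - - [01/Jan/2024:10:02:00 +0000] "GET /lfi/lfi.php?file=/var/www/apachae2/access.log&c=ps HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

def inspect(line):
    """Return a list of findings for one access.log line (empty if clean)."""
    m = COMBINED.match(line.strip())
    if not m:
        return ["unparsed-line"]
    fields = {"request": m.group(3), "referer": m.group(5), "agent": m.group(6)}
    findings = [f"php-tag-in-{k}" for k, v in fields.items() if PHP_TAG.search(v)]
    parts = fields["request"].split(" ")
    query = parts[1].partition("?")[2] if len(parts) >= 2 else ""
    # parse_qsl percent-decodes values, so encoded traversal sequences are caught too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if PATH_VALUE.search(value):
            findings.append(f"path-in-param:{name}")
    return findings

def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = inspect(line)
        if found:
            hits[n] = found
    return hits

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        print(n, found)
```

The script only reads the log as text, so reviewing a poisoned access.log this way never executes its contents.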
