Web Server Exploitation with SSH Log Poisoning through LFI

In this article you will learn how unauthorized access to a web server can be gained, when the server suffers from a local file inclusion (LFI) vulnerability, with the help of the SSH auth log file. To follow this attack you first need to read my previous article, which shows how to create a local file inclusion vulnerability manually.

Attacker: Kali Linux
Target: Metasploitable 2

Open a terminal in your Kali Linux and connect to the target using the SSH service.

From the screenshot you can see that I am connected to the target PC; now type the following command to check the permissions of the auth.log file:
ls -l /var/log/auth.log


Now if you look at the screenshot again, you will find that the highlighted text shows that read and write permission has been given to the auth.log file.


Since we know that the auth.log file has read permission, type the following command to view its entries:
tail -f /var/log/auth.log

The highlighted text shows the log entries for the valid user msfadmin.


Now open another terminal in Kali, where I will try to connect to the server using a fake username, and then confirm whether an entry for the invalid user is written to the auth.log file.

ssh hacker@192.168.1.105


When you move back to the previous terminal, you will find that an entry has been written for the invalid user hacker, which you can also check in the given screenshot.


Hence it is confirmed that the auth.log file records every failed and successful login attempt made against the server. Taking advantage of this behaviour, I will now send PHP code as the fake username, and it will be appended automatically to the auth.log file as a new entry.

ssh ’@192.168.1.105


When you check the log again, you will find that the PHP code has been added as a new entry.
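The log-poisoning step above relies on two conditions that a defender can check directly: sshd writes the attacker-chosen username into auth.log verbatim, and the log file is readable by the account the web server runs as. The following Python script is an added example (not code from the original article): it scans auth.log lines for "Invalid user" entries whose username contains a PHP open tag, and checks whether a file mode exposes the log to other users. The sample log lines, the hostname "metasploitable", the client address and the PHP marker in the fake username are all constructed for the example.

```python
import re
import stat

# Constructed sample of auth.log entries (not taken from the article's screenshots).
# Lines 4 and 5 carry a PHP open tag in the username, as a log-poisoning attempt would.
SAMPLE_AUTH_LOG = """\
May  4 10:01:02 metasploitable sshd[4321]: Accepted password for msfadmin from 192.168.1.10 port 51234 ssh2
May  4 10:02:15 metasploitable sshd[4330]: Invalid user hacker from 192.168.1.10
May  4 10:02:17 metasploitable sshd[4330]: Failed password for invalid user hacker from 192.168.1.10 port 51240 ssh2
May  4 10:03:40 metasploitable sshd[4338]: Invalid user <?php echo 1; ?> from 192.168.1.10
May  4 10:03:42 metasploitable sshd[4338]: Failed password for invalid user <?php echo 1; ?> from 192.168.1.10 port 51250 ssh2
"""

# OpenSSH logs unknown accounts as "Invalid user <name> from <ip>" (and
# "Failed password for invalid user <name> from <ip> ..."); <name> is chosen by
# the client and written to the log unchanged, which is what poisoning abuses.
INVALID_USER_RE = re.compile(r"[Ii]nvalid user (?P<user>.*?) from (?P<ip>\S+)")

# A PHP open tag ("<?php", "<?=" or bare "<?") has no place in a real username.
PHP_TAG_RE = re.compile(r"<\?(php|=)?", re.IGNORECASE)


def find_poisoned_entries(log_text):
    """Return (line_no, username, source_ip) for every invalid-user entry whose
    username carries a PHP open tag, i.e. a likely log-poisoning attempt."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = INVALID_USER_RE.search(line)
        if m and PHP_TAG_RE.search(m.group("user")):
            hits.append((line_no, m.group("user"), m.group("ip")))
    return hits


def is_world_readable(mode):
    """True when the 'others' read bit is set in a POSIX mode value, e.g. the
    st_mode of os.stat('/var/log/auth.log'). A web server account that is not
    in the log's group can only read the file when this bit is set."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    for line_no, user, ip in find_poisoned_entries(SAMPLE_AUTH_LOG):
        print(f"line {line_no}: PHP tag in SSH username {user!r} from {ip}")
    # 0o644 is the kind of mode the article's "ls -l" step reveals; 0o640 is the
    # usual Debian/Ubuntu default (root:adm), which keeps www-data out.
    print("0o644 world-readable:", is_world_readable(0o644))
    print("0o640 world-readable:", is_world_readable(0o640))
```

Run against a real file with `find_poisoned_entries(open("/var/log/auth.log").read())`; the mode check pairs with `os.stat("/var/log/auth.log").st_mode`. Both checks are cheap enough to run from a cron job or as a log-collector rule.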


I have already created the LFI vulnerability manually inside the web server; if you want to create it yourself, see the link to the previous article above.
In the given screenshot you can see that when I browse the lfi.php file, it shows an error that looks like a local file inclusion vulnerability.

Now include the auth.log file through the file parameter by entering the following URL in the browser:
192.168.1.105/lfi/lfi.php?file=/var/log/auth.log

From the screenshot you can read the warning "Cannot execute a blank command". It means the PHP code we injected, which contained a command-execution call, is now being executed; all that remains is to pass a command through the c parameter.



192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=ps

Here the page dumps the contents of auth.log and also executes the command given through the c parameter. In the screenshot you can see both the log entries and the process list.


In the same way, execute pwd through the c parameter and view the result in the given screenshot.
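The whole chain works only because lfi.php includes whatever path the file parameter names. The following Python example is added here and is not code from the article or from the lfi.php page it describes: it contrasts the unchecked resolution an LFI page performs with an allowlist-based resolver that maps a page name to a fixed directory and verifies the resolved path stays inside it. The directory /var/www/lfi/pages and the page names home, about and contact are assumptions for the example; the same pattern applies to a PHP include() by swapping in realpath() and an array of permitted names.

```python
import os

# Assumed include directory and allowlist for the example application.
ALLOWED_DIR = "/var/www/lfi/pages"
ALLOWED_PAGES = {"home", "about", "contact"}


def vulnerable_resolve(file_param):
    """What an unchecked 'include the file parameter' does: an absolute path or a
    '../' sequence escapes the intended directory, which is how /var/log/auth.log
    gets pulled into the page."""
    return os.path.normpath(os.path.join(ALLOWED_DIR, file_param))


def resolve_include(file_param):
    """Hardened resolver: the parameter must be one of a fixed set of page names,
    the extension is appended by the server, and the resolved path must still
    lie under the include directory. Returns the path, or None when rejected."""
    if file_param not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(ALLOWED_DIR)
    candidate = os.path.realpath(os.path.join(base, file_param + ".php"))
    # realpath collapses '..' and symlinks; confirm the result is inside the base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # The two parameter values an LFI chain like the one above depends on.
    for param in ["/var/log/auth.log", "../../../../var/log/auth.log", "about"]:
        print(f"{param!r}: unchecked -> {vulnerable_resolve(param)}, "
              f"hardened -> {resolve_include(param)}")
```

With the hardened resolver the log file is never readable through the page, so a poisoned auth.log entry stays inert text. Restricting auth.log's mode so the web server account cannot read it (0640 root:adm is the usual default) removes the second half of the chain independently, and both fixes are worth applying together.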
