Log Poisoning Attack (LFI to RCE via Log files)

Introduction

Log poisoning is a technique used to gain remote command execution on the web server. The attacker first gets a malicious payload written into a service's log file, such as those of Apache or SSH, and then uses an LFI vulnerability to include that log file so the payload is executed. Whether this works depends on several factors, including the design of the web application and the server configuration (in particular, whether the log file is readable by the web server's user), so it requires enumeration, analysis, and an understanding of how the web application works. For example, a payload can be written into an Apache log file via the User-Agent or other HTTP headers; with SSH, the payload can be injected through the username field of a login attempt.


SSH (/var/log/auth.log) Exploitation

Another way to get malicious code into the logs is through the SSH logs. These are most commonly found under /var/log/auth.log. Whenever someone attempts to connect to the SSH server, the attempt, including the supplied username, is logged to that file.

If that file is readable by the web server, we can run something like this:

$ ssh VICTIM-IP -l '<?php system($_GET["cmd"]);?>'

Then, we go back to the web application and attempt to include the /var/log/auth.log file. If the file is readable, we will be able to run commands via the &cmd= parameter and use this to gain a shell!
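From the defender's side, a poisoning attempt like the one above leaves a very recognisable trace in auth.log: a "username" that contains PHP tags, traversal sequences, or other characters no real login name has. The following Python is an added detection example (not part of the original writeup) that scans constructed sshd log lines and reports such entries; the sample lines, regexes and function names are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the style of sshd entries in /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 web01 sshd[2210]: Invalid user alice from 203.0.113.5 port 51022
Mar 10 12:00:03 web01 sshd[2210]: Failed password for invalid user alice from 203.0.113.5 port 51022 ssh2
Mar 10 12:01:15 web01 sshd[2231]: Invalid user <?php system($_GET["cmd"]);?> from 203.0.113.5 port 51040
Mar 10 12:02:40 web01 sshd[2250]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
Mar 10 12:03:02 web01 sshd[2262]: Invalid user ../../etc/passwd from 203.0.113.5 port 51055
"""

# Username and source address as sshd writes them for failed and successful attempts.
ENTRY_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user|Accepted \w+ for|Failed password for) "
    r"(?P<user>.*?) from (?P<ip>\S+) port \d+"
)

# Code markers that have no business inside a login name.
CODE_MARKERS = re.compile(r"<\?(?:php|=)|<script\b|\$_(?:GET|POST|REQUEST)\b", re.I)

# Characters a legitimate POSIX login name is made of.
SAFE_USERNAME = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$", re.I)


def classify_username(user: str) -> Optional[str]:
    """Return a reason string if the logged username looks injected, else None."""
    if CODE_MARKERS.search(user):
        return "embedded server-side code"
    if "../" in user or "..\\" in user:
        return "path traversal sequence"
    if not SAFE_USERNAME.match(user):
        return "characters outside a normal login name"
    return None


def find_poisoned_entries(log_text: str) -> List[Dict]:
    """Scan auth.log text and return the entries whose username is suspicious."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = ENTRY_RE.search(line)
        if not m:
            continue
        reason = classify_username(m.group("user"))
        if reason:
            hits.append({"line": lineno, "user": m.group("user"), "ip": m.group("ip"), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_poisoned_entries(SAMPLE_AUTH_LOG):
        print(f"line {hit['line']}: {hit['reason']} from {hit['ip']}: {hit['user']!r}")
```

Feeding the real file to find_poisoned_entries() on a schedule, or wiring the same regexes into a log shipper, gives an early signal that someone is staging a log-include attack, independent of whether the LFI itself has been found yet.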
