apache log poisoning with local file inclusion

So we have our Local File Inclusion vulnerability and we can read the “/etc/passwd” file, now it’s time to start escalating the attack so that we are able to execute our own commands on the target system.

lf1

In the previous post, we found the Apache log files and particularly the Apache “error.log” file using Burp Suite’s Intruder module. We are now going to use this log file to inject our own PHP code into this page.

If we tried to access “http://www.example.com/askjdhaksghfkgf” we should get an Error 404 telling us the the page was not found. Additionally, this should also echo our invalid request into the “error.log” file and we can now clearly see that by requesting anything that generates and error we have the ability to influence the contents of the “error.log” file.

lf2