To exploit Log Poisoning, an LFI is required so that the log files of the web applications running on the victim server can be read.
The most common applications are Nginx and Apache2, and their default log paths are the following:
Apache2: /var/log/apache2/access.log
Apache2: /var/log/httpd-access.log
Nginx: /var/log/nginx/access
Additionally, we can also take advantage of the SSH protocol logs, present in the path:
ssh: /var/log/auth.log
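The precondition for everything that follows is the LFI itself: an include that accepts a user-controlled path is what lets these log files be reached. The following is an added defensive example, not code from the original post, showing the two checks that close that door on the application side: a fixed allowlist of page names, and a lexical containment test that refuses any path which escapes the include directory. The directory /var/www/app/pages and the page names are assumptions constructed for the example.

```python
import os
from pathlib import Path
from typing import Optional

# Assumed layout for this example: the application only ever includes files
# from this directory (hypothetical path, constructed for the example).
PAGES_ROOT = Path("/var/www/app/pages")

# Allowlist of page names the application actually offers (constructed).
ALLOWED_PAGES = {"home", "about", "contact"}


def contain(root: Path, user_value: str) -> Optional[Path]:
    """Return root/user_value only if the normalised result stays under root.

    os.path.normpath collapses '..' segments lexically, so the check does not
    need the directory to exist. An absolute user_value replaces root when
    joined with it, so it is rejected by the same containment test.
    """
    if "\x00" in user_value:          # a null byte is never part of a page name
        return None
    candidate = Path(os.path.normpath(root / user_value))
    try:
        candidate.relative_to(root)
    except ValueError:                # escaped the root via '..' or an absolute path
        return None
    return candidate


def resolve_page(user_value: str, root: Path = PAGES_ROOT) -> Optional[Path]:
    """Two independent layers: a fixed allowlist of names, then containment."""
    if user_value not in ALLOWED_PAGES:
        return None
    return contain(root, f"{user_value}.php")


if __name__ == "__main__":
    for value in ("home", "../../../var/log/apache2/access.log", "/var/log/auth.log"):
        print(f"{value!r:45} -> {resolve_page(value)}")
```

The allowlist alone is sufficient for a fixed set of pages; the containment check is kept as a second, independent layer so that a later change to the allowlist (or a code path that bypasses it) still cannot reach /var/log.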
Once read access to one of these files has been confirmed, Log Poisoning can be performed. But what does it consist of?
The idea of this type of attack is to control the record that is written to the log file when interacting with the web application. Every time we access a website, a record of our access is appended to that file. An example of a traditional log entry would be:
192.168.47.47 - - [12/Dec/2023 20:18:41] "GET / HTTP/1.1" 200 - -
The purpose of manipulating this record is to inject PHP code into the log file: when the file is later included through the LFI, the injected code is not returned as plain text but is interpreted by the victim server, which executes whatever operations we programmed. The most common case is to obtain a Reverse Shell to our system, thus gaining unauthorized access to the victim system.
How to manipulate the log file?
To achieve this, a proxy server is needed on our side; Burp Suite is the usual choice.
Burp Suite allows us to modify the headers of our request before it is sent to the victim server. The most common way to perform Log Poisoning is to manipulate the User-Agent header, which is where our PHP code is inserted.
Here are a couple of examples of PHP code which will allow us to execute system level commands on the victim server.
Log Poisoning via SSH: ssh '<?php system("whoami"); ?>'@<IP_or_victim_domain_name>
*This example simply executes the "whoami" command on the victim system, so when the SSH log is included, the name of the user running the web service is printed on the screen.
Log Poisoning via Apache2 (header dictionary as passed to a Python requests call): headers = {'User-Agent': "<?php system($_REQUEST['cmd']); ?>"}
In this second example, the injected code reads a request parameter (cmd) and executes its value as a command on the victim system, so any command can be sent through that parameter. This is commonly called a web shell.
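Both vectors above leave the payload verbatim in a log file: the Apache/Nginx access log stores the User-Agent, and sshd writes the rejected account name into auth.log. That makes the poisoning itself detectable before the LFI is ever used. The following is an added detection example, not code from the original post: it parses combined-format access-log lines and sshd "Invalid user" lines and flags any field that carries a PHP open tag. The sample lines are constructed for the example; the second access-log line and the first auth.log line carry the two payloads shown in the post.

```python
import re
from typing import List, Tuple

# Constructed sample log lines for this example (not real traffic).
SAMPLE_ACCESS_LOG = [
    '192.168.47.47 - - [12/Dec/2023:20:18:41 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.168.47.48 - - [12/Dec/2023:20:19:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" '
    '"<?php system($_REQUEST[\'cmd\']); ?>"',
]
SAMPLE_AUTH_LOG = [
    'Dec 12 20:20:13 web sshd[1234]: Invalid user <?php system("whoami"); ?> from 192.168.47.49 port 51234',
    "Dec 12 20:21:00 web sshd[1240]: Accepted publickey for deploy from 192.168.47.50 port 51300 ssh2",
]

# Apache/Nginx "combined" format; the last two quoted fields are Referer and
# User-Agent. Apache escapes a literal quote inside a field as \" so the
# quoted groups accept backslash escapes rather than stopping at the first ".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)
# PHP open tags: the long form and the short echo form.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# sshd records the unknown account name verbatim in this message.
SSH_INVALID_RE = re.compile(r"Invalid user (?P<user>.*?) from (?P<ip>\S+)")

Finding = Tuple[str, str, str]  # (source ip, field name, offending text)


def find_poisoned_access(lines: List[str]) -> List[Finding]:
    """Flag access-log entries whose request, Referer or User-Agent carries a PHP tag."""
    findings: List[Finding] = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if m is None:
            # A payload that breaks the log format is itself worth a look.
            if PHP_TAG_RE.search(line):
                findings.append((line.split(" ", 1)[0], "unparsed", line))
            continue
        for field in ("req", "ref", "ua"):
            if PHP_TAG_RE.search(m.group(field)):
                findings.append((m.group("ip"), field, m.group(field)))
    return findings


def find_poisoned_auth(lines: List[str]) -> List[Finding]:
    """Flag sshd 'Invalid user' lines whose username contains a PHP tag."""
    findings: List[Finding] = []
    for line in lines:
        m = SSH_INVALID_RE.search(line)
        if m and PHP_TAG_RE.search(m.group("user")):
            findings.append((m.group("ip"), "ssh_user", m.group("user")))
    return findings


if __name__ == "__main__":
    hits = find_poisoned_access(SAMPLE_ACCESS_LOG) + find_poisoned_auth(SAMPLE_AUTH_LOG)
    for ip, field, text in hits:
        print(f"{ip}\t{field}\t{text}")
```

Run over a live file with a tail, an alert on any finding is a high-fidelity signal: there is no legitimate reason for a PHP open tag to appear in a User-Agent, Referer or SSH username. The same scan also tells you which source address to correlate against subsequent requests that include a log path in a page parameter.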
Once a web shell is obtained, the possibilities are endless, since we now have Remote Command Execution; the most common next step is to obtain a Reverse Shell.
Next Chapter: Reverse Shells.