# LFI, LOG POISONING AND RCE

I was playing around with something and managed to find an LFI. Once I finished exploiting it, I wondered what else I could do from an LFI, and a bunch of things popped into my head; one of them is remote code execution via LFI by poisoning logs.

## EXPLOITING LFI (local file inclusion)

Let's start with how I got the LFI and how we can poison logs.

![image](https://hackmd.io/_uploads/HJ5Gb-bvxx.png)

After checking the request and response, I came up with the idea of first trying to access the browser.php endpoint to see what it offers.

![image](https://hackmd.io/_uploads/BywiG-ZPex.png)

From the above, I managed to access the phpinfo.php file, which is good on our side. Later on I started fuzzing and finding a way to bypass.

![image](https://hackmd.io/_uploads/B1aY7Zbvee.png)

Now we have managed to exploit the LFI, but what next? There are probably a lot of options to check, but one of them is trying log poisoning.

## INITIATING MAGICS

Now that we already know there is an LFI, a quick place where we can try to inject for log poisoning is the User-Agent request header.

![image](https://hackmd.io/_uploads/Sk2kPZZPgg.png)

From here we can try to craft simple malicious code that uses `system()`. Sometimes `system()` does not work; the way to find out is by finding `phpinfo.php`, where we can see which functions are disabled and which are not. Checking this file is essential to be sure of what we're trying to do and to avoid throwing a bunch of useless payloads.

![image](https://hackmd.io/_uploads/BkmcdZbDee.png)

Now we have tried to inject our code, but we're not sure it's working. To be sure, we can use the LFI we got earlier to see whether our code has been injected or not.

Because the system is using the Apache service, we need to find the right Apache log config file, otherwise we won't be able to know if our testing worked. So my main aim here was first to trigger an error and find the right Apache version and its location.

![image](https://hackmd.io/_uploads/HJjy9WZPge.png)

In the image above, we were able to trigger an error. I was also able to bypass that error later by encoding my payloads, but I was just aiming to get an error, which I managed to do. I'm not a developer, but at least I have the basics: what you can see above is the presence of include(), which means it returns an error when something goes wrong while execution proceeds.

Let's examine the error and what we need. From the error above we can see that we're dealing with `/usr/local/www/apache24/`, which means one of the possible locations for the logs is `/var/log/httpd-access.log`.

![image](https://hackmd.io/_uploads/rkMJx3-WPlg.png)

We can see the logs. Now let's try to call the malicious code we injected into the logs and run a system command; if the command does not work, we might need to inject the code again.

![image](https://hackmd.io/_uploads/r1-BpbWPlx.png)

Now we can see the output of the `id` command in the logs, which means that what we tried to inject works very well, and we can run any command as follows.

![image](https://hackmd.io/_uploads/r1g10ZZPxx.png)

From here I tried to get a shell, so that I could have a good environment to work in.

![image](https://hackmd.io/_uploads/Hk5EJzbDex.png)
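
For spotting this chain in your own Apache access logs, here is an added detection example (not part of the original write-up): it flags entries that carry a PHP open tag in a logged field and requests whose target points at a log file or traversal path. The sample log lines are constructed, and the `file` parameter name is an assumption.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*?)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>.*?)" "(?P<agent>.*)"$'
)
PHP_TAG = re.compile(r'<\?(php|=)', re.I)  # PHP open tag has no business in a log field
# Traversal sequences or log file paths inside the request target
LFI_TARGET = re.compile(r'(\.\./|\.\.\\|/var/log/|(access|error)[._-]?log)', re.I)

def decode(value, rounds=3):
    """Undo up to `rounds` layers of URL encoding so encoded requests still match."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def scan(lines):
    """Return (line_number, client, reason) for every suspicious log entry."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line.strip())
        if not m:
            # Injected quotes or control bytes can break the format: review by hand
            findings.append((n, None, "unparseable"))
            continue
        for field in ("agent", "referer", "request"):
            if PHP_TAG.search(decode(m[field])):
                findings.append((n, m["host"], f"php-tag-in-{field}"))
        if LFI_TARGET.search(decode(m["request"])):
            findings.append((n, m["host"], "log-or-traversal-in-request"))
    return findings

# Constructed sample lines; the `file` parameter name is an assumption
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php /* constructed */ ?>"',
    '203.0.113.9 - - [01/Jan/2025:10:02:00 +0000] "GET /browser.php?file=..%2f..%2fvar%2flog%2fhttpd-access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A `php-tag` finding followed by a `log-or-traversal` request from the same client is the pattern described in this post; the durable fix is on the application side, by resolving the include target against a fixed allowlist instead of user input.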