Tutorial: Local File Inclusion to Command Execution

Some information from this article has been used from the InfoSec InstituteAs you probably know , LFI attack's allow the attackers to view local files on a server but is not limited to that. With LFI we can also get a shell (sometimes) . There is several ways to manage that and here i will focused on Apache logs. If the logs is readable we can inject a php shell in to it.I have uploaded a custom php code for that to metasploitable2 machine.So lets move on .... Here is the prove that LFI exist[clear]We are able to access different files hosted on the server......

---

Now I want to know if Apache logs are readable -Right click --> open image in new tab for enlarged view.[clear]As you can see logs are readable, so we can try an injection.

---

I will use burpsuite as a proxy to intercept the request and try the injection...a nice injection point is the User-Agent.[clear]

---

Also for learning purposes lets ssh the 'victims' box and tail the logs to see what happened in real time.[clear]As we can see are injection seems to happen without a problem.

---

Lets now navigate again to apache logs and see what happend[clear]We can see at the end of the logs we have a system warning:"Cannot execute a blank command in /var/log/apache2/access.log"

---

That means our injection work but it has nothing to execute at this point.What we have to do at this point is to add the '&cmd=' at the end of the link and execute the command we wish.

---

As we already know linux systems comes with netcat pre-installed so lets use that for our advantage and create a reverse shell to our system.[clear]And that's it we have our shell !!!Hope you like it , please add you comments below.