Ready to Start Your Career?
Create Free Account
By: Chilico
September 2, 2016
Tutorial: Local File Inclusion to Command Execution
September 2, 2016
By: Chilico
September 2, 2016
Some information from this article has been used from the InfoSec InstituteAs you probably know , LFI attack's allow the attackers to view local files on a server but is not limited to that. With LFI we can also get a shell (sometimes) . There is several ways to manage that and here i will focused on Apache logs. If the logs is readable we can inject a php shell in to it.I have uploaded a custom php code for that to metasploitable2 machine.So lets move on .... Here is the prove that LFI exist
[clear]We are able to access different files hosted on the server......Now I want to know if Apache logs are readable -
Right click --> open image in new tab for enlarged view.[clear]As you can see logs are readable, so we can try an injection.I will use burpsuite as a proxy to intercept the request and try the injection...a nice injection point is the User-Agent.
[clear]Also for learning purposes lets ssh the 'victims' box and tail the logs to see what happened in real time.
[clear]As we can see are injection seems to happen without a problem.Lets now navigate again to apache logs and see what happend
[clear]We can see at the end of the logs we have a system warning:"Cannot execute a blank command in /var/log/apache2/access.log"That means our injection work but it has nothing to execute at this point.What we have to do at this point is to add the '&cmd=' at the end of the link and execute the command we wish.
As we already know linux systems comes with netcat pre-installed so lets use that for our advantage and create a reverse shell to our system.
[clear]And that's it we have our shell !!!Hope you like it , please add you comments below.