
Some information in this article comes from the InfoSec Institute.

As you probably know, LFI attacks allow an attacker to view local files on a server, but they are not limited to that. With LFI we can also get a shell (sometimes). There are several ways to manage that, and here I will focus on Apache logs. If the logs are readable, we can inject a PHP shell into them. I have uploaded custom PHP code for that to a Metasploitable2 machine. So let's move on...
Here is the proof that the LFI exists:

We are able to access different files hosted on the server.
Now I want to know if the Apache logs are readable:

As you can see, the logs are readable, so we can try an injection.
I will use Burp Suite as a proxy to intercept the request and try the injection. A nice injection point is the User-Agent.

Also, for learning purposes, let's SSH into the 'victim' box and tail the logs to see what happens in real time.

As we can see, our injection seems to happen without a problem.
Let's now navigate to the Apache logs again and see what happened.

We can see that at the end of the logs we have a system warning: "Cannot execute a blank command in /var/log/apache2/access.log"
That means our injection worked, but it has nothing to execute at this point. What we have to do now is add '&cmd=' at the end of the link and execute the command we wish.

As we already know, Linux systems come with netcat pre-installed, so let's use that to our advantage and create a reverse shell to our system.

And that's it, we have our shell! Hope you like it, please add your comments below.
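
Seen from the server side, the steps above leave two traces in access.log: a PHP opening tag stored in a logged header, and a later request whose parameter points at the log file itself. The script below is an added example, not part of the original walkthrough, that flags both; the sample log lines, the `lfi.php` script name and the `page` parameter are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*?)" \d{3} \S+ '
    r'"(?P<referer>.*?)" "(?P<agent>.*)"$'
)
PHP_TAG = re.compile(r'<\?(php|=|\s)', re.I)   # PHP opening tag
LOG_PATH = re.compile(r'/var/log/|(access|error)[._]log', re.I)

def analyze(line):
    """Return a list of findings for one access.log line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return ["unparsed-line"]  # malformed entries deserve a manual look
    findings = []
    # Signal 1: PHP code stored in a client-controlled field (log poisoning).
    for field in ("request", "referer", "agent"):
        if PHP_TAG.search(unquote(m[field])):
            findings.append("php-tag-in-" + field)
    # Signal 2: the request points an include parameter at a log file.
    # Decode twice so double URL-encoding does not hide the path.
    if LOG_PATH.search(unquote(unquote(m["request"]))):
        findings.append("log-file-in-request")
    return findings

def scan(lines):
    """Return (line_number, client, findings) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = analyze(line)
        if found:
            hits.append((n, line.split(" ", 1)[0], found))
    return hits

# Constructed sample data (hypothetical lfi.php script and 'page' parameter).
SAMPLE = [
    '192.168.56.1 - - [10/Mar/2015:10:01:02 +0000] "GET /index.php HTTP/1.1" '
    '200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.56.1 - - [10/Mar/2015:10:02:11 +0000] "GET /lfi.php?page=index '
    'HTTP/1.1" 200 512 "-" "<?php /* constructed placeholder */ ?>"',
    '192.168.56.1 - - [10/Mar/2015:10:02:40 +0000] "GET /lfi.php?page='
    '%2Fvar%2Flog%2Fapache2%2Faccess.log&cmd=id HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Either finding alone is worth triage; both from the same client, in that order, matches the sequence shown in this post.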