Log Poisoning

Use any of the techniques covered in this section to gain RCE, then submit the output of the following command: pwd

Step 1 - Get your session cookie:

  • Open Inspect Element and copy the PHPSESSID cookie value

  • Include the session file for that cookie through the vulnerable parameter in the URL

  • The cookie values are read back from the included session file, confirming that it can be included

Step 2 - Write a web shell:

  • URL encode <?php system($_GET["cmd"]);?> and pass it in the URL so that it is stored in the session file, which turns the session file into a web shell

Step 3 - Get the output of pwd:

  • Include the session file again and append cmd=pwd to run the command through the web shell

Try to use a different technique to gain RCE and read the flag at /

Step 1 - Poison the access.log file:

  • Place /var/log/apache2/access.log in the vulnerable parameter to confirm the log file can be included

  • Intercept the request with Burp Suite

  • Change the User-Agent to a recognisable string and resend, to check that it is reflected in the log file

  • Change the User-Agent to <?php system($_GET['cmd']); ?> (use single quotes, since Apache escapes double quotes in logged headers and would break the PHP) and append cmd=id to the URL

Step 2 - Get the flag:

  • Read the flag with cmd=cat%20../../../c85ee5082f4c723ace6c0796e3a3db09.txt

And flag found!
