Apache log Poisining

-

Apache log Poisining :


This turorial is valid if an admin have done bad coding in php to get file ( the vulnerability is in LFI (local file inclusion)) and the poising the access.log file of apache

Let's Breach the machine :

The victim machine is ubuntu: 192.168.1.6

           From victim computer as index.php seems grep the file and include in the browser



The index.php is in the /var/www/html and the apache service is running and give the permission of 775 with -R to /var/log/apache2 file



In the attacker computer : as i use parrot os 

 See the log file of  http://192.168.1.6/?file=/etc/var/apache2/access.log 
The result will be





 we see the access.log file from apache folder which is obiviously  a LFI vulnerability and if we  see this type of vulnerabiltity then we can get the remote code execution using below technique


Let's intercept the traffic in Burp and we can see the intercepting traffic in below image and change the user agents like below



Now again access the http://192.168.1.6/?file=/etc/var/apache2/access.log 
you can see the the hello this is me in the log file of apache.So, here we are confirms that
the log poising works using LFI vulnerability
Test for Remote code execution from the browser.
Let's start: 
     Fire up the msfconsole  and use exploit/multi/script/web_delivery 
    

Now run the php script in the browser as shown in below picture
and the meterpreter reverse_tcp will be open



Boom, we got the shell


Happy Hacking

Comments

Post a Comment

Popular posts from this blog

Wordpress Reverse Shell

-
Image
Wordpress Reverse Shell This post is related to WordPress security testing to identify what will be possible procedure to exploit WordPress by compromising admin console. We have already setup WordPress in our windows 7 machine. Table of Content 1) Metasploit Framework 3) Upload PHP reverse shell 4) Getting reverse shell connection Requirement: Host machine: WordPress Attacker machine: Kali Linux WordPress Credential: admin: password Let's begin 1) 1st Method  The site which we are going to test is: i login into the wordpress admin Now i check upload the reverse shell (PHP) using metasploit BOOOOOOM : I got the interactive shell of windows 7 machine Let's breach in another way 2) 2nd Method I have already done login into wordpress using admin and password So, Create a PHP code file using msfvenom Now Go to the Apprereance -> Theme editor -> 404.php templetes past a php code ...
Read more

EVM: 1 Vulnhub Walkthrough

-
Image
Penetration Methodologies: Finding IP Nmap Enumeration Browsing HTTP Service Directory Bruteforce using dirb Enumeration Using WPScan Password Bruteforce using WPScan Getting Login Credentials Exploitation Exploiting using Metasploit  Getting a reverse connection  Spawning a TTY Shell  Enumeration for Root Credentials Privilege Escalation  Getting Login Credentials Logging in as root Reading the Final Flag Let's Breach:     First of all finding IP for the machine i use bridge connection.The IP of machine was 192.168.1.5 I quickly nmap the website found 80 open Then i browse the server and found that apache default page and phpinfo() Nothing interesting then i bruteforce the directory you can use gobuster and nikto also While scan is complete i found a wordpress directory that leads me to an another website Then i quickly browse the http://192.168.1.5/wordpress then i found the page d...
Read more

Chanakya Vulnhub Walkthrough

-
Image
It was the box where you have to have knowledge about using Nmap , dirb or nitko or gobuster ,ftp, ssh and metasploit .In this box we analyze the ftp connection using wireshark and got credentials and after that we gain access shell using ssh and exploit root permission using metasploit. Breaching Process  Finding IP Nmap Enumeration Nmap Deep scan Browsing HTTP service Enumerating directory ftp login Exploitation Generating ssh authorize key Gaining access to shell (ashoka) Reading chrootkit logs (using metasploit) Privilege Escalation chkrootkit Let's Breach  Using nmap we scan the network ip in our network nmap -sn  ip_range (use root permission to scan ) After sanning there are only five ip that was not hard for me to find we are using NAT in virtualbox after finding the ip we go for Enumeration (this is the phase where you have to see every single piece of information) Browsing the ip we get ...
Read more