RCE via LFI Log Poisoning

Aditya Chauhan
2 min readFeb 15, 2023

Remote Code Execution (RCE) is a type of vulnerability that allows attackers to execute arbitrary code on a remote system. RCE vulnerabilities are particularly dangerous because they allow attackers to take full control of the target system. One way attackers can exploit an RCE vulnerability is by leveraging Log Poisoning via Local File Inclusion (LFI). In this blog, we will explain how RCE via LFI Log Poisoning works and provide an example.

Local File Inclusion (LFI) is a type of vulnerability that allows attackers to include local files on a web server into a web page. When an application is vulnerable to LFI, attackers can use it to read files on the web server. Log Poisoning is a technique that involves manipulating the logs of an application to execute arbitrary code.

Here is an example of how RCE via LFI Log Poisoning can be exploited:

Suppose an application has a vulnerable PHP code that includes a log file using a user-controlled parameter. The code looks something like this:

<?php
$log_file = $_GET['log_file'];
include($log_file);
?>

In this code, the log file is included using the user-controlled parameter $log_file. An attacker can exploit this vulnerability by passing a malicious log file that contains PHP code. Here's an example of a malicious log file:

<?php
system($_GET['cmd']);
?>

When the attacker passes this log file as a parameter, the application includes it and executes the PHP code in the log file. The system function in the log file allows the attacker to execute arbitrary commands on the web server.

To execute commands on the web server, the attacker can pass the following URL:

http://example.com/index.php?log_file=/var/log/apache2/access.log&cmd=id

In this example, the attacker is passing /var/log/apache2/access.log as the $log_file parameter and id as the cmd parameter. The application includes the log file and executes the id command, which returns the user ID of the process that executed the command.

This example demonstrates how attackers can exploit an RCE vulnerability via LFI Log Poisoning. To prevent such attacks, developers should ensure that user-controlled parameters are properly validated and sanitized. It is also important to ensure that logs are properly managed and protected to prevent attackers from manipulating them. Regularly reviewing and auditing logs can help detect and prevent such attacks.

In conclusion, RCE via LFI Log Poisoning is a dangerous vulnerability that can allow attackers to take full control of a web server. It is important for developers to be aware of this vulnerability and take appropriate measures to prevent it. Regularly auditing and reviewing application logs can help detect and prevent such attacks.

#PenetrationTesting #EthicalHacking #Cybersecurity #VulnerabilityAssessment #WebApplicationSecurity #NetworkSecurity #InformationSecurity #RedTeam #BlueTeam #SecurityTesting #BugBounty #SecurityAssessment #Hacker #Exploit #Payload #Pentest #DigitalForensics #SecureCoding #OWASP #Nmap

--

--

Aditya Chauhan

ISO 27001 LA | VAPT | Synack Red Teamer | HTB Dante | HTB RASTA | HTB Cybernetics | HTB Offshore | HTB APTLabs | Cyber Security Analyst | Security Researcher