7.LOG-poisoning
Key Takeaways:
Injecting malicious code (PHP) into log files.
Leveraging LFI to execute the injected code.
Requires read access to the log files.
Vulnerable Functions:
Functions like
include()andrequire()are vulnerable.
PHP Session Poisoning:
Exploiting
PHPSESSIDcookies and session files.Identifying controllable session variables.
Injecting PHP code into the session file.
Including the session file via LFI.
Good explanation of how the session files are named, and located.
Server Log Poisoning:
Targeting
access.logfiles of Apache and Nginx.Poisoning the
User-Agentheader.Including the log file via LFI.
Differences in log file permissions between Apache and Nginx.
Good explanation of the log file locations.
Other Log Poisoning Techniques:
Mentioning other potential log files (e.g.,
sshd.log,mail,vsftpd.log).Generalizing the technique to any controllable log parameter.
The /proc/self/environ and /proc/self/fd/N files are also very useful mentions.
Additional Considerations:
Real-World Scenarios:
Attackers often use more sophisticated payloads and techniques.
WAFs and security measures can hinder these attacks.
Log rotation can make these attacks harder to perform.
Security Best Practices:
Proper input validation and sanitization are crucial.
Restricting file inclusion and log file access.
Regularly reviewing and rotating log files.
Principle of least privilege.
Log File Permissions:
Understanding log file permissions is essential for both attackers and defenders.
Properly configuring log file permissions is a critical security measure.
Automation:
Attackers may use scripts to automate log poisoning and LFI exploitation.
Defense in Depth:
Combining multiple security measures is essential.
Intrusion detection and prevention systems can help detect log poisoning attempts.
Log Monitoring:
Monitoring logs for unexpected php code, or other malicious strings is a very good defensive measure.
Last updated