7. LOG Poisoning
Key Takeaways:
- Injecting malicious code (PHP) into log files.
- Leveraging LFI to execute the injected code.
- Requires that the web server process can read the log files.
Vulnerable Functions:
- Functions like include() and require() are vulnerable when the included path is user-controlled.
PHP Session Poisoning:
- Exploiting PHPSESSID cookies and session files.
- Identifying controllable session variables.
- Injecting PHP code into the session file.
- Including the session file via LFI.
- Good explanation of how the session files are named and located.
Server Log Poisoning:
- Targeting access.log files of Apache and Nginx.
- Poisoning the User-Agent header.
- Including the log file via LFI.
- Differences in log file permissions between Apache and Nginx.
- Good explanation of the log file locations.
Other Log Poisoning Techniques:
- Mentioning other potential log files (e.g., sshd.log, mail, vsftpd.log).
- Generalizing the technique to any controllable log parameter.
- The /proc/self/environ and /proc/self/fd/N files are also very useful mentions.
Additional Considerations:
Real-World Scenarios:
- Attackers often use more sophisticated payloads and techniques.
- WAFs and security measures can hinder these attacks.
- Log rotation can make these attacks harder to perform.
Security Best Practices:
- Proper input validation and sanitization are crucial.
- Restricting file inclusion and log file access.
- Regularly reviewing and rotating log files.
- Principle of least privilege.
Log File Permissions:
- Understanding log file permissions is essential for both attackers and defenders.
- Properly configuring log file permissions is a critical security measure.
Automation:
- Attackers may use scripts to automate log poisoning and LFI exploitation.
Defense in Depth:
- Combining multiple security measures is essential.
- Intrusion detection and prevention systems can help detect log poisoning attempts.
Log Monitoring:
- Monitoring logs for unexpected PHP code or other malicious strings is a very good defensive measure.
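As an added defensive example (not part of the original notes), the Python script below scans Apache-style access-log lines for the two signals this page describes: PHP open tags injected through client-controlled fields such as User-Agent, and inclusion requests aimed at log files, PHP session files or /proc/self paths. The log lines, IP addresses and the session-file path are constructed sample data.

```python
import re
from urllib.parse import unquote
from typing import Dict, List

# Constructed Apache combined-format lines (sample data, not real traffic).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "<?php echo 1; ?>"',
    '10.0.0.9 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:56:09 +0000] "GET /index.php?page=%2fproc%2fself%2fenviron HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:56:12 +0000] "GET /index.php?page=/var/lib/php/sessions/sess_PLACEHOLDERID HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

# A PHP open tag (<?php or the short echo tag <?=) anywhere in the line:
# a request log never legitimately contains one, so it is a strong signal.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Inclusion targets this page discusses: directory traversal, log
# directories, PHP session files (sess_<PHPSESSID>) and /proc/self/{environ,fd/N}.
LFI_TARGET = re.compile(
    r"(?:\.\./|/var/log/|/sess_|/proc/self/(?:environ|fd/\d+))", re.IGNORECASE)


def classify(line: str) -> List[str]:
    """Return finding labels for one log line; an empty list means clean."""
    decoded = unquote(line)  # also catch %2e%2e%2f-style encoded paths
    findings = []
    if PHP_TAG.search(decoded):
        findings.append("php-tag")
    if LFI_TARGET.search(decoded):
        findings.append("lfi-target")
    return findings


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Scan a log; return one dict per suspicious line with its 1-based number."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            hits.append({"line_no": number, "findings": findings, "line": line})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_ACCESS_LOG):
        print(f"line {hit['line_no']}: {', '.join(hit['findings'])}")
```

To use it on a real server, replace SAMPLE_ACCESS_LOG with the lines read from the access log; a php-tag hit in the User-Agent field is the clearest indicator that someone is seeding the log for later inclusion.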