Hello readers, in this tutorial we will show you how we can perform ssh log Poisoning through local file inclusion vulnerability. But before start this we want to express important things about this attack.

What is Local File Inclusion ?

LFI ( Local File Inclusion ) is the type of web vulnerability that is commonly found in web application which can make a deep impact on web application. This vulnerability can lead many types of attacks such as :

  • Remote Code Execution (RCE)
  • Cross-site Scripting (XSS)
  • DDos Attack
  • Arbitrary Command Injection

Can Log Poisoning Possible Through LFI ?

Absolutely ! we can perform log poisoning through lfi vulnerability but with the help of some important factors such as :

  • Some ports must be enabled on the web server such as telnet ssh apache etc.
  • Error or log files must have special permissions.

Note : If special permissions has not be given on those files then you cannot take the meterpreter session of web server.

Requirements

Kali Linux = Attacker
Ubuntu = Victim

Now lets get started !! 🙂

Login in Ubuntu as “root” and create a directory on the given location.

Now we will insert the given configuration into the lfi.php file which will allow the user to include a file via a file parameter.

Start the apache server using the following command.

Now our server is vulnerable from lfi, Hence we can execute the system level commands on browser.

SSH Log Poisoning

Before starting we need to give some additional permission to the log file with the help of which other users can read log files from the 👥 browser.

We will use the following command to continuously read the upcoming logs.

Now we have to go back to the kali linux and check whether the ssh port is visible from the attacker’s side.

As we know the auth.log file generates a log in every success and failed login attempt. Now we will try to connect as fake users, which will contain malicious php code.
Usage 🙂 <- ssh code@vicitm IP Address ->

Now you can see that the malicious PHP code has arrived in the log file.

Now we can take advantage of this vulnerability by execute the arbitrary command on browser such as

Now lets try to take the meterpreter of the web server.

Paste and execute the above highlighted php code on the browser as shown below.

Great !! 🙂 Our meterpreter is finally come to here.

About the Author
Shubham Goyal Certified Ethical Hacker, information security analyst, penetration tester and researcher. Can be Connect on Linkedin and Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *