1

As a beginner in a security research project, I came across log injection, and my question is about log injection files. Are log injection files executable? If not, how do they execute/run malicious code/files uploaded onto them if a log-injection vulnerability exists?

forest

2 Answers

2

By reading your question, I think you are talking about log poisoning attacks.

For example, if you have discovered a vulnerability called local file inclusion (LFI), it could be possible to poison the logs, which could result in code execution through log poisoning.

Let me give you some more details by showing some (very wrong) code:

<?php
  if (isset($_GET['file'])) {
     include($_GET['file']);
  }
?>

This code will include any file, execute it and display it in the user's browser. Now let's assume for a moment that the PHP open_basedir* is not configured.

https://www.somedomain.tld/index.php?file=contact.php

Now this would load the contact.php file, which is located in the same directory as where the web pages are served.

Now by changing the filename to something like this:

https://www.somedomain.tld/index.php?file=../../../../../var/log/nginx/access_log

In this scenario, let's assume that the log file is loaded and displayed in the user's browser. In this case it's already bad enough because you can basically load any file that the www-user has read access to.

Log Poisoning

Now let's inject some PHP code in the log file. This can be achieved by doing something like this:

https://www.somedomain.tld/index.php?file=<?php echo phpinfo(); ?>

Since this is an HTTP GET request, this will end up in the log file. This stage is called log file poisoning. Although the above request will most likely display an error, by re-reading the web server's log file, the code will be executed.

Code Execution

Since the web server log file is poisoned with the previously injected PHP code, by loading the web server's log file the following will happen:

  1. PHP reads the log file.
  2. PHP detects the PHP code in the log file.
  3. PHP will parse the PHP code and parse its output to the user's browser, displaying the PHP info.

Where to go from here

Use your imagination where to go from here. Here are a few things that come to mind though:

  1. Try exec, passthru to see if you can execute commands (there is a difference between code and command execution)
  2. Use the command wget to download a web shell or a reverse shell.

To sum things up:

  1. Log files do not (should not) have the executable bit set.
  2. Read access to log files is enough to execute code after they're poisoned (this requires LFI)
  3. Web server logs are not the only log files that can be poisoned, and email could do the trick too.

* = open_basedir is a directory restriction in PHP. When set, only files within the path of the open_basedir can be read.
Jeroen
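A defensive check for the sequence described in the answer above, as an added example that is not part of the original answer: it scans access-log lines for a literal PHP opening tag (which would execute if the log were included), a percent-encoded tag (stored as inert text), and a request whose parameter traverses to a log path. The log lines are constructed samples, and the function names and finding labels are assumptions of this example.

```python
import re
from urllib.parse import unquote

# PHP opening tags: <?php, <?= and the short <? form (needs short_open_tag).
PHP_TAG = re.compile(r"<\?(?:php|=|\s)", re.IGNORECASE)
# Directory traversal that ends at a log path, as in ?file=../../var/log/...
TRAVERSAL_TO_LOG = re.compile(r"(?:\.\./)+.*(?:/log/|\.log\b|_log\b)", re.IGNORECASE)

def classify(line: str) -> set:
    """Return the set of findings for one access-log line."""
    findings = set()
    decoded = unquote(line)
    if PHP_TAG.search(line):
        # Literal tag bytes are in the log: include() on this file would run them.
        findings.add("live-php-tag")
    elif PHP_TAG.search(decoded):
        # Tag only appears after percent-decoding: an attempt, inert as stored.
        findings.add("encoded-php-tag")
    if TRAVERSAL_TO_LOG.search(decoded):
        findings.add("lfi-log-read")
    return findings

def scan(lines):
    """Yield (line_number, findings) for every suspicious line."""
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            yield number, findings

# Constructed sample lines in nginx "combined" format (not from a real server).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?file=contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?file=<?php echo phpinfo(); ?> HTTP/1.1" 200 31 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:09 +0000] "GET /index.php?file=%3C%3Fphp%20echo%20phpinfo()%3B%20%3F%3E HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "GET /index.php?file=../../../../../var/log/nginx/access_log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE):
        print(number, sorted(findings))
```

A "live-php-tag" line followed by an "lfi-log-read" line from the same client is the poisoning-then-inclusion pattern; the durable fix remains removing the user-controlled include and setting open_basedir.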
1

There are no "log injection files". Logging can be done into files, and injected logs will thus end up in the files too. Execution only comes into play if someone executes code based on data in the log files by assuming that these data can be trusted. It is not about executing the log files themselves.

For more see OWASP: Log Injection.

Steffen Ullrich