Month: March 2014

LFI to shell – exploiting Apache access log

Local file inclusion (LFI) is normally known to be used to extract the contents of different files of the server the site is hosted on. This includes files like passwd, hosts, etc. But have you ever thought about how you could take this to another level? A level where you can initialize reverse shell, get a browser shell on the server (c99, b374k, etc).

Well, this is what I am going to explain in this post 🙂 So let’s no waste any more time, and let’s get hacking instead! (more…)