What starting position does this attack require?

The first step is PHP payload executes as the web user (W-CMDI) — a execution primitive. Assumed environment: PHP app with an include/require parameter that doesn't sanitize traversal.

What is the final impact of this kill-chain?

The final step lands on Read source + locate logs (W-PATH-TRAVERSAL), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

LFI → log poisoning → RCE

Local file inclusion that reads the web server's access log. Send a request whose User-Agent contains PHP, then LFI the log file to execute it.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Execution

PHP payload executes as the web user

W-CMDI · OS Command Injection

Persistence

Drop webshell / reverse shell

W-WEBSHELL · Webshell Deployment

Execution

Inject PHP into User-Agent

W-LOG-POISONING · Log Poisoning + LFI

Lateral Movement

Include the poisoned log file

W-LFI · Local File Inclusion (LFI)

Lateral Movement

Find LFI parameter

W-LFI · Local File Inclusion (LFI)

?page=../../etc/passwd / php://filter/convert.base64-encode

Lateral Movement

Read source + locate logs

W-PATH-TRAVERSAL · Path Traversal

§ Context

Assumed environment: PHP app with an include/require parameter that doesn't sanitize traversal. Web server logs include User-Agent and the web user can read them.

§ Steps

01
PHP payload executes as the web userExecution
W-CMDI— OS Command Injection
02
Drop webshell / reverse shellPersistence
W-WEBSHELL— Webshell Deployment
03
Inject PHP into User-AgentExecution
W-LOG-POISONING— Log Poisoning + LFI
04
Include the poisoned log fileLateral Movement
W-LFI— Local File Inclusion (LFI)
05
Find LFI parameterLateral Movement
W-LFI— Local File Inclusion (LFI)
?page=../../etc/passwd / php://filter/convert.base64-encode
06
Read source + locate logsLateral Movement
W-PATH-TRAVERSAL— Path Traversal

§ Frequently asked

What is the "LFI → log poisoning → RCE" attack path?: Local file inclusion that reads the web server's access log. Send a request whose User-Agent contains PHP, then LFI the log file to execute it. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is PHP payload executes as the web user (W-CMDI) — a execution primitive. Assumed environment: PHP app with an include/require parameter that doesn't sanitize traversal.
What is the final impact of this kill-chain?: The final step lands on Read source + locate logs (W-PATH-TRAVERSAL), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

Shared techniques2
File upload bypass → webshell → RCE
Upload filter checks extension or MIME but not magic bytes / final path. Bypass via double extension, content-type spoof, or polyglot, then call the dropped script.

§ Context

§ Steps

§ Frequently asked

§ Related dossiers

File upload bypass → webshell → RCE