SSI injection attack

SSI injection attack


How about we imagine we have a web application with various pages and each page requires an adjustment of the route menu or header/footer text before we start. Physically changing the HTML code for each page would be awkward. This is the place where the SSI (Server Side Includes Injection) highlight proves to be useful. It can infuse the necessary material into all pages powerfully.

Learning Objectives

What is SSI injection?

SSIs are Web application orders that are utilized to give dynamic substance into a HTML page. SSIs are like CGIs, then again, actually they are utilized to do exercises previously or during the representation of a page. Prior to conveying the page to the client, the web server analyzes SSI.

SSI Injection Attack Scenario

Let us analyse some ssi injection examples

Model 1

SSI infusion orders vary contingent upon the server working framework being used. The linguistic structure for executing OS orders is displayed underneath.


Documents in the index are recorded underneath.

<!--#executive cmd="ls" - - >

Access catalogs:

<!--#executive cmd="cd/root/dir/">

Execution script:

<!--#executive cmd="wget | rename shell.txt shell.php" - - >


List documents of index:

<!--#executive cmd="dir" - - >

Access indexes:

<!--#executive cmd="cd C:\admin\dir">

Model 2

Further SSI situations for getting and setting server information include:

To change the result of the blunder message, do the accompanying:

	<!--#config errmsg="File not found, illuminates clients and secret word"- - >

To show the current record's filename, type:

	<!--#reverberation var="DOCUMENT_NAME" - ->

To show the virtual way and filename, type:

	<!--#reverberation var="DOCUMENT_URI" - - >

The date and time yield arrangement can be altered utilizing the "config" order and the "timefmt" boundary:

	<!--#config timefmt="A %B %d %Y %r"- - >

It is feasible to yield the size of a predetermined record utilizing the "fsize" order:

	<!--#fsize file="ssi.shtml" - - >

How to test for SSI injection?

Infuse SSI guidelines as client contribution to test for exploitable SSI. The server will execute the mandate assuming SSI is empowered and client input approval isn't accurately carried out. Similarly, that a conventional prearranging language infusion weakness happens when client input isn't as expected assessed and cleaned, this weakness emerges when client input isn't as expected approved and disinfected.

Decide if the web server upholds SSI orders first. Since SSI help is so famous, the reaction is often yes. Find the kind of web server that the objective is running utilizing data gathering methods to check whether SSI mandates are upheld (see Fingerprint Web Server). Assuming you approach the code, search for specific terms in the webserver arrangement documents to check whether SSI orders are utilized.

Checking for pages with the.shtml postfix, which is connected with SSI mandates, is one more method to guarantee that SSI orders are empowered. Since the.shtml expansion isn't needed, the nonappearance of .shtml documents doesn't be guaranteed to suggest that the objective is safe to SSI infusion assaults.

The following stage is to recognize all conceivable client input vectors and assess regardless of whether the SSI infusion can be taken advantage of.

To start, find each of the pages that take into consideration client input. Headers and treats are instances of possible info vectors. Decide how the info is saved and utilized, for example, whether it is returned as a blunder message or a page component, and whether it has been refreshed. Knowing where the information vectors are and the way that info is handled is more straightforward assuming you approach the source code.

You might check on the off chance that the info has been fittingly screened once you have a rundown of plausible infusion places. Learn that SSI orders like!#=/."- > can be infused. [a-zA-Z0-9] and [a-zA-Z0-9] are two models.

The code beneath returns the variable's worth. The references area contains helpful connections to server-explicit documentation that can support your assessment of a framework.

->!-#reverberation var="VAR" - >!- #echo var="VAR" - >!- #echo var

On the off chance that the gave document is a CGI script, the result of the CGI content will be incorporated while utilizing the incorporate mandate. This order can likewise be utilized to list documents in a registry or incorporate the substance of a record:

->!-#incorporate virtual="FILENAME" - >!- #include virtual="FILENAME" - >!- #include virtual="

To come by the aftereffect of a framework order, type:

->!-#executive cmd="OS COMMAND" - >!- #exec cmd="OS COMMAND" - >!- #exec cmd

The order is infused assuming that the application is helpless, and it is assessed by the server whenever the page is given.

Assuming the web application is utilizing that information to create a progressively produced page, the SSI orders can likewise be infused in the HTTP headers despite having an API security:



Referer: <!- - #exec cmd="/container/ps hatchet"- - >

Client Agent: <!- - #include virtual="/proc/variant"- - >

Remediation and prevention

Characters utilized in SSI mandates ought not be available, and client info ought to be approved. Another methodology of ssi injection prevention is to have the client input HTML encoded prior to showing it on the website pages. The orders can be restricted to the destinations where they are essential by independently adding them to the server's config document. SSI can be set up for.htm and.html pages also. We ought to keep away from using.stm,.shtm, and.shtml on our pages since they make it simpler for aggressors to uncover blemishes and ultimately forestall ssi injection remediation.

Subscribe for the latest news