info ‐ SSI Injection - taylorjohn/hacking GitHub Wiki

List of SSI Directives with Descriptions:

1. include:

   • Syntax: <!--#include virtual="/header.html" -->
   • Description: Includes the content of the specified file into the current HTML page.

2. echo:

   • Syntax: <!--#echo var="DATE_LOCAL" -->
   • Description: Outputs the value of the specified variable, such as the current date.

3. exec:

   • Syntax: <!--#exec cmd="whoami" -->
   • Description: Executes the specified shell command on the server and outputs the result.

4. config:

   • Syntax: <!--#config timefmt="A %B %d %Y %r" -->
   • Description: Configures various settings, such as the date and time output format.

5. fsize:

   • Syntax: <!--#fsize file="ssi.shtml" -->
   • Description: Displays the size of the specified file.

6. Other SSI Directives:

   • access:

     • Syntax: <!--#access file="filename" -->
     • Description: Checks if the specified file is accessible.

   • errmsg:

     • Syntax: <!--#config errmsg="File not found" -->
     • Description: Sets the error message to be displayed if a file is not found.

   • document_name:

     • Syntax: <!--#echo var="DOCUMENT_NAME" -->
     • Description: Outputs the name of the current document.

   • document_uri:

     • Syntax: <!--#echo var="DOCUMENT_URI" -->
     • Description: Outputs the virtual path and filename of the current document.

   • set:

     • Syntax: <!--#set var="varname" value="value" -->
     • Description: Sets the value of the specified variable.

   • flastmod:

     • Syntax: <!--#flastmod file="filename" -->
     • Description: Outputs the last modification date of the specified file.

   • include virtual:

     • Syntax: <!--#include virtual="filename" -->
     • Description: Includes the content of the specified file into the current HTML page.

   • exec cgi:

     • Syntax: <!--#exec cgi="cgi-script" -->
     • Description: Executes the specified CGI script.

   • printenv:

     • Syntax: <!--#printenv -->
     • Description: Outputs all environment variables.

   • if:

     • Syntax: <!--#if expr="expression" -->
     • Description: Conditional directive based on the specified expression.

Description of SSI Injection: SSI (Server-side Include) injection is a vulnerability that allows attackers to inject malicious code into a web application/server. It occurs due to improper validation of user input, allowing execution of injected code upon page load. Attackers exploit this vulnerability to execute arbitrary commands on the server, potentially accessing sensitive data or compromising server security.

Steps in SSI Injection Attack:

1. Identify Vulnerability: Check if SSI characters/operators are properly validated in the web application.
2. Check Server Support: Confirm SSI support by examining file extensions like .stm, .shtm, or .shtml.
3. Execute Attack: Inject test SSI commands to confirm vulnerability, then execute malicious commands to achieve objectives.

Example SSI Injection Commands:

• Linux:
  • <!--#exec cmd="ls" -->: List files in directory.
  • <!--#exec cmd="cd /root/dir/" -->: Access directories.
• Windows:
  • <!--#exec cmd="dir" -->: List files in directory.
  • <!--#exec cmd="cd C:\admin\dir" -->: Access directories.

By understanding SSI directives and the risk of injection attacks, developers can implement proper input validation and security measures to safeguard web applications against exploitation.

Preventing SSI Injection:

1. Input Validation: Validate and sanitize user input to prevent injection attacks.
2. Output Encoding: Encode user-supplied data included in server-side scripts to prevent execution.
3. Disable Unnecessary Directives: Limit the use of SSI directives to minimize attack surface.
4. Security Audits: Regularly audit and test application security to identify and mitigate vulnerabilities.

By understanding SSI injection and implementing appropriate security measures, web applications can protect against this type of exploit, safeguarding sensitive data and server integrity.