SSI Injection


Command Injection & SSI
Foxy Proxy
8m 49s

The course is part of this learning path

Start course

In this course, we continue working on bWAPP and we're going to use it to learn about some new attacks, namely command injection and SSI vulnerabilities.


Hi, within this lecture we're going to continue covering some kind of injections. And this time, we're going to cover something called SSI Injection. Again this is an injection but most probably you haven't heard this before if you're not into web testing or if you're not a web developer. So, just go for the Server-Side Includes Injection and I'm going to tell you what it is. So, , we're going to learn about this SSI and we're going to try and inject it. So, what's an SSI?

It's actually server-side as you can see. So, let me just search for it and you will understand what it is. So, SSI Server-Side Includes. So, it' s server-side. It runs on the server and it's actually a server-side scripting language. It's kind of a scripting language or programming language, but it's very easy. Its usage is very limited but it's used in web development. So, if you go to Wikipedia for this, you can see that it's an interpreted server-side scripting language. So, it's almost exclusively used for worldwide web. So, if you're not developing your website, there is no reason to use this at all. And they're kind of directives that are kind of commands that you use in this SSI scripting language And most popular one is the include directive.

So, they try to include some pages or they try to include some sources into somewhere by using this SSI scripting language but there are also other directives or commands as well. So, as you can see, in order for web server to be SSI enabled, you can just look for the extensions like shtml or stm, shtm. So, if you want to understand whether this website uses SSI, you can just see the extensions of the current web page. We're going to see how it looks like. So, let me go to other tutorial that we have found from Google. Here we go. We have different kind of directives, different kind of usage in here. I believe we have it in there as well. Here we go. So, we have the include directive as I said before. So, the most used SSI directive, it allows the content of one documentary transmuted in another. So, they use it every time in web development and they generally don't use the exec command or echo command or config or flastmode or something like that, but it can be used as well. So, they generally use this. For example, this web page contains a daily quotation and they can just include this by using this syntax. And syntax looks like we are taking a note in html, right? So, it's a little bit weird but we can totally use this. And we can use this of course, we can try to include some stuff if we have some I don't know, hidden files or something to show like we have done in previous sections, but over here we have the exec command as well. So, echo command, config commands, the fsize command, we're not particularly interested in them but we are interested in the execute command. So, rather than include, we're going to try with execute which makes much more sense, because in the echo we can just write something like show some scripting or show some paragraphs to the user. It won't do much. And in include, we can just show maybe some kind of files and folders but in execute we can execute commands if this works. As you can see there's a syntax for that as well. So, just try to copy this or it's very pretty easy. You can just write it on your own. Just pose the video and write it. It will be a practice for you. So, what it does, it tries to execute this command on server. So, it tries to execute LS command as you can see. Of course, we can write any command that we want and we will. So, I'm going to copy this and come back to here not here and not there but to bWAPP. And over there as you can see, it looks for the IP address.

Let's try without an injection first. If I say look up, it will say, "Hello, your IP addresses this". So, this is what it does. And maybe we can see the SSI code from here. Let me try and see. I'm going to inspect the element. Here we go We have the HTML file. And if you go to debugger, we should have seen it in the debugger if we had any kind of codes over here. So I believe we cannot see it. Yep, in the storage, there is no point looking at here. So, it would have popped up in the debugger if we had the chance to see it. But, there isn't any point to see that because if you look at the URL, it's already shtml. So, I know that this is definitely SSI. So, I can try to inject SSI. And in order to do that, I'm just going to paste the thing that I have copied to first name section or last name section. By the way, sometimes it works in first name but it doesn't work in the last name and vice a versa. Not in this case, it works everywhere in this case, but in real life examples. So, again, this command is written like this, syntax is like this. Make sure you spell it out exactly like this rather than LSL. I'm just going to try and run LS, okay? So, I'm going to give so mething over here and say, "Lookup". And here you go. Now, we get the part over here. We get the LS result back in here. So, forget about the LS. I'm just going to go in and hit the net cat. I'm going to say, "nc". So, this is my IP address and I'm going to go for ports 1,2,3,4 and I'm going to execute this within bin bash and yep, here we go. I'm not going to delete this. I'm going to say, "sam" and of course I'm going to listen it from here as well 'nvlp 1234'. Let's see if we can hack this website. I'm going to say, 'Lookup' and here you go. We got the connection back. So, "whoami"?

I'm data. Very very good. So, now you know about SSI. We're going to stop here and continue talking about this particular subject in the next lecture as well.

About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.