Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Has anyone seen
Posted by: rsnake
Date: August 21, 2006 12:26PM

The other day I was talking with Jeremiah Grossman and I couldn't come up with a single example for the SSI include injection stuff. PHP injection is far more common these days because it's just a more widely used language than shell. Has anyone seen this or have a working example they'd like to show? I know it's possible because I can create something that is exploitable, but not because I've ever seen it in the wild. Also, am I missing anything? Is there anything beyond SSI and PHP that is exploitable that should be mentioned on the XSS Cheat Sheet?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Has anyone seen
Posted by: kirke
Date: September 21, 2006 09:28AM

SSI injection is very limited, even though it was one of the first vulnerabilities ever published (besides some CGI flaws, see the corresponding RFC).
I. g. injection is only possible if the SSI code in the page contains user-provided variables, as usual. For example:

<!--#echo var="QUERY_STRING" -->

I'm not sure if there're servers which are vulnerable to something like:

<!--#if expr="${QUERY_STRING} = /heureca/" -->

I've never seen vulnerable SSI, but if the server parses SSI, and you're able to upload files, somehow, then you got a persistent attack ;-)

Re: Has anyone seen
Posted by: rsnake
Date: September 21, 2006 10:33AM

That was my feeling too... I've never actually seen one that's vulnerable. I've seen plenty of file includes that are vulnerable in PHP, but I think of that as slightly different because it involves pulling in a remote file. I think one of the other problems is that SSI largely used the .shtml extension, and there are practically no pages called *.shtml that I'm aware of.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Has anyone seen
Posted by: kirke
Date: September 21, 2006 11:40AM

Managed to check the if-condition example on an old Apache 1.3.x: it's not vulnerable.

> .. file includes
SSI has this functionality too, but it needs to use the variables passed from the client to exploit it. Something like:

<!--#include virtual="/bin/ls <!--#echo var="QUERY_STRING" -->" -->

Note the nested double quotes here (funny that programmers managed to parse that 20 years ago, while modern Java addicts miserably fail :)

> .. problems is that SSI largely used the .shtm ..
I doubt it. Most configs I've seen use .htm[l] for SSI too, 'cause of the laziness of programmers and admins (permanently ignoring the performance penalty they get with that).
I. g. you cannot check if SSI is enabled with a blackbox test. Sigh.

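Kirke's two posts make the same point from both sides: injection needs a directive that consumes a client-controlled variable (echo, an expr, or worse an include/exec path), and you cannot tell from outside whether the server parses SSI at all, so the check belongs on the server. The following Python audit script is an added example, not code from this thread or from Apache; it scans a template for mod_include directives that reference request-controlled variables. The variable list, the severity rules and the sample template are assumptions constructed for the example.

```python
import re

# Apache mod_include directive: <!--#cmd attr="value" ... -->
DIRECTIVE_RE = re.compile(r'<!--#\s*(\w+)\s+(.*?)-->', re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
VAR_REF_RE = re.compile(r'\$\{?([A-Za-z_]\w*)\}?')  # ${VAR} / $VAR in attribute values

# Request-controlled CGI variables mod_include exposes (assumption: illustrative list).
CLIENT_VARS = {"QUERY_STRING", "QUERY_STRING_UNESCAPED", "REQUEST_URI", "PATH_INFO", "DOCUMENT_URI"}
CLIENT_PREFIXES = ("HTTP_",)  # HTTP_USER_AGENT, HTTP_REFERER, HTTP_COOKIE, ...

def is_client_var(name):
    return name in CLIENT_VARS or name.startswith(CLIENT_PREFIXES)

def severity(cmd, attrs):
    if cmd in ("exec", "include"):
        return "high"    # client data reaches a command or an include path
    if cmd == "echo" and attrs.get("encoding", "entity") == "none":
        return "high"    # raw reflection; mod_include entity-encodes echo by default
    return "medium"      # encoded echo or expression: still attacker-influenced

def audit_ssi(text):
    """Return (line, directive, variable, severity) for each directive using client input."""
    findings = []
    for m in DIRECTIVE_RE.finditer(text):
        cmd = m.group(1).lower()
        attrs = dict(ATTR_RE.findall(m.group(2)))
        line = text.count("\n", 0, m.start()) + 1
        names = set()
        if cmd == "echo" and "var" in attrs:
            names.add(attrs["var"])
        for value in attrs.values():
            names.update(VAR_REF_RE.findall(value))
        for name in sorted(names):
            if is_client_var(name):
                findings.append((line, cmd, name, severity(cmd, attrs)))
    return findings

# Constructed sample template (not from the thread): safe and unsafe directives mixed.
SAMPLE = """<html>
<p>You searched for: <!--#echo var="QUERY_STRING" --></p>
<!--#if expr="${QUERY_STRING} = /heureca/" -->found<!--#endif -->
<!--#include virtual="/cgi-bin/list.cgi?${QUERY_STRING}" -->
<!--#echo var="DATE_LOCAL" -->
</html>"""

if __name__ == "__main__":
    for line, cmd, var, sev in audit_ssi(SAMPLE):
        print(f"line {line}: #{cmd} uses {var} [{sev}]")
```

Run it over every file the server hands to mod_include (including .htm[l] when the config maps those, as kirke notes), not only *.shtml.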
Re: Has anyone seen
Posted by: rsnake
Date: September 21, 2006 05:59PM

Hm, odd... I've never seen SSI installed as anything other than .shtml... but I guess laziness is the reason for that. Thankfully it's not turned on by default anyway.

- RSnake
Gotta love it. http://ha.ckers.org
