SSI Exploitation

  1. #1
    Junior Member
    Join Date
    Feb 2003
    Posts
    20

    SSI Exploitation

    How does SSI exploitation work?
    "SpeAk YouRSelF"

  2. #2
    Banned
    Join Date
    Jul 2002
    Posts
    877

    Re: SSI Exploitation

    Originally posted here by Kulay
    How does SSI exploitation work?
    That's not exactly the type of thing to be asking around here. In fact I think this is only half a step above asking how hotmail "hacking" works. But I'm bored so I'm just going to go ahead and answer your stupid ****ing question...

    If I remember correctly... if there is a script that prints the output in a .shtml file then it might be possible to insert file includes, and if it has shitty server configuration you've also got execution of commands. Below this is a very poor example of an attacker inserting SSI tags into the Referrer and User-Agent fields. Depending on whether the software outputs this information as text or in image form this could possibly lead to file includes or maybe even command execution.

    ______________________________________
    su-2.05# telnet localhost 80
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    GET / HTTP/1.0
    Referer:
    User-Agent:

    HTTP/1.1 200 OK
    Date: Sun, 10 Aug 2003 00:0:00 GMT
    Server: Sux
    Connection: close
    Content-Type: text/html
    ______________________________________

    I hope the lame question has been successfully answered. And by the way dude, you're welcome ya damn moron.

  3. #3
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    so feisty eh |The|Specialist

    He could also ask this question out of the "security" point of view so he won't make his scripts real insecure by not caring about SSI.
    One example you gave is if the output is somehow stored into an .shtml file which can have server side includes (SSI) enabled. That can be a way for lazy programmers to add files or commands into a simple .shtml file, without needing all kinds of cgi or other scripty things. You can for instance add header files with the logo of your website and the css thingys in it to the top of all shtml files, so you don't have to copy and paste it to all of them. If you, however, make a script that asks for a name or something with no input filtering and you put on the shtml page something like "Hi, <insert name here with some script>" a malicious user could insert an SSI tag (see |The|Specialist's post) and get the /etc/passwd file on the page.

    I know I explained this very shitty, but well... go search on google and you'll find a thousand times better info than I could type here in hours.
    Double Dutch

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    380
    I think this question has to do with the following post

    http://www.antionline.com/showthread...hreadid=245613

    That "Hack This Site" challenge has spurred quite a bit of "How to hack" questions lately.
    Scorp666, the Infamous Orgasmatron

  5. #5
    Senior Member
    Join Date
    Feb 2003
    Posts
    282
    my two cents:

    SSI, just like any other web technology, can be exploited when used in the wrong way. SSI for example can execute system commands. If we think of the power a malicious person has with this ability, the possibilities are endless. This is why most free web hosts disable SSI. This is not necessarily because they don't trust you, but they don't trust anyone, including your site visitors. When SSI statements such as exec are placed into an HTML document, these powers become available. Say you upload a new shtml document to the host, you could be the malicious one. Or you may not be malicious but maybe someone who signs your guestbook might.

    Anyway, an attacker who can get an SSI-enabled page to be parsed by the server can exploit the server. Filling in a web form such as a guest book, for example, is a common way to inject SSI into an already existing SSI document. I will not go into details on how to do this however.

  6. #6
    Junior Member
    Join Date
    Feb 2003
    Posts
    20
    Thanks, somehow I've learned something out of it. Just out of curiosity, is there any security for this?
    "SpeAk YouRSelF"

  7. #7
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    yes, disable ssi on the server side
    Double Dutch
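
Where SSI has to stay enabled, the unfiltered-input problem described in posts #3 and #5 can be handled in the script that writes the page. The following is an added example, not code from any poster in this thread: it flags SSI directives in request fields (the Referrer and User-Agent case from post #2) and escapes visitor input before it lands in a parsed .shtml file. The function names and the sample request are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# An SSI directive looks like <!--#element attribute="value" -->.
# Match any element name, so unfamiliar directives are flagged too.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([a-z]+)", re.IGNORECASE)


def find_ssi_directives(value):
    """Return the lower-cased SSI element names found in a string.

    The value is also checked after percent-decoding, because header
    and form values may arrive URL-encoded.
    """
    found = []
    for candidate in (value, unquote(value)):
        for match in SSI_DIRECTIVE.finditer(candidate):
            name = match.group(1).lower()
            if name not in found:
                found.append(name)
    return found


def audit_request(fields):
    """Map each field name to the directives it carries (clean fields omitted)."""
    hits = {}
    for name, value in fields.items():
        directives = find_ssi_directives(value)
        if directives:
            hits[name] = directives
    return hits


def render_entry(name, message):
    """Build a guestbook line for an .shtml page.

    html.escape turns '<' into '&lt;', so no '<!--#' sequence from the
    visitor reaches the file the server will parse.
    """
    return "<p>Hi, {}: {}</p>".format(html.escape(name), html.escape(message))


# Constructed sample request fields (not taken from the thread).
SAMPLE = {
    "Referer": '<!--#include file="..." -->',
    "User-Agent": "%3C!--%23exec%20cmd%3D%22...%22%20--%3E",
    "Accept": "text/html",
}

if __name__ == "__main__":
    print(audit_request(SAMPLE))
    print(render_entry(SAMPLE["Referer"], "nice site"))
```

Escaping at the point of output is the control that matters here; the audit function is only for logging and alerting on attempts.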
