Bwapp----server-side includes (SSI) injection

Source: Internet
Author: User
Tags button type time and date

Server-side includes (SSI) injection

What is SSI and SSI injection

SSI is an abbreviation for the English server Side includes, translated into Chinese is the server side of the meaning of the inclusion. Technically speaking, SSI is a command or pointer that can be invoked in an HTML file by a comment line. SSI has powerful features that allow for the entire site to be updated, dynamically displayed in time and date, and complex functions such as executing shell and CGI scripts, with a simple SSI command. SSI can be called the best helper for Web developers who are short of money, time-strapped, and heavy-workload. This article will mainly combine Apache server to introduce the use of SSI.

PS: (server-side includes) server-side inclusion provides a way to add dynamic content to existing HTML documents. Both Apache and IIS can be configured to support SSI, and the server executes the SSI tag in the Web page content before the page content is returned to the user. In many scenarios, user-entered content can be displayed in the page, such as a reflection XSS vulnerability in the page, if the input payload is not XSS code but SSI's label, the server also opened SSI support, there will be an SSI vulnerability

Enter form, after lookup

Core code

1<div id= "Main" >2 34 5<p>what is your IP address? Lookup Your IP address ... (<a href= "" target= "_blank" >bee-box</a> only) < /p>6 7<form action= "<?php Echo ($_server["Script_name"]);? > "method=" POST ">8 9<p><label for= "FirstName" >first name:</label><br/>//firstname FormTen<input type= "text" id= "FirstName" name= "FirstName" ></p> One  A<p><label for= "LastName" >last name:</label><br/>//lastname Form -<input type= "text" id= "LastName" Name= "LastName" ></p> -  the<button type= "Submit" name= "form" value= "Submit" >Lookup</button> -  -</form> -  +<br/> -<?PHP +  A     if($field _empty= = 1)//php here just to determine if there is an input at     { -  -         Echo"<font color=\" red\ ">please enter both fields...</font>"; -  -     } -  in     Else -     { to  +         Echo""; -  the     } *  $?>Panax Notoginseng  -</div>

Protection Code

1 $field _empty= 0;2 3 functionXss$data)                                                4 {5 6     Switch($_cookie["Security_level"])7     {8 9          Case"0":Ten  One             $data= No_check ($data); A              Break; -  -          Case"1": the  -             $data= Xss_check_4 ($data); -              Break; -  +          Case"2": -  +             $data= Xss_check_3 ($data); A              Break; at  -         default: -  -             $data= No_check ($data); -              Break; -  in     }        -  to     return $data; +  - } the  * if(isset($_post["Form"])) $ {Panax Notoginseng  -     $firstname=Ucwords(XSS ($_post["FirstName"])); Ucwords () Capitalize first letter the     $lastname=Ucwords(XSS ($_post["LastName"])); +  A     if($firstname= = "" or$lastname== "") the     { +  -         $field _empty= 1; $  $     } -  -     Else the     { - Wuyi         $line= ' <p>hello '.$firstname. ‘ ‘ .$lastname. ', </p><p>your IP address is: '. ' </p>; the  -         //writes a new line to the file Wu         $fp=fopen("Ssii.shtml", "W"); -         fputs($fp,$line, 200); About         fclose($fp); $  -         Header("Location:ssii.shtml"); -  -         Exit; A  +     } the  - } $  the?>


Low level, no protection


You can also construct this payload.

<[email protected] var = "Documen_name"-

can also be constructed as exec


function xss_check_4 ($data) {  //  addslashes-returns a string with Backslashes before characters that need to being quoted in database queries etc.//These characters is single quote ('), do Uble quote ("), backslash (\) and NUL (the NULL byte). Do not use the this for XSS or HTML validations!!!  return addslashes ($data);          }
addslashes() with a backslash in front of the symbol


1 functionXss_check_3 ($data,$encoding= "UTF-8")2 {3 4     //Htmlspecialchars-converts special characters to HTML entities5 //' & ' (ampersand) becomes ' &amp; '6 //' "' (double quote) becomes ' &quot; ' when ent_noquotes are not set7 //"'" (single quote) becomes ' & #039; ' (or &apos;) only if Ent_quotes is set8 //' < ' (less than) becomes ' &lt; '9 //' > ' (greater than) becomes ' &gt; ' Ten      One     return Htmlspecialchars($data, Ent_quotes,$encoding); A         -}

To replace a predefined character with an HTML entity character

Bwapp----server-side includes (SSI) injection

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.