bWAPP: Server-side includes (SSI) injection
What is SSI and SSI injection
SSI stands for Server Side Includes. Technically, an SSI directive is a command placed in an HTML file inside a comment-like tag of the form <!--#directive attribute="value" -->, which the web server evaluates before the page is sent to the client. With a single short directive a site can pull a shared fragment into every page, print the current date and time, or run shell commands and CGI scripts, which is why SSI has long been popular with developers short on time and budget. This article uses the Apache server to describe how SSI is used and abused.
PS: Server-side includes provide a way to add dynamic content to existing HTML documents. Both Apache and IIS can be configured to support SSI; the server evaluates the SSI tags in the page before the content is returned to the user. Many applications echo user-supplied input back into the page, as in a reflected XSS bug. If the payload submitted there is not JavaScript but an SSI directive, and the server has SSI enabled for that page, the server executes the directive: that is an SSI injection vulnerability.
The page presents an input form; after Lookup it shows the result (screenshots not reproduced here).
Core code
<div id="main">

    <p>What is your IP address? Lookup your IP address... (<a href="http://sourceforge.net/projects/bwapp/files/bee-box/" target="_blank">bee-box</a> only)</p>

    <form action="<?php echo($_SERVER["SCRIPT_NAME"]);?>" method="POST">

        <!-- first-name field -->
        <p><label for="firstname">First name:</label><br />
        <input type="text" id="firstname" name="firstname"></p>

        <!-- last-name field -->
        <p><label for="lastname">Last name:</label><br />
        <input type="text" id="lastname" name="lastname"></p>

        <button type="submit" name="form" value="submit">Lookup</button>

    </form>

    <br />

    <?php

    // The PHP here only reports whether both fields were filled in
    if($field_empty == 1)
    {

        echo "<font color=\"red\">Please enter both fields...</font>";

    }

    else
    {

        echo "";

    }

    ?>

</div>
Protection Code
<?php

$field_empty = 0;

// Selects the input filter from the security_level cookie
function xss($data)
{

    switch($_COOKIE["security_level"])
    {

        case "0" :

            $data = no_check($data);
            break;

        case "1" :

            $data = xss_check_4($data);
            break;

        case "2" :

            $data = xss_check_3($data);
            break;

        default :

            $data = no_check($data);
            break;

    }

    return $data;

}

if(isset($_POST["form"]))
{

    // ucwords() capitalizes the first letter of each word
    $firstname = ucwords(xss($_POST["firstname"]));
    $lastname = ucwords(xss($_POST["lastname"]));

    if($firstname == "" or $lastname == "")
    {

        $field_empty = 1;

    }

    else
    {

        // The filtered names are concatenated with the SSI echo of REMOTE_ADDR
        // that Apache evaluates to print the visitor's IP address
        $line = '<p>Hello ' . $firstname . ' ' . $lastname . ',</p><p>Your IP address is: ' . '<!--#echo var="REMOTE_ADDR" -->' . '</p>';

        // Writes a new line to the file (only the first 200 bytes)
        $fp = fopen("ssii.shtml", "w");
        fputs($fp, $line, 200);
        fclose($fp);

        header("Location: ssii.shtml");

        exit;

    }

}

?>
1.low
At the low level there is no protection: both fields pass through no_check(), so an XSS payload is written into ssii.shtml unchanged, and so is an SSI directive. For example, this payload entered in the first-name field makes Apache print the name of the current document when ssii.shtml is served:
<!--#echo var="DOCUMENT_NAME" -->
An exec directive can be built the same way, for example <!--#exec cmd="ls" -->, which runs a shell command on the server. Whether exec works depends on the Apache configuration: Options IncludesNOEXEC enables SSI but disables the exec directive, while Options Includes allows it.
2.medium
function xss_check_4($data)
{

    // addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc.
    // These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
    // Do NOT use this for XSS or HTML validations!!!

    return addslashes($data);

}
addslashes() only puts a backslash in front of the single quote, double quote, backslash and NUL byte. As the comment in the code itself says, it is meant for quoting database input, not for HTML or SSI output: the double quotes in the directive become \", but the <!--#echo ... --> tag is otherwise written into ssii.shtml unchanged.
3.high
function xss_check_3($data, $encoding = "UTF-8")
{

    // htmlspecialchars - converts special characters to HTML entities
    // '&' (ampersand) becomes '&amp;'
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or &apos;) only if ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'

    return htmlspecialchars($data, ENT_QUOTES, $encoding);

}
htmlspecialchars() with ENT_QUOTES replaces the predefined characters &, <, >, " and ' with HTML entities, so a submitted <!--#echo ... --> arrives in ssii.shtml as &lt;!--#echo ... --&gt; and Apache no longer sees an SSI directive.
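The three levels compared, as an added example that is not part of bWAPP or of the original article. The script re-implements no_check(), addslashes(), htmlspecialchars() and ucwords() in Python from their PHP documentation (an assumption about their behaviour, not PHP itself), builds the line ssii.php writes to ssii.shtml, and scans it for Apache SSI directives, so that you can see which level actually removes the injected directive from the file. The DOCUMENT_NAME payload and the name "alice" are constructed inputs.

```python
import html
import re

# Added example, not bWAPP's own code. addslashes(), htmlspecialchars() and
# ucwords() are re-implemented from their PHP documentation (assumption: only
# the documented characters are changed).

# Constructed inputs: the DOCUMENT_NAME payload from the text and a harmless name.
SSI_PAYLOAD = '<!--#echo var="DOCUMENT_NAME" -->'
BENIGN_NAME = "alice"

# Apache mod_include directives that may appear in an injected string.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(echo|exec|include|config|set|printenv|fsize|flastmod|if|elif|else|endif)\b",
    re.IGNORECASE,
)


def no_check(data):
    """Level low: input passes through untouched."""
    return data


def addslashes(data):
    """Level medium: PHP addslashes(), a backslash before ', ", \\ and NUL only."""
    return "".join(("\\" + ch) if ch in "'\"\\\x00" else ch for ch in data)


def htmlspecialchars(data):
    """Level high: PHP htmlspecialchars($data, ENT_QUOTES); & < > " ' become entities."""
    return html.escape(data, quote=True)  # PHP emits &#039; for ', Python &#x27;; same effect


def ucwords(data):
    """PHP ucwords(): upper-case the first letter of each whitespace-delimited word."""
    return re.sub(r"(^|[ \t\r\n\f\v])([a-z])", lambda m: m.group(1) + m.group(2).upper(), data)


FILTERS = {"0": no_check, "1": addslashes, "2": htmlspecialchars}


def filter_input(data, security_level):
    """What ssii.php stores for one field: ucwords(xss($_POST[...])) at the given level."""
    xss = FILTERS.get(security_level, no_check)  # unknown level falls back to no_check, as in bWAPP
    return ucwords(xss(data))


def render_line(firstname, lastname, security_level):
    """The line ssii.php writes to ssii.shtml; the REMOTE_ADDR echo is the intended directive."""
    first = filter_input(firstname, security_level)
    last = filter_input(lastname, security_level)
    return ('<p>Hello ' + first + ' ' + last + ',</p>'
            '<p>Your IP address is: <!--#echo var="REMOTE_ADDR" --></p>')


def ssi_directives(text):
    """Names of all SSI directives Apache would evaluate in the given .shtml content."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def injected_directives(firstname, lastname, security_level):
    """Directives contributed by the user-controlled fields alone."""
    return (ssi_directives(filter_input(firstname, security_level))
            + ssi_directives(filter_input(lastname, security_level)))


if __name__ == "__main__":
    for level, name in (("0", "low"), ("1", "medium"), ("2", "high")):
        line = render_line(SSI_PAYLOAD, BENIGN_NAME, level)
        print(f"{name:6} -> {line}")
        print(f"          injected directives: {injected_directives(SSI_PAYLOAD, BENIGN_NAME, level)}")
```

Run it directly to print the line each level would write. The medium level still writes a <!--#echo ... --> tag, only with \" around DOCUMENT_NAME, so the directive scanner still flags it; the high level writes &lt;!--#echo ... --&gt;, which Apache does not parse as a directive, and only the legitimate REMOTE_ADDR echo remains.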