Server-Side Includes (SSI) Injection
What are SSI and SSI injection
SSI is short for Server Side Includes. Technically, SSI is a set of commands or directives that can be invoked from comment lines inside an HTML file. SSI is powerful: a single SSI command can refresh content across a whole site, display the time and date dynamically, and even run shell commands and CGI scripts. SSI can fairly be called the best helper for web developers who are short on budget and time and heavy on workload. This article introduces SSI mainly in the context of the Apache server.
PS: Server-side Includes provide a way to add dynamic content to existing HTML documents. Both Apache and IIS can be configured to support SSI; before page content is returned to the user, the server executes the SSI tags it contains. In many situations user input is displayed in the page, for example a page with a reflected XSS vulnerability. If the input is not XSS code but an SSI tag, and the server has SSI support enabled, an SSI injection vulnerability exists.
The input form, and the page shown after Lookup:
Core code
<div id="main">

    <h1>Server-Side Includes (SSI) Injection</h1>

    <p>What is your IP address? Lookup your IP address... (<a href="http://sourceforge.net/projects/bwapp/files/bee-box/" target="_blank">bee-box</a> only)</p>

    <form action="<?php echo($_SERVER["SCRIPT_NAME"]);?>" method="POST">

        <!-- firstname field -->
        <p><label for="firstname">First name:</label><br />
        <input type="text" id="firstname" name="firstname"></p>

        <!-- lastname field -->
        <p><label for="lastname">Last name:</label><br />
        <input type="text" id="lastname" name="lastname"></p>

        <button type="submit" name="form" value="submit">Lookup</button>

    </form>

    <br />
    <?php

    if($field_empty == 1) // this PHP only checks whether both fields were filled in
    {

        echo "<font color=\"red\">Please enter both fields...</font>";

    }

    else
    {

        echo "";

    }

    ?>

</div>
Protection code
<?php

$field_empty = 0;

// no_check(), xss_check_4() and xss_check_3() are defined elsewhere in bWAPP;
// the medium and high ones are quoted below.
function xss($data)
{

    switch($_COOKIE["security_level"])
    {

        case "0" :

            $data = no_check($data);
            break;

        case "1" :

            $data = xss_check_4($data);
            break;

        case "2" :

            $data = xss_check_3($data);
            break;

        default :

            $data = no_check($data);
            break;

    }

    return $data;

}

if(isset($_POST["form"]))
{

    $firstname = ucwords(xss($_POST["firstname"])); // ucwords() capitalizes the first letter of each word
    $lastname = ucwords(xss($_POST["lastname"]));

    if($firstname == "" or $lastname == "")
    {

        $field_empty = 1;

    }

    else
    {

        $line = '<p>Hello ' . $firstname . ' ' . $lastname . ',</p><p>Your IP address is:' . '</p><h1><!--#echo var="REMOTE_ADDR" --></h1>';

        // Writes a new line to the file
        $fp = fopen("ssii.shtml", "w");
        fputs($fp, $line, 200);
        fclose($fp);

        header("Location: ssii.shtml");

        exit;

    }

}

?>
1. low
At the low level there is no protection.
XSS works,
and a payload like this can also be constructed:
<!--#echo var="DOCUMENT_NAME" -->
An exec directive can be constructed in the same way.
2. medium
function xss_check_4($data)
{

    // addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc.
    // These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
    // Do NOT use this for XSS or HTML validations!!!

    return addslashes($data);

}
addslashes() only puts a backslash in front of the characters listed above.
3. high
function xss_check_3($data, $encoding = "UTF-8")
{

    // htmlspecialchars - converts special characters to HTML entities
    // '&' (ampersand) becomes '&amp;'
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'

    return htmlspecialchars($data, ENT_QUOTES, $encoding);

}
Converts the predefined characters to HTML entities.
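To make concrete why the medium filter fails and the high filter works, here is an added example; it is my own code, not part of bWAPP or of this post. It reimplements the three levels as plain functions (assuming bWAPP's no_check() returns its input unchanged, and using xss_check_4() and xss_check_3() exactly as quoted above), pushes a constructed input containing the same echo directive as the low-level payload through each of them, builds the greeting line the way ssii.php does, and checks whether the "<!--#" marker that Apache's mod_include looks for is still present. The sample inputs and the contains_ssi_directive() helper are mine.

```php
<?php
// Added example, not bWAPP's own code: run a constructed input through the
// three bWAPP filter levels and see whether an SSI directive survives.

// Constructed sample inputs: a plain name and the echo directive from the post.
const SAMPLE_INPUTS = [
    'Alice',
    '<!--#echo var="DOCUMENT_NAME" -->',
];

// The three levels as plain functions. Assumption: bWAPP's no_check() returns
// its argument unchanged; xss_check_4() and xss_check_3() are as quoted above.
function filter_low(string $data): string    { return $data; }
function filter_medium(string $data): string { return addslashes($data); }
function filter_high(string $data): string   { return htmlspecialchars($data, ENT_QUOTES, 'UTF-8'); }

// Apache's mod_include starts parsing a directive at the literal "<!--#".
// If that marker is still present after filtering, whatever is written to
// ssii.shtml is handed to the SSI parser. This is a defender's pre-write
// check of my own (deliberately a little over-broad: it also flags
// whitespace variants), not something bWAPP ships.
function contains_ssi_directive(string $s): bool
{
    return preg_match('/<!--\s*#\s*[a-z]+/i', $s) === 1;
}

// Build the greeting line the way ssii.php does (ucwords() left out so the
// effect of each filter is easier to read).
function build_line(string $firstname): string
{
    return '<p>Hello ' . $firstname . ',</p>';
}

$levels = [
    'low'    => 'filter_low',
    'medium' => 'filter_medium',
    'high'   => 'filter_high',
];

foreach (SAMPLE_INPUTS as $input) {
    echo "input: $input\n";
    foreach ($levels as $level => $fn) {
        $line = build_line($fn($input));
        printf("  %-6s -> %-55s directive survives: %s\n",
               $level, $line, contains_ssi_directive($line) ? 'yes' : 'no');
    }
}
```

Save it as any .php file and run it with the php CLI. For the directive input, the low and medium lines both still contain "<!--#echo" (addslashes only escapes the two double quotes, turning them into \"), so a line like that written to ssii.shtml is still parsed by mod_include; at the high level "<" and ">" become "&lt;" and "&gt;", and the browser renders the directive as plain text. Independently of input filtering, Apache's Options IncludesNOEXEC keeps SSI enabled while disabling the exec directive, which is the server-side mitigation for the exec case mentioned under the low level.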