
bWAPP----Server-Side Includes (SSI) Injection


Server-Side Includes (SSI) Injection

What are SSI and SSI injection?

SSI is the abbreviation of Server Side Includes, which translates into Chinese as "server-side include". Technically, SSI consists of commands or directives that are invoked from comment lines inside an HTML file. SSI is powerful: with a single SSI command you can update the content of an entire site, display the time and date dynamically, and run shell and CGI scripts. SSI can fairly be called the best helper for web developers who are short on funds, pressed for time and overloaded with work. This article introduces SSI usage mainly in the context of the Apache server.

PS: Server-Side Includes provide a way to add dynamic content to existing HTML documents. Both Apache and IIS can be configured to support SSI; before the page content is returned to the user, the server executes the SSI tags contained in it. In many scenarios user input is displayed in the page, for example a page with a reflected XSS vulnerability. If the payload entered is not XSS code but an SSI tag, and the server has SSI support enabled, then an SSI vulnerability exists.

The input form, and the result after Lookup:

Core code

```php
<div id="main">

    <h1>Server-Side Includes (SSI) Injection</h1>

    <p>What is your IP address? Lookup your IP address... (<a href="http://sourceforge.net/projects/bwapp/files/bee-box/" target="_blank">bee-box</a> only)</p>

    <form action="<?php echo($_SERVER["SCRIPT_NAME"]);?>" method="POST">

        <p><label for="firstname">First name:</label><br /> <!-- firstname field -->
        <input type="text" id="firstname" name="firstname"></p>

        <p><label for="lastname">Last name:</label><br /> <!-- lastname field -->
        <input type="text" id="lastname" name="lastname"></p>

        <button type="submit" name="form" value="submit">Lookup</button>

    </form>

    <br />
    <?php

    if($field_empty == 1) // this PHP only checks whether both fields were filled in
    {

        echo "<font color=\"red\">Please enter both fields...</font>";

    }

    else
    {

        echo "";

    }

    ?>

</div>
```

Protection code

```php
<?php

$field_empty = 0;

function xss($data)
{

    switch($_COOKIE["security_level"])
    {

        case "0" :

            $data = no_check($data);
            break;

        case "1" :

            $data = xss_check_4($data);
            break;

        case "2" :

            $data = xss_check_3($data);
            break;

        default :

            $data = no_check($data);
            break;

    }

    return $data;

}

if(isset($_POST["form"]))
{

    $firstname = ucwords(xss($_POST["firstname"]));   // ucwords() capitalises the first letter of each word
    $lastname = ucwords(xss($_POST["lastname"]));

    if($firstname == "" or $lastname == "")
    {

        $field_empty = 1;

    }

    else
    {

        $line = '<p>Hello ' . $firstname . ' ' . $lastname . ',</p><p>Your IP address is:' . '</p><h1><!--#echo var="REMOTE_ADDR" --></h1>';

        // Writes a new line to the file
        $fp = fopen("ssii.shtml", "w");
        fputs($fp, $line, 200);
        fclose($fp);

        header("Location: ssii.shtml");

        exit;

    }

}

?>
```

1. Low

At the low level there is no protection.

XSS is possible.

A payload like this can also be constructed:

<!--#echo var="DOCUMENT_NAME" -->

An exec directive can also be constructed.

2. Medium

```php
function xss_check_4($data)
{

    // addslashes - returns a string with backslashes before characters that need to be quoted in database queries etc.
    // These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
    // Do NOT use this for XSS or HTML validations!!!

    return addslashes($data);

}
```

addslashes() puts a backslash before those characters.

3. High

```php
function xss_check_3($data, $encoding = "UTF-8")
{

    // htmlspecialchars - converts special characters to HTML entities
    // '&' (ampersand) becomes '&amp;'
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'

    return htmlspecialchars($data, ENT_QUOTES, $encoding);

}
```

Converts the predefined characters into HTML entities.
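To make the three levels concrete, here is an added Python model (not bWAPP's own code) of what each filter does to a directive-shaped first name before it is written to ssii.shtml, with a simplified check for the `<!--#` opener that mod_include looks for. The `SSI_DIRECTIVE` regex, the `ucwords` approximation and the helper names are my own assumptions.

```python
import html
import re

# mod_include starts a directive only at a literal '<!--#'; everything else
# is plain HTML. Constructed, simplified matcher used for this check.
SSI_DIRECTIVE = re.compile(r'<!--#\s*(\w+)')

def ucwords(s):
    """PHP ucwords(), simplified: upper-case the first char of each space-separated word."""
    return ' '.join(w[:1].upper() + w[1:] for w in s.split(' '))

def no_check(data):
    """security_level 0 (and default): value written to ssii.shtml unchanged."""
    return data

def xss_check_4(data):
    """security_level 1: PHP addslashes() - backslash before ' " \\ and NUL only."""
    return (data.replace('\\', '\\\\').replace("'", "\\'")
                .replace('"', '\\"').replace('\x00', '\\0'))

def xss_check_3(data):
    """security_level 2: htmlspecialchars($data, ENT_QUOTES, 'UTF-8').
    html.escape emits ' as &#x27; where PHP emits &#039;; same entity."""
    return html.escape(data, quote=True)

FILTERS = {"0": no_check, "1": xss_check_4, "2": xss_check_3}

def build_line(firstname, lastname, level):
    """The $line bWAPP writes to ssii.shtml for the given security_level cookie."""
    check = FILTERS.get(level, no_check)
    first, last = ucwords(check(firstname)), ucwords(check(lastname))
    return ('<p>Hello ' + first + ' ' + last + ',</p><p>Your IP address is:</p>'
            '<h1><!--#echo var="REMOTE_ADDR" --></h1>')

def injected_directives(line):
    """Directive names mod_include would parse from the user-controlled part
    of the line (everything before the page's own REMOTE_ADDR echo)."""
    user_part = line[:line.rindex('<!--#echo var="REMOTE_ADDR"')]
    return SSI_DIRECTIVE.findall(user_part)

if __name__ == '__main__':
    payload = '<!--#echo var="DOCUMENT_NAME" -->'   # the directive from the post
    for level in '012':
        line = build_line(payload, 'Bee', level)
        print('level', level, '-> injected directives:', injected_directives(line))
```

Levels 0 and 1 both leave `echo` in the user-controlled part, because addslashes() touches none of `<`, `!`, `-` or `#`; only level 2 turns `<` into `&lt;` and so leaves mod_include nothing to parse.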
