
Server Side Includes Vulnerability - SSI SCAN [TOOL]



SSI-Scan is a basic PoC tool that helps facilitate the discovery of SSI injection vulnerabilities, a fairly rare and underdocumented code injection vulnerability where Server Side Includes directives are executed without proper validation and may lead to a system compromise.

At this stage the tool supports, among its core functionality, basic server enumeration, web form enumeration, HTML comment and SSI directive discovery, extension checking, logging scans to a file, and connecting to the host via an HTTP proxy.
SSI-Scan currently discovers vulnerabilities in one of two ways: the default method of sending a hardcoded SSI payload encapsulated within an HTTP POST request, or the manual method of injecting the username and password form fields through their respective switches. In both cases it looks for environment variable matches in the returned source. Before using this tool, it is recommended that you learn more about SSI injection from the following resources:

https://www.owasp.org/index.php/Server-Side_Includes_(SSI)_Injection
http://capec.mitre.org/data/definitions/101.html
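The payload-and-response check described above has a defensive counterpart: the same `<!--#` directive syntax can be spotted in request logs and neutralized by output encoding before it reaches an SSI-processed page. The following is an added example, not part of SSI-Scan or this post; the log lines are constructed and the function names are my own.

```python
import html
import re
from urllib.parse import unquote_plus

# Directive names that mod_include and similar SSI processors understand.
KNOWN_DIRECTIVES = {"echo", "printenv", "include", "exec", "config", "set",
                    "fsize", "flastmod", "if", "elif", "else", "endif"}
# An SSI directive opens with "<!--#"; whitespace around "#" is tolerated.
SSI_RE = re.compile(r"<!--\s*#\s*([a-z]+)", re.IGNORECASE)
# Request line of a common/combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')

def find_ssi_directives(text):
    """Return SSI directive names present in `text` after URL-decoding it.
    Decoding is repeated so double-encoded payloads are caught as well."""
    decoded = text
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return [m.lower() for m in SSI_RE.findall(decoded) if m.lower() in KNOWN_DIRECTIVES]

def suspicious_log_lines(log_text):
    """Scan access-log lines; return (line_number, directives) for requests whose
    target carries an SSI directive. Only the URL is visible here; POST bodies
    need application-level logging to be checked the same way."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        found = find_ssi_directives(m.group(1))
        if found:
            hits.append((lineno, found))
    return hits

def encode_for_ssi_page(user_input):
    """HTML-encode untrusted input before writing it into a page the server
    post-processes for SSI: once '<' is '&lt;' no '<!--#' remains to act on."""
    return html.escape(user_input, quote=True)

# Constructed sample log (not real traffic). Line 2 mirrors the post's method of
# placing an environment-variable echo in a request; line 3 is double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2013:10:01:02 +0000] "GET /index.shtml?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2013:10:01:07 +0000] "POST /login.shtml?user=%3C!--%23echo+var%3D%22DOCUMENT_ROOT%22+--%3E HTTP/1.1" 200 734
10.0.0.9 - - [12/May/2013:10:01:09 +0000] "GET /search.shtml?q=%253C!--%2523printenv+--%253E HTTP/1.1" 200 690
"""

if __name__ == "__main__":
    for lineno, names in suspicious_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: SSI directive(s) {names}")
```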

BASIC USAGE:

Starting the tool without any parameters will yield the list of arguments and what they do.



Basic scanning is done via the -u option, e.g.:



If the default POST payload doesn't work (as in the example above), the tool will display a recommendation that you specifically target the forms with the --form_uname and --form_passwd switches. This will skip most of the other enumeration functions.

For example:



The page has now clearly been proven to be injection positive. It is up to the user to manually research further into it, as SSI-Scan is not yet an exploitation tool, but likely will be in the near future.

ADVANCED USAGE:

The --logtofile <FILENAME_HERE> switch can be used to log scans to a file. Since it works by redirecting sys.stdout to a new variable, all output will be hidden for the duration of a scan, apart from a "Log mode enabled" message.

The output can then be viewed from the specified file. The --proxy <IP:PORT> switch can be used to conduct a scan through an HTTP proxy (note that this can be substantially slower depending on the proxy). A message displaying "Using proxy server at <IP address:port>" will appear at the top.

--listvars is a placeholder switch that displays a partial list of SSI/CGI environment variables for informative purposes and potential future use.


1 comment:

Anonymous said...

This tool can be downloaded from GitHub. Be sure to have the BeautifulSoup4 and mechanize libraries installed for Python.


RHA © 2013. All Rights Reserved.