Server Side Includes Vulnerability - SSI SCAN [TOOL]


SSI-Scan is a basic PoC tool that helps facilitate the discovery of SSI injection vulnerabilities, a fairly rare and underdocumented code injection vulnerability where Server Side Includes directives are executed without proper validation and may lead to a system compromise.

The tool at this stage, among its core functionality, supports basic server enumeration, web form enumeration, HTML comment and SSI directive discovery, extension checking, logging scans to a file and connection to host via HTTP proxy.
SSI-Scan discovers vulnerabilities so far by two ways: the default method of sending a hardcoded SSI payload encapsulated within an HTTP POST request, or the manual method of injecting username and password forms through their respective switches. In both cases, it looks for environment variable matches in the source. Before using this tool, it is recommended you learn more about SSI injection from the following resources:

https://www.owasp.org/index.php/Server-Side_Includes_(SSI)_Injection
http://capec.mitre.org/data/definitions/101.html

BASIC USAGE:

Starting the tool without any parameters will yield the list of
arguments and what they do.



Basic scanning is done via the -u option, e.g



If the default POST payload doesn't work (as in above), the tool will display a recommendation that you specifically target the forms with the --form_uname and --form_passwd switches. This will skip most of the
other enumeration functions.

For example:



The page has now clearly been proven to be injection positive. It is up to the user to manually research further into it, as SSI-Scan is not yet an exploitation tool, but likely will be in the near future.

ADVANCED USAGE:

The --logtofile switch can be used to log scans to a file. Since it works by redirecting sys.stdout to a new variable, all output will be hidden during the duration of a scan, minus a "Log mode enabled" message.

The output can then be viewed from the specified file. The --proxy switch can be used to conduct a scan through an HTTP proxy (note that this can be substantially slower depending on the
proxy). A message displaying "Using proxy server at "will appear on top.

--listvars is a placeholder switch that displays a partial list of SSI/CGI environment variables for informative purposes and potential future use.