Let's think about Server Side Include (SSI) first.
With a Server Side Include vulnerability, we can inject a malicious payload that gets written into a file hosted on the server.
For example:
$file = 'server_file.php';
In this example code, our injected payload will be saved in server_file.php. That file is a PHP file, so we can inject PHP code easily.
<?php echo `ls`; ?>
What happened in server.php?
This is the normal case for SSI injection. OK, if the server file is not PHP, let's take a look.
$file = 'server_file.html';
In this situation, we can’t inject PHP code into an HTML file. So what?
Does it work? Sure.
But if we need to inject PHP to get RCE, we have another option.
Suppose the web application also has a Local File Inclusion (LFI), but under conditions where we are not allowed to view “/proc/self/environ” or log files, there is no file upload, PHP wrappers are not supported, and so on.
So what can we do? Accessing the SSI file to execute PHP code, maybe.
Let's call server_file.html from the LFI side.
OK. That was a way of thinking about exploiting SSI from LFI. Now we will think about LFI the way we thought about SSI injection.
Now we have a site vulnerable to LFI.
Assume there is no “/proc/self/environ” and no log poisoning; only a PHP wrapper works.
It did not work here.
We can’t download anything using shell_exec(), exec(), passthru(), etc.
But we can execute PHP functions. Time to think about SSI again: which PHP functions can create a file?
file_put_contents()? Yeah, sure.
$file = 'lunam00n.php';
file_put_contents($file, "<?php echo `ls -al`;?>", FILE_APPEND | LOCK_EX);
You can use this as an uploader instead.
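Seen from the defender's side, the chain above (user input written into a server-side file, then that file reached through a file inclusion) can be broken at both steps. The following is an added example, not code from this article: the function names, the page map and the pages directory are assumptions.

```php
<?php
// Added example. PAGE_DIR, PAGES and the function names are assumptions.

const PAGE_DIR = __DIR__ . '/pages';

// Request values mapped to fixed files. Anything not listed is rejected, so
// traversal sequences and wrapper URLs never reach a filesystem call.
const PAGES = [
    'home'     => 'home.html',
    'comments' => 'server_file.html',
];

// Step 1: store user input as inert text. The "<" of a PHP opening tag is
// written as "&lt;", so the stored file contains no executable tag.
function save_comment(string $input, string $file): void
{
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    file_put_contents($file, $safe . "\n", FILE_APPEND | LOCK_EX);
}

// Step 2: resolve the request parameter through the allowlist only.
function resolve_page(string $name): ?string
{
    if (!array_key_exists($name, PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . PAGES[$name];
}

// Serve static pages without handing them to the PHP interpreter.
function render_page(string $name): bool
{
    $path = resolve_page($name);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        return false;
    }
    // readfile() copies bytes to the output. include would execute any PHP
    // tag in the file, whatever its extension, which is what makes an
    // included .html file dangerous.
    readfile($path);
    return true;
}

// Constructed request handling, e.g. ?page=comments
$page = $_GET['page'] ?? 'home';
render_page(is_string($page) ? $page : '');
```

Restricting write access of the web server user to the document root closes the file_put_contents() route as well, since the written file then cannot land where it would be served or included.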
Thanks for reading xD
Actually, you can find many LFI or SSI tutorials and articles on the web. I don’t know what should be the reference, because there are so many tutorials and articles out there. This is my article on the concepts of File Inclusion (Local and Server).