ZIP slip vulnerability
Today a workmate shared with me a vulnerability called kingdee-Apusic-deployApp-upload. In this vuln, I found that the request body is a zip file, but my attempts to modify this zip file in the request body were not successful. Finally, I found that this vuln is called zip-slip.
Directory traversal
I believe every cyber security programmer knows about the directory traversal vulnerability. It lets an attacker bypass the application's access control by inserting ../ into a path: each ../ segment steps out of the intended directory, so files in other directories can be downloaded, read or written.
Zip slip
Zip slip is a type of directory traversal vulnerability. An attacker uploads a crafted zip file whose entry names contain ../; when the application extracts the archive, the entry is written to a directory of the attacker's choosing.
How to create a zip file with zip slip? I found this code on zhihu:
import zipfile

# the name of the malicious file that will be placed in the archive (must exist on disk)
fname = 'sec_test.txt'
# destination path of the file inside the archive: the leading ../ components make the
# entry resolve outside the extraction directory when a naive extractor joins the paths
# the name of the zip file to generate is out.zip; the with block closes it properly
with zipfile.ZipFile('out.zip', 'w') as zf:
    zf.write(fname, '../../../../../../../../../../../../../../../../../../../../../../../../tmp/sec_test.tmp')
This code creates a zip file named out.zip. If we upload it to a web application that extracts uploaded archives without checking entry names, the entry is written outside the extraction directory, into the directory chosen in the entry name.
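The defensive counterpart, covering both the plain ../ traversal check and the zip-slip case described above, is to resolve every archive entry against the intended extraction directory and reject any entry that lands outside it. The following is an added example, not code from the original post or from the zhihu source; the archive it inspects is constructed inline, and the function names (is_safe_member, safe_extract, build_sample_zip, demo) are my own.

```python
import io
import os
import tempfile
import zipfile


def is_safe_member(dest_dir, member_name):
    """Return True only if member_name, joined to dest_dir, still resolves inside dest_dir."""
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, member_name))
    # commonpath is the robust containment test; a plain startswith() check would
    # wrongly accept /srv/uploads_evil when the root is /srv/uploads
    return os.path.commonpath([dest_root, target]) == dest_root


def safe_extract(zip_bytes, dest_dir):
    """Extract only members that resolve inside dest_dir; return (extracted, rejected) names."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # absolute paths and ../ escapes are both rejected before anything is written
            if os.path.isabs(name) or not is_safe_member(dest_dir, name):
                rejected.append(name)
                continue
            zf.extract(info, dest_dir)
            extracted.append(name)
    return extracted, rejected


def build_sample_zip():
    """Constructed sample archive: one benign entry, one ../ entry, one absolute-path entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        # writestr() keeps the entry name as given, so the ../ segments survive
        zf.writestr("../../../../tmp/sec_test.tmp", "would escape the extraction directory\n")
        zf.writestr("/etc/cron.d/absolute", "absolute path entry\n")
    return buf.getvalue()


def demo():
    """Run the check end to end in a scratch directory; returns (extracted, rejected, readme_present)."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_sample_zip(), dest)
        readme_present = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
    return extracted, rejected, readme_present


if __name__ == "__main__":
    extracted, rejected, readme_present = demo()
    print("extracted:", extracted)
    print("rejected: ", rejected)
    print("benign file written:", readme_present)
```

Python's own ZipFile.extract() already strips leading slashes and .. components from entry names, so the check above mainly matters for code that builds the output path itself (for example open(os.path.join(dest, name), 'wb') after reading the entry), which is the pattern that makes extraction code in many languages vulnerable. Resolving with realpath on both sides also keeps the check correct when the extraction directory is itself a symlink.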
《ZIP slip vulnerability》 link: https://xdym11235.com/archives/301.html