The Zip Slip vulnerability stems from the unsafe extraction of compressed archives within applications. It occurs when software trusts the file paths stored inside an archive and uses them as-is while extracting. Because an entry name can contain directory traversal sequences such as ‘../’, an attacker who controls the archive can write files outside the intended extraction directory. In practice, Zip Slip allows a malicious actor to overwrite arbitrary files the application can write to, including critical system or application files, and thereby compromise the application.
In this article we will explore the Zip Slip vulnerability using a deliberately vulnerable Zip Slip machine.
The machine is available in this GitHub repository, which also explains how to run the project.
After installing the machine, we will dig into the vulnerability.
Once the website is installed, it appears as follows.
As seen in the screenshot above, there is a ‘File Upload’ button. Clicking on this button opens a modal containing a file upload form.
At this step, we need to upload any zip file to the system. To create a zip file, follow the steps shown in the screenshot below.
After this step, we upload file.zip.
Now, we need to create a zip file that triggers the vulnerability.
In the screenshot above, a file named ‘bash.sh’ is created under the ‘tmp’ directory and some data is written into it. Afterward, a zip file named ‘zipslip.zip’ is created from this file.
The zip file has been uploaded as shown in the screenshot below.
To further exploit the vulnerability, we can modify the content of the ‘index.html’ file. For this, we first need to appropriately create the ‘index.html’ file.
After this step, we’ll notice that the homepage of the site has changed.
During the creation of the malicious payload, we used the ‘../index.html’ entry name because the ‘index.html’ file is located in the project’s root directory, while the zip files are extracted into the ‘uploads’ folder. By using a directory traversal payload, we were able to write our file one level up, into the root directory. However, attempting to write a file to the root directory without knowing the project’s file structure could simply fail or, conversely, overwrite something unintended and be extremely dangerous.
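The fix for the flaw demonstrated above is to resolve every entry name against the extraction directory and refuse any entry that lands outside it. The following Python extractor is an added example written for this article, not code from the vulnerable machine's repository; the archive it builds is constructed inline and reuses the ‘tmp/bash.sh’ and ‘../index.html’ entry names from the walkthrough.

```python
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path


def safe_extract(archive_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract an archive only into `dest`; return (written, rejected) member names.

    Each member name is resolved against the destination and must stay inside
    it. This is exactly the check a Zip Slip-vulnerable extractor omits.
    """
    dest_path = Path(dest).resolve()
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            # resolve() collapses "../" segments; an absolute member name would
            # replace dest_path entirely, so it is rejected by the same test.
            target = (dest_path / info.filename).resolve()
            if target != dest_path and dest_path not in target.parents:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tmp/bash.sh", "echo constructed sample\n")
        zf.writestr("../index.html", "<h1>constructed sample</h1>")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Run the hardened extractor on the sample in a fresh temporary directory."""
    return safe_extract(build_sample_archive(), tempfile.mkdtemp())


if __name__ == "__main__":
    print(demo())  # (['tmp/bash.sh'], ['../index.html'])
```

A logging call where entries are rejected turns this check into a detection point as well: a traversal entry in an uploaded archive is a strong signal worth alerting on.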