Zip Slip Vulnerability
2024-1-14 19:24:53 Author: infosecwriteups.com(查看原文) 阅读量:10 收藏

Serhat ÇİÇEK

InfoSec Write-ups

Zip Slip Vulnerability

The Zip Slip vulnerability revolves around the unsafe extraction of compressed files within applications. It occurs when software mishandles paths embedded within zipped archives during extraction. This flaw enables attackers to manipulate file paths, potentially leading to the extraction of sensitive files beyond the intended folders. Essentially, Zip Slip poses a risk by allowing malicious actors to navigate through directories, gaining access to critical system files and compromising application security.

In this article we will understand zip slip vulnerability through a vulnerable zip slip machine.

Access the machine from this GitHub repository. How to run the project is shown in the Github repository.

After installing the machine, we will deepen the vulnerability.

After the website is installed, it will appear as follows.

Zip Slip
Zip Slip

As seen in the screenshot above, there is a ‘File Upload’ button. Clicking on this button opens a modal containing a file upload form.

Zip Slip Modal

At this step, we need to add any zip file to the system. To create a zip file, we should follow the steps shown in the screenshot below.

Create zip file

After this step, we should upload file.zip file.

Zip File Upload

Now, we need to create a zip file that triggers the vulnerability.

Zip Slip Payload

In the screenshot above, a file named ‘bash.sh’ is being added under the ‘tmp’ directory. Data is being entered into this file. Afterward, a zip file named ‘zipslip.zip’ is created using this file.

The zip file has been uploaded as shown in the screenshot below

To further exploit the vulnerability, we can modify the content of the ‘index.html’ file. For this, we first need to appropriately create the ‘index.html’ file.

Vulnerable Zip Slip
Zip Slip Upload

After this step, we’ll notice that the homepage of the site has changed.

Hack by Zip Slip

During the creation of the malicious payload, we used the ‘../index.html’ statement because the ‘index.html’ file is located in the project’s root directory, and the zip files are extracted into the ‘uploads’ folder. Here, by using a directory traversal payload, we were able to write our file to the root directory. However, attempting to write a file to the root directory without knowing the file structure of the project could result in failure or, conversely, be extremely dangerous.


文章来源: https://infosecwriteups.com/zip-slip-vulnerability-064d46ca42e5?source=rss----7b722bfd1b8d---4
如有侵权请联系:admin#unsafe.sh