Skip to content

Payloads All The Things

Zip Slip

Payloads All The Things

Payloads All The Things
CONTRIBUTING
API Key Leaks
API Key Leaks
- API Key and Token Leaks
- IIS Machine Keys
Account Takeover
Account Takeover
- Account Takeover
- MFA Bypasses
Business Logic Errors
Business Logic Errors
- Business Logic Errors
CORS Misconfiguration
CORS Misconfiguration
- CORS Misconfiguration
CRLF Injection
CRLF Injection
- Carriage Return Line Feed
CSV Injection
CSV Injection
- CSV Injection
CVE Exploits
CVE Exploits
- Common Vulnerabilities and Exposures
- CVE-2021-44228 Log4Shell
Clickjacking
Clickjacking
- Clickjacking
Client Side Path Traversal
Client Side Path Traversal
- Client Side Path Traversal
Command Injection
Command Injection
- Command Injection
Cross Site Request Forgery
Cross Site Request Forgery
- Cross-Site Request Forgery
DNS Rebinding
DNS Rebinding
- DNS Rebinding
DOM Clobbering
DOM Clobbering
- DOM Clobbering
Denial of Service
Denial of Service
- Denial of Service
Dependency Confusion
Dependency Confusion
- Dependency Confusion
Directory Traversal
Directory Traversal
- Directory Traversal
File Inclusion
File Inclusion
- File Inclusion
Google Web Toolkit
Google Web Toolkit
- Google Web Toolkit
GraphQL Injection
GraphQL Injection
- GraphQL Injection
HTTP Parameter Pollution
HTTP Parameter Pollution
- HTTP Parameter Pollution
Headless Browser
Headless Browser
- Headless Browser
Hidden Parameters
Hidden Parameters
- HTTP Hidden Parameters
Insecure Deserialization
Insecure Deserialization
Insecure Direct Object References
Insecure Direct Object References
- Insecure Direct Object References
Insecure Management Interface
Insecure Management Interface
- Insecure Management Interface
Insecure Randomness
Insecure Randomness
- Insecure Randomness
Insecure Source Code Management
Insecure Source Code Management
JSON Web Token
JSON Web Token
- JWT - JSON Web Token
Java RMI
Java RMI
- Java RMI
LDAP Injection
LDAP Injection
- LDAP Injection
LaTeX Injection
LaTeX Injection
- LaTeX Injection
Mass Assignment
Mass Assignment
- Mass Assignment
Methodology and Resources
Methodology and Resources
NoSQL Injection
NoSQL Injection
- NoSQL Injection
OAuth Misconfiguration
OAuth Misconfiguration
- OAuth Misconfiguration
ORM Leak
ORM Leak
- ORM Leak
Open Redirect
Open Redirect
- Open URL Redirection
Prompt Injection
Prompt Injection
- Prompt Injection
Prototype Pollution
Prototype Pollution
- Prototype Pollution
Race Condition
Race Condition
- Race Condition
Regular Expression
Regular Expression
- Regular Expression
Request Smuggling
Request Smuggling
- Request Smuggling
SAML Injection
SAML Injection
- SAML Injection
SQL Injection
SQL Injection
Server Side Include Injection
Server Side Include Injection
- Server Side Include Injection
Server Side Request Forgery
Server Side Request Forgery
- Server-Side Request Forgery
Server Side Template Injection
Server Side Template Injection
Tabnabbing
Tabnabbing
- Tabnabbing
Type Juggling
Type Juggling
- Type Juggling
Upload Insecure Files
Upload Insecure Files
- Upload Insecure Files
- Configuration Apache .htaccess
  Configuration Apache .htaccess
  - .htaccess
Web Cache Deception
Web Cache Deception
- Web Cache Deception
Web Sockets
Web Sockets
- Web Sockets
XPATH Injection
XPATH Injection
- XPATH Injection
XSLT Injection
XSLT Injection
- XSLT Injection
XSS Injection
XSS Injection
XXE Injection
XXE Injection
- XML External Entity
Zip Slip
Zip Slip
- Zip Slip Zip Slip
  Table of contents
LEARNING AND SOCIALS
LEARNING AND SOCIALS
- Books
- Twitter
- Youtube
template vuln
template vuln
- Vulnerability Title

Zip Slip

The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../shell.php). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.

Summary

Tools
Methodology
- Detection
- Basic Exploit
Additional Notes

Tools

ptoomey3/evilarc - Create tar/zip archives that can exploit directory traversal vulnerabilities
usdAG/slipit - Utility for creating ZipSlip archives

Methodology

Detection

Any ZIP upload page on the application.

Basic Exploit

Using ptoomey3/evilarc:

python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15

Creating a ZIP archive containing a symbolic link:

ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt

Additional Notes

For affected libraries and projects, visit snyk/zip-slip-vulnerability

References