snyk / zip-slip-vulnerability

Zip Slip Vulnerability (Arbitrary file write through archive extraction)
https://snyk.io/research/zip-slip-vulnerability
741 stars 112 forks source link

how to add ../ in tar file #42

Open mikelueng opened 3 years ago

mikelueng commented 3 years ago

hi, would you tell me the way how to add ../ in tar file.

ggkitsas commented 3 years ago

metasploit has a module

or you could script it yourself, here's a starting point: https://github.com/jwilk/traversal-archives/blob/master/tar/Makefile

mikelueng commented 3 years ago

thank you so much.

mikelueng commented 3 years ago

when I use zip_slip module in metasploit, it seems that I can just use the payload msf provided, but can't specify the content of the compressed file. If I want to exploit the Zip_Slip_Vulnerability to override /ect/crontab with correct format , how could I do for this ?

mikelueng commented 3 years ago

finally, I find the way to override etc/crontab: 1)mkdir etc in the path: ~/mike/java/yasuo/abc/, then write crontab in the folder "etc" we just mkdir. 2)root@kali:~/mike/java/yasuo/abc/11/22/33# tar cPvf cron.tar ../../../etc/crontab bingo, get cron.tar include ../../../etc/crontab