Slippery Upload — 247CTF

Figures: Website; vulnerable code

Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution.

Normally, the uploaded zip file is extracted to ‘UPLOAD_FOLDER’, which is “/tmp/uploads”. But what if the zip contains a file named “../../evil.sh”? Then ‘evil.sh’ is written to the ‘/’ directory, because the path climbs two levels up from ‘/tmp/uploads’ before the file name is applied.
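The fix on the defender's side is to resolve every entry name against the upload folder before a single byte is written, and to reject the whole archive if any entry escapes. Below is an added Python example (my code, not the post's or the challenge's src_new.py) that does exactly that for a hand-rolled extractor, plus an audit helper that lists escaping entries without extracting anything. It assumes the app writes entries itself with open()/write; note that Python's own ZipFile.extract() already strips ‘..’ segments, so the check matters when entries are written manually or by another library. The archive contents and entry names are constructed for the demo.

```python
"""Zip Slip check for a hand-rolled zip extractor (added example, not from the post)."""
import io
import os
import shutil
import tempfile
import zipfile


class ZipSlipError(ValueError):
    """Raised when an archive entry would land outside the target folder."""


def is_safe_entry(target_dir: str, member_name: str) -> bool:
    """True if member_name, joined to target_dir, still resolves inside it.

    realpath() collapses '..' (and follows symlinks that already exist under
    target_dir); commonpath() avoids the "/tmp/uploads2" vs "/tmp/uploads"
    trap that a naive str.startswith() prefix check would fall into.
    """
    base = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(base, member_name))
    return os.path.commonpath([base, dest]) == base


def audit_archive(zip_bytes: bytes, target_dir: str) -> list:
    """Detection only: names of entries that would escape target_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_entry(target_dir, n)]


def safe_extract(zip_bytes: bytes, target_dir: str) -> list:
    """Write entries the way a manual extractor would, but only after every
    name has been validated, so a hostile archive is refused as a whole
    instead of being half-extracted. Returns the paths written."""
    base = os.path.realpath(target_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = [n for n in zf.namelist() if not is_safe_entry(base, n)]
        if bad:
            raise ZipSlipError(f"refusing traversal entries: {bad!r}")
        for name in zf.namelist():
            dest = os.path.realpath(os.path.join(base, name))
            if name.endswith("/"):          # directory entry
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:    # the manual write the check protects
                fh.write(zf.read(name))
            written.append(dest)
    return written


def build_archive(entries: dict) -> bytes:
    """Constructed test data: an in-memory zip from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)   # writestr stores '../' names as given
    return buf.getvalue()


def demo() -> dict:
    """Run a benign and a hostile (constructed) archive through the checks."""
    target = tempfile.mkdtemp(prefix="uploads-")   # stands in for UPLOAD_FOLDER
    try:
        benign = build_archive({"notes.txt": b"hello"})
        hostile = build_archive({"notes.txt": b"hello",
                                 "../../evil.sh": b"placeholder"})
        benign_written = [os.path.basename(p) for p in safe_extract(benign, target)]
        flagged = audit_archive(hostile, target)
        try:
            safe_extract(hostile, target)
            rejected = False
        except ZipSlipError:
            rejected = True
        return {"benign_written": benign_written,
                "flagged": flagged,
                "hostile_rejected": rejected}
    finally:
        shutil.rmtree(target, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Validating all names before writing any is deliberate: an extractor that checks entry by entry can still leave benign files behind from a rejected archive, which complicates cleanup and incident review.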

Walkthrough (figure captions):
1. create Zip script
2. upload the zip file
3. Reload the webpage
4. src_new.py
5. Reload the webpage
6. SSTI
7. “id” executed
8. ls
9. cat the flag

HAPPY HACKING
