{"id":508,"date":"2025-09-12T12:15:41","date_gmt":"2025-09-12T10:15:41","guid":{"rendered":"https:\/\/bergee.it\/blog\/?p=508"},"modified":"2025-11-04T06:20:26","modified_gmt":"2025-11-04T05:20:26","slug":"how-two-dollars-and-one-zip-file-let-me-read-the-server-files","status":"publish","type":"post","link":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/","title":{"rendered":"How two dollars and one zip file let me read the server files"},"content":{"rendered":"<p>Hi there<\/p>\n<p>There was an app which allowed me to buy domains and offered different types of hosting. First I was testing the free features of the app and found really cool XSS bug but it is the different story :). Then I decided to invest some money and bought the domain, let&#8217;s call it mynewshinydomain.com, which costed me about 2 dollars. I took this financial risk \ud83d\ude42<\/p>\n<p>Once I bought it, I immediately gained access to tons of new features. And one of them was feature where I could upload or create files and dirs via web interface. I could only host static files such as .css, .html, .js, .txt, no scripts. But this isn&#8217;t important. There was also the option to upload the zip file, which later was extracted into the root of my site. As I am familiar with basic zip attacks such as zip-slip attack nad symlink attack, I tried both of them, but only the second one worked.<\/p>\n<h3>The zip symlink attack<\/h3>\n<p>In this attack we must zip the file which is symbolic link. The symbolic link is a kind of shortcut, it points to another file on file system. I created the test.txt file pointing to \/etc\/passwd\u00a0 on my system in WSL shell:<\/p>\n<blockquote><p>$\u00a0 ln -s \/etc\/passwd test.txt<\/p><\/blockquote>\n<p>Then I zipped the file into test.zip<\/p>\n<blockquote><p>$ zip &#8211;symlinks test.zip test.txt<\/p><\/blockquote>\n<p>Note the &#8211;symlinks option to preserve the symlinks. I uploaded the file , I saw no errors, so I entered this url:<\/p>\n<blockquote><p>https:\/\/mynewshinydomain.com\/test.txt<\/p><\/blockquote>\n<p>Wait, what? I could not believe I saw the content of \/etc\/passwd from the server. It worked just like this, no filters. So I obtained arbitrary file read, I could read files on server where web user has access to.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-510\" src=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png\" alt=\"\" width=\"502\" height=\"119\" srcset=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png 502w, https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd-300x71.png 300w\" sizes=\"auto, (max-width: 502px) 100vw, 502px\" \/><\/p>\n<p>I immedietaly reported it as critical finding and after short time I got P1 and some cash :). They introduced the fix which I tried to bypass with binary editing of zip file but failed :\/. My mistake was to report it right away, because I could maybe read some source code of an app and this way was able to find more vulns. On the other hand the attack is not complicated, so I was afraid of being duplicated and the emotions took over.<\/p>\n<h3>The final notes<\/h3>\n<ol>\n<li>Sometimes it pays off to spend some money which gives access to more features to test.<\/li>\n<li>Let&#8217;s not assume anything upfront, even the pretty simple\u00a0 attacks might still work.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p>Impact: High<br \/>\nReward: $750<\/p>\n<p>See you next bug<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi there There was an app which allowed me to buy domains and offered different types of hosting. First I was testing the free features of the app and found really cool XSS bug but it is the different story :). Then I decided to invest some money and bought the domain, let&#8217;s call it&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29,47],"tags":[],"class_list":["post-508","post","type-post","status-publish","format-standard","hentry","category-write-up","category-zip-symlink"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How two dollars and one zip file let me read the server files - Bergee&#039;s Stories on Bug Hunting<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How two dollars and one zip file let me read the server files - Bergee&#039;s Stories on Bug Hunting\" \/>\n<meta property=\"og:description\" content=\"Hi there There was an app which allowed me to buy domains and offered different types of hosting. First I was testing the free features of the app and found really cool XSS bug but it is the different story :). Then I decided to invest some money and bought the domain, let&#8217;s call it...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/\" \/>\n<meta property=\"og:site_name\" content=\"Bergee&#039;s Stories on Bug Hunting\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-12T10:15:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-11-04T05:20:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png\" \/>\n\t<meta property=\"og:image:width\" content=\"502\" \/>\n\t<meta property=\"og:image:height\" content=\"119\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"bergee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/bergee\" \/>\n<meta name=\"twitter:site\" content=\"@bergee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"bergee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/\"},\"author\":{\"name\":\"bergee\",\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"headline\":\"How two dollars and one zip file let me read the server files\",\"datePublished\":\"2025-09-12T10:15:41+00:00\",\"dateModified\":\"2025-11-04T05:20:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/\"},\"wordCount\":435,\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"image\":{\"@id\":\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png\",\"articleSection\":[\"write-up\",\"zip symlink\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/\",\"url\":\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/\",\"name\":\"How two dollars and one zip file let me read the server files - Bergee&#039;s Stories on Bug Hunting\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png\",\"datePublished\":\"2025-09-12T10:15:41+00:00\",\"dateModified\":\"2025-11-04T05:20:26+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#primaryimage\",\"url\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png\",\"contentUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png\",\"width\":502,\"height\":119},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/bergee.it\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How two dollars and one zip file let me read the server files\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/bergee.it\/blog\/#website\",\"url\":\"https:\/\/bergee.it\/blog\/\",\"name\":\"Bergee&#039;s Stories on Bug Hunting\",\"description\":\"hacking, cyber security and programming\",\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/bergee.it\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\",\"name\":\"bergee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"url\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"contentUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"width\":129,\"height\":150,\"caption\":\"bergee\"},\"logo\":{\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\"},\"sameAs\":[\"http:\/\/localhost\/wordpress\",\"https:\/\/www.linkedin.com\/in\/bartlomiej-bergier\",\"https:\/\/x.com\/https:\/\/twitter.com\/bergee\"],\"url\":\"https:\/\/bergee.it\/blog\/author\/bergee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How two dollars and one zip file let me read the server files - Bergee&#039;s Stories on Bug Hunting","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/","og_locale":"en_US","og_type":"article","og_title":"How two dollars and one zip file let me read the server files - Bergee&#039;s Stories on Bug Hunting","og_description":"Hi there There was an app which allowed me to buy domains and offered different types of hosting. First I was testing the free features of the app and found really cool XSS bug but it is the different story :). Then I decided to invest some money and bought the domain, let&#8217;s call it...","og_url":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/","og_site_name":"Bergee&#039;s Stories on Bug Hunting","article_published_time":"2025-09-12T10:15:41+00:00","article_modified_time":"2025-11-04T05:20:26+00:00","og_image":[{"width":502,"height":119,"url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png","type":"image\/png"}],"author":"bergee","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/bergee","twitter_site":"@bergee","twitter_misc":{"Written by":"bergee","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#article","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/"},"author":{"name":"bergee","@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"headline":"How two dollars and one zip file let me read the server files","datePublished":"2025-09-12T10:15:41+00:00","dateModified":"2025-11-04T05:20:26+00:00","mainEntityOfPage":{"@id":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/"},"wordCount":435,"publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"image":{"@id":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#primaryimage"},"thumbnailUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png","articleSection":["write-up","zip symlink"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/","url":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/","name":"How two dollars and one zip file let me read the server files - Bergee&#039;s Stories on Bug Hunting","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#primaryimage"},"image":{"@id":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#primaryimage"},"thumbnailUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png","datePublished":"2025-09-12T10:15:41+00:00","dateModified":"2025-11-04T05:20:26+00:00","breadcrumb":{"@id":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#primaryimage","url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png","contentUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png","width":502,"height":119},{"@type":"BreadcrumbList","@id":"https:\/\/bergee.it\/blog\/how-two-dollars-and-one-zip-file-let-me-read-the-server-files\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/bergee.it\/blog\/"},{"@type":"ListItem","position":2,"name":"How two dollars and one zip file let me read the server files"}]},{"@type":"WebSite","@id":"https:\/\/bergee.it\/blog\/#website","url":"https:\/\/bergee.it\/blog\/","name":"Bergee&#039;s Stories on Bug Hunting","description":"hacking, cyber security and programming","publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/bergee.it\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73","name":"bergee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","contentUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","width":129,"height":150,"caption":"bergee"},"logo":{"@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png"},"sameAs":["http:\/\/localhost\/wordpress","https:\/\/www.linkedin.com\/in\/bartlomiej-bergier","https:\/\/x.com\/https:\/\/twitter.com\/bergee"],"url":"https:\/\/bergee.it\/blog\/author\/bergee\/"}]}},"_links":{"self":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/508","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/comments?post=508"}],"version-history":[{"count":8,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/508\/revisions"}],"predecessor-version":[{"id":538,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/508\/revisions\/538"}],"wp:attachment":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/media?parent=508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/categories?post=508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/tags?post=508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}