Q: During a penetration test, you find a function that only allows ZIP file uploads. What are some possible approaches?
A: Several approaches can be explored when only ZIP uploads are allowed:
- Try to bypass the extension check to upload other file types (e.g.,
.asp,.php,.exe). - Compress a malicious PHP file into a ZIP archive and upload it.
- Attempt to modify the ZIP's internal structure to execute code when extracted.
- Use a ZIP file as a carrier to inject a web shell.
- Try to upload a password-protected ZIP file to hide the malicious payload.
- Analyse the ZIP's file information to find hidden malicious code.
- Upload the ZIP and try to access its contents directly via the server.
- Search for vulnerabilities in how the application processes ZIP files.
- Extract hidden code from within the ZIP file.
- Check if there are any restrictions on file size.
- Attempt to use the ZIP file's properties to cause a DoS (Denial of Service) attack.
- Perform reverse engineering on the ZIP file's structure.
- Attempt a "magic box" attack where a ZIP is uploaded and later modified.