> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/lfi/trick-0175.md).

# Zip Upload Symlink LFI

***

This technique involves creating a symbolic link within a zip archive. This is a variant of zip-based exploits, sometimes referred to as a ZipSlip Symlink variant or Symlink Sabotage, which can allow attackers to read arbitrary files on the target system. This method is often associated with Local File Inclusion (LFI) vulnerabilities.

To perform this attack, create a symbolic link on your local system pointing to the target file you want to read on the server. Name this symlink as if it were a valid file type the application expects (e.g., `test.pdf` if PDFs are accepted).

```bash
ln -s /path/to/target/file test.pdf
```

Then, create a zip archive containing this symlink, ensuring symlinks are preserved during zipping.

```bash
zip -r --symlinks exploit.zip test.pdf
```

Upload `exploit.zip` to the target application. If the server extracts the archive and preserves the symlink, you can then access the extracted symlink file via the web server. This will cause the server to read and return the content of the file pointed to by the symlink (e.g., `/path/to/target/file`). The extraction directory path needs to be known.

```bash
curl http://target/uploads/.../test.pdf
```

Common targets include `/etc/passwd`, `/etc/apache2/sites-available/000-default.conf`, `/var/www/html/shop/index.php`.
