phpBB Academy at StarTrekGuide

[Techie-Micheal]

Spoiler:

%00 is what is called the null byte. Injection of the null byte is often called a poison null byte. Another, better explanation can be found here: http://www.hakipedia.com/index.php/Pois ... _Injection

If you do not wish to visit the above, or simply want me to explain more, here you go.

%00 is essentially a terminator, it stops anything else from being done, such as comparisons or file inclusions, and "poisons" the application, causing it to behave in unexpected ways.

Here is another example, taken from hakipedia:

Code: Select all

$file = $_GET['file'];
require_once("/var/www/$file.php");

Calling the URI "www.example.com/file.php?file=../../../../../etc/passwd%00" would terminate the string, and the .php would not be appended as would be expected.

Because the .php is not appended, the /etc/passwd file, a rather important file on *nix systems, gets included for easy viewing of the attacker.

[Erik Frèrejean]

Spoiler:

Ah I see and understand the theory, but I can't exploit this on my local system. The null byte gets escaped which results in a file named: /usr/bin\0 and that file doesn't exist thus it doesn't print it.
Is this an exploit that only works in specific browsers *cough*IE*cough*? Both WebKit and FireFox just escape it terminating the vulnerability.

[Techie-Micheal]

Spoiler:

Ah I see and understand the theory, but I can't exploit this on my local system. The null byte gets escaped which results in a file named: /usr/bin\0 and that file doesn't exist thus it doesn't print it.
Is this an exploit that only works in specific browsers *cough*IE*cough*? Both WebKit and FireFox just escape it terminating the vulnerability.

Spoiler:

It works fine for me in Firefox. How are you putting it in? Also, what version of PHP do you have? I found that some versions of PHP don't do this (though I haven't been able to figure out what or why). If you want, I can PM you the URL to my server so you can play, as it works well there.

file_exists.php?file=/usr/bin%00 works on my server. If you are putting in file_exists.php?file=/usr/bin\0, that won't work as you have to URL encode it, which is the %00.

[Erik Frèrejean]

Spoiler:

Ah I see and understand the theory, but I can't exploit this on my local system. The null byte gets escaped which results in a file named: /usr/bin\0 and that file doesn't exist thus it doesn't print it.
Is this an exploit that only works in specific browsers *cough*IE*cough*? Both WebKit and FireFox just escape it terminating the vulnerability.

Spoiler:

It works fine for me in Firefox. How are you putting it in? Also, what version of PHP do you have? I found that some versions of PHP don't do this (though I haven't been able to figure out what or why). If you want, I can PM you the URL to my server so you can play, as it works well there.

file_exists.php?file=/usr/bin%00 works on my server. If you are putting in file_exists.php?file=/usr/bin\0, that won't work as you have to URL encode it, which is the %00.

Spoiler:

Ah I see. It didn't work on my localhost (MAMP -> php 5.2.5). On my Debian VPS with php 5.2.6 it does work.

[Highway of Life]

Spoiler:

@Erik: Francis attempted it on the STG server, our VPS (running PHP 4.3.x?) and on his localhost -- MAMP PHP 5.2.6, he couldn?t get any of them to work. I should note that the PHP installation on his localhost and the STG server is identical.

[eviL3 Igor]

Spoiler:

/etc/passwd is unix/linux specific.

[Erik Frèrejean]

Spoiler:

/etc/passwd is unix/linux specific.

Spoiler:

True, but I didn't work at all. No matter what file I used

[TerraFrost]

Spoiler:

magic_quotes_gpc is why this doesn't work on select servers. It turns "\0" into "\\0" which means that no null byte is being injected. I thought I elaborated on this in Injection Vulnerabilities, but it looks like I have a small typo in that... a typo that's just been fixed

[Erik Frèrejean]

Spoiler:

Ah I see. Thanks for that explanation Jim

[onehundredandtwo]

I tried it on localhost and on a linux server and I couldn't get it to work. I suppose that's a good thing in a way.

EDIT: never mind, disabled magic_quotes_gpc and it works.