How Null Byte Injections Work: A History of Our Namesake

In this Null Byte, I'm going to teach you about Null Byte Injections.

Null byte injection is an older exploit. It works by injecting a "null character" into a URL to alter where a string terminates, so that the application leaks information or produces output it was never meant to (which is exactly what the malicious user wants).

Every web language is exploitable this way if your code isn't sanitizing input -OR- parsing file names properly. Null bytes exist to terminate strings or act as placeholders in code; injecting them into URLs can make a web application lose track of where a string ends, which lets an attacker manipulate it for purposes such as LFI/RFI (Local and Remote File Inclusion).

A null byte in a URL is represented by '%00', which in ASCII is "" (a blank, non-printing character).

I'll be showing you how this exploit works against some vulnerable PHP code.

How to Exploit by Example

When building a web page, the designer may have written a bit of PHP to fetch images from the server. So let's assume they used the simple snippet of PHP below to load the image requested by some page.

Here is the PHP code example that we will exploit:

    // File name taken straight from the query string, with no validation
    $file = $_GET['file'];

    // The ".jpg" suffix is appended in the belief that only images can be loaded
    require_once("/var/www/images/$file.jpg");

This is what the URL extension would normally look like:

    .php?file=file.jpg

This fetches "file.jpg" from the server and displays it on the web page. The attack adds a null byte to the end of a local/remote file reference, like so:

    .php?file=[file inclusion here]%00 

Example:

    .php?file=../../../../../../etc/passwd%00

Why Does This Happen?

The PHP code above is vulnerable because it takes file names from the database and simply appends the ".jpg" extension to the end so that they display as picture files.

By injecting a null byte, the extension rule is never enforced, because everything after the null byte is ignored. You can use the PHP code below to fix it by removing NULL characters from the string.

Example PHP code:

    // Strip every NUL byte (chr(0)) from the user-supplied file name
    $file = str_replace(chr(0), '', $_GET['file']);
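Stripping the null byte closes this particular hole, but on its own it leaves the "../" traversal in the example URL untouched. The following is an added example, not code from the original post: a hardened version of the image loader that rejects null bytes outright, accepts only a simple base name, and confirms the resolved path still lies inside the image directory. The directory `/var/www/images` is taken from the post; the function name `safe_image_path`, the name pattern, and serving the file with `readfile()` instead of `require_once` are assumptions made for this example.

```php
<?php
// Added example (not from the original post): hardened image loader.
// Assumes images live under /var/www/images and that the client is only
// ever expected to send a bare file name with no path and no extension.
declare(strict_types=1);

const IMAGE_DIR = '/var/www/images';

/**
 * Return the absolute path of the requested image, or null if the
 * request does not pass validation.
 */
function safe_image_path(string $file): ?string
{
    // 1. Refuse a NUL byte instead of silently stripping it: a request that
    //    contains one is never legitimate, and refusing is easier to log.
    if (strpos($file, "\0") !== false) {
        return null;
    }

    // 2. Allow only a short, simple base name (letters, digits, '-', '_').
    //    This rules out '/', '..', and any other path syntax by construction.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $file)) {
        return null;
    }

    // 3. Defence in depth: resolve the final path and confirm it is still
    //    inside IMAGE_DIR. realpath() returns false for a missing file.
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $file . '.jpg');
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }

    return $path;
}

// Serve the image as data rather than including it as PHP source.
$path = safe_image_path($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('invalid image name');
}
header('Content-Type: image/jpeg');
readfile($path);
```

With this in place, a request such as `.php?file=../../../../../../etc/passwd%00` fails at step 2 (the decoded name contains '/' and '.'), and even a name that somehow passed the pattern could not escape the directory because of the `realpath()` check in step 3. The same three steps translate directly to the Perl example further down: reject NUL, whitelist the name, then validate the resolved path before opening it.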

This attack is mostly deprecated in PHP6, but you might be surprised how many people are still running PHP5.

This attack also works against other languages, such as the Perl scripting language.

Here's the Perl counterpart to the example above:

    # Raw query string from the web server
    $buffer = $ENV{'QUERY_STRING'};

    # URL-decode %XX sequences, which turns %00 into a literal NUL byte
    $buffer =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

    # Build the path and append ".jpg", just like the PHP version
    $fn = '/home/userx/data/' .$buffer. '.jpg';

    # Two-argument open; the NUL byte terminates the path at the C level
    open (FILE,"<$fn");

Here's how it would be exploited:

    read.pl?page=../../../../etc/passwd%00jpg

As you can see, the exploit is carried out in much the same way regardless of language. I hope this gives you the insight you need into Null Byte Injections.

Discuss or ask questions in the forums!

2 Comments

web servers are interesting creatures
