Null Byte Injection

以前不知道，记下来。

Perl PHP Null Byte Injection

rain.forest.puppy outlined in Phrack issue 55 the uses of NUL Byte Injection within Perl, and how these could be exploited. The results were very similar in PHP.

An example of a NULL byte vulnerable PHP script is as follows:

$file = $_GET['file'];
require_once("/var/www/$file.php");

While the above script appears to be secured by forcing the ".php" file extension, it could be exploited as follows: http://www.example.com/index.php?file=../../etc/passwd%00

The above NULL byte injection would result in the mandatory appended file extension (.php) to be dropped, and the /etc/passwd file to be loaded.

Perl PHP Null Byte Injection

rain.forest.puppy outlined in Phrack issue 55 the uses of NUL Byte Injection within Perl, and how these could be exploited. The results were very similar in PHP.

An example of a NULL byte vulnerable PHP script is as follows:

$file = $_GET['file'];
require_once("/var/www/$file.php");

While the above script appears to be secured by forcing the ".php" file extension, it could be exploited as follows: http://www.example.com/index.php?file=../../etc/passwd%00

The above NULL byte injection would result in the mandatory appended file extension (.php) to be dropped, and the /etc/passwd file to be loaded.