
Null Byte Injection

I recently read a nice article on InfoSec Institute (again) about null byte injection. However, I ran into some problems making it work in a real situation, so I decided to write my own.

First of all, this vulnerability has been fully patched in PHP 5.3.4 (until someone finds another buggy function…), which means you need to install an old version of PHP. Grab it from the PHP releases archive. After compiling and configuring it, it is very important to set magic_quotes_gpc=Off in php.ini (it won't work with ini_set in the script itself).

Then imagine an index.php like this:

<?php
// Vulnerable: the user-controlled p parameter is concatenated into the include path unvalidated
include( '/var/www/pages/'.$_GET['p'].'.php' );
?>

And a /pages/store.php like this:

<?php
echo 'This is the store !';
?>

If you call store.php directly it works, but in that case index.php is usually used to display common elements like the header and footer.

So the basic use is:

[Screenshot: Null Byte Injection]

Since index.php already concatenates .php to the p parameter, you'll get this kind of error if you add the extension manually:

[Screenshot: Null Byte Injection]

Notice the double extension .php.php, which means the site might be vulnerable. An easy way to determine the PHP version of your target is a browser extension like Wappalyzer for Firefox/Iceweasel or Chrome.

The next step is to add the null byte:

[Screenshot: Null Byte Injection]

Because we got the same result as the "normal" usage, it is now certain that the target is vulnerable. You can inject anything. Of course, the goal of this attack is to retrieve sensitive files:

[Screenshot: Null Byte Injection]

Keep in mind that the path of the required file must be relative to the current script (index.php in my case); otherwise it will throw a file-not-found error:

[Screenshot: Null Byte Injection]

Here is the error you'll get if you are up against a patched PHP:

[Screenshot: Null Byte Injection]
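The PHP fix only stops the null byte; it does nothing about "../" traversal through the same include. Below is an added example (my own code, not from the original post) of how index.php should be written so that the user-supplied p value never reaches include() at all: the name is matched against an allowlist (the page names and the /var/www/pages directory are assumptions for the example), and the resolved path is checked with realpath() to be inside the pages directory. Rejected values are logged with control bytes escaped, so a "%00" probe shows up in the error log as \000.

```php
<?php
// Added example: hardened replacement for the vulnerable index.php above.
declare(strict_types=1);

// Allowlist of page names this router may serve (hypothetical list).
const PAGES = [
    'home'  => 'home.php',
    'store' => 'store.php',
];

/**
 * Resolve a user-supplied page name to a file inside $baseDir, or null.
 * The regular expression rejects NUL bytes, slashes, backslashes and
 * dots before any filesystem call is made; the allowlist lookup makes
 * the include target a constant we chose; realpath() plus a prefix check
 * guarantees the final path is still inside $baseDir even via symlinks.
 */
function resolvePage(string $baseDir, ?string $p): ?string
{
    if ($p === null || $p === '') {
        $p = 'home';
    }
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $p)) {
        return null; // "%00", "../", "/etc/passwd" etc. all fail here
    }
    if (!array_key_exists($p, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$p]);
    if ($base === false || $file === false) {
        return null; // directory or page file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the pages directory
    }
    return $file;
}

$raw  = $_GET['p'] ?? null;
$file = resolvePage('/var/www/pages', is_string($raw) ? $raw : null);
if ($file === null) {
    http_response_code(404);
    // Escape NUL and other control bytes so the probe is visible in the log.
    error_log('rejected page parameter: '
        . addcslashes(is_string($raw) ? $raw : '', "\0..\37\177..\377"));
    exit('Page not found');
}
include $file;
```

On PHP 5.3.4 and later include() itself refuses a path containing a NUL byte, but the allowlist is what closes the traversal variant and it works the same on any PHP version; the error_log line gives a simple detection hook for the "%00" and "../" probes shown in the screenshots.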

And the error you'll get if magic_quotes_gpc is enabled:

[Screenshot: Null Byte Injection]

External resources