Null Byte Injection
I recently read a nice article on InfoSec Institute (again) about null byte injection. However, I ran into some problems making it work in a real situation, so I decided to write my own.
First of all, this vulnerability was fully patched in PHP 5.3.4 (until someone finds another buggy function…), which means you need to install an old version of PHP to reproduce it.
Grab one from the PHP releases archive.
Once compiled and configured, it is very important to set magic_quotes_gpc=Off in php.ini (it won't work with ini_set in the script itself).
Then imagine an index.php like this:
<?php
// Vulnerable: the p parameter is concatenated straight into the include path.
include( '/var/www/pages/'.$_GET['p'].'.php' );
?>
And a /pages/store.php like this:
<?php
echo 'This is the store !';
?>
If you call it directly it will work, but in practice index.php is used to display common things like the header and footer around the page.
So the basic usage is:
Since index.php already concatenates .php with the p parameter, you'll get this kind of error if you set the extension manually:
Notice the double extension .php.php, which means the site might be vulnerable.
An easy tool to determine the PHP version of your target is a browser extension like Wappalyzer for Firefox/Iceweasel or Chrome.
The next step is to add the null byte:
Because we got the same result as the “normal” usage, the target is now certainly vulnerable: the null byte terminates the filename, so the appended .php is ignored and you can include any file. Of course, the goal of this attack is to retrieve sensitive files:
Keep in mind that the path of the included file must be relative to the current script (index.php in my case); otherwise it will throw a file-not-found error:
Here is the error you’ll get if you fight against a patched PHP:
And the error you'll get if magic_quotes_gpc is enabled:
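For contrast with the index.php above, here is a hardened version of the same page loader that closes the hole on any PHP version, old or patched. This is an added example, not code from the original post; the pages directory and the allowlist of page names are assumptions, and it deliberately avoids PHP 7 syntax so it runs on the old releases the post uses.

```php
<?php
// Hardened replacement for the vulnerable include() pattern above.
// Added example: PAGES_DIR and the page names are constructed assumptions.
define('PAGES_DIR', '/var/www/pages/');

function resolvePage($requested)
{
    // 1. Allowlist of page names the application actually knows about.
    //    A fixed list beats any amount of input filtering.
    static $allowed = array('home', 'store', 'contact');
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        return null;
    }

    // 2. Belt and braces: accept only a plain identifier. This refuses NUL
    //    bytes (%00), slashes and "..", so the appended '.php' can never be
    //    truncated away and the path can never leave PAGES_DIR.
    if (!preg_match('/\A[a-z0-9_-]+\z/', $requested)) {
        return null;
    }

    // 3. Resolve to a canonical path and confirm it is still inside
    //    PAGES_DIR, so symlinks cannot redirect the include elsewhere.
    $path = realpath(PAGES_DIR . $requested . '.php');
    if ($path === false || strpos($path, PAGES_DIR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage(isset($_GET['p']) ? $_GET['p'] : 'home');
if ($page === null) {
    header('HTTP/1.1 404 Not Found');
    echo 'Page not found';
    exit;
}
include $page;
?>
```

With this loader, ?p=store%00 is rejected by the allowlist before any path is built, and the error log shows only an ordinary 404 rather than the include warnings shown in the screenshots above.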