I recently read a nice article on InfoSec Institute (again) about null byte injection. However, I ran into some problems making it work in a real situation, so I decided to write my own.
First of all, this vulnerability was fully patched in PHP 5.3.4 (until someone finds another buggy function…): since that release, a path containing a NUL byte is rejected as invalid instead of being silently truncated at the NUL. That means you need to install an older version of PHP to reproduce it. Grab one from the PHP releases archive.
Once it is compiled and configured, it is very important to set magic_quotes_gpc=Off in php.ini: with magic quotes on, the %00 in the request is escaped to a backslash followed by a zero before your script ever sees it, and the injection fails. Setting it with ini_set() in the script itself will not work, because magic_quotes_gpc is applied to $_GET when the request starts, before any script code runs, and can only be changed in php.ini or per directory.
Then imagine an index.php like this:
<?php include( '/var/www/pages/'.$_GET['p'].'.php' ); ?>
and /var/www/pages/store.php like this:
<?php echo 'This is the store !'; ?>
Calling store.php directly works too, but in a setup like this index.php is usually the entry point: it prints the common parts of the page, such as the header and footer, and includes the requested page between them based on the p parameter.
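As an added example (not code from the original article), here is what a hardened index.php for the same layout looks like. It keeps the same /var/www/pages directory and ?p= parameter, but maps the request through an explicit allow-list of page names, rejects raw NUL bytes before any filesystem call, and checks with realpath() that the final path is still inside the pages directory. The page names in the list, the 404 handling and the command-line self-check are assumptions for the demo; the code targets PHP 7.1 or later, not the vulnerable 5.3.x build used for the test.

```php
<?php
// Added example, not the article's code: a hardened replacement for the
// one-line index.php above. The page names, the 404 handling and the
// CLI self-check below are assumptions for this demo.

const PAGES_DIR = '/var/www/pages';

// Only these values of ?p= are ever turned into a filename.
const ALLOWED_PAGES = ['home', 'store', 'contact'];

/**
 * Resolve the requested page name to an absolute path, or return null if
 * the request must be rejected. Rejection happens before any file access.
 */
function resolve_page(string $requested): ?string
{
    // 1. Reject a raw NUL byte outright. On PHP < 5.3.4 the C-level open()
    //    stopped at the NUL, so ".../etc/passwd\0.php" opened /etc/passwd.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // 2. Allow-list: the request must match a known page name exactly.
    //    "../" traversal is blocked too, because such strings are not listed.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }

    // 3. Build the path from the trusted list entry and verify that it still
    //    lives under PAGES_DIR once symlinks, "." and ".." are resolved.
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    $base = realpath(PAGES_DIR);
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// --- web usage: the role the original one-liner played ---
if (PHP_SAPI !== 'cli') {
    $page = resolve_page($_GET['p'] ?? 'home');
    if ($page === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $page;
    exit;
}

// --- self-check from the command line (constructed inputs) ---
// The second and third probes are the classic NUL-byte and traversal payloads.
$probes = [
    'store'                    => 'allowed (if the file exists)',
    "../../../../etc/passwd\0" => 'rejected: NUL byte',
    '../../../../etc/passwd'   => 'rejected: not in allow-list',
    'store.php'                => 'rejected: not in allow-list',
];
foreach ($probes as $input => $expected) {
    $result = resolve_page($input) === null ? 'rejected' : 'allowed';
    printf("%-28s -> %-8s (%s)\n", addcslashes($input, "\0"), $result, $expected);
}
```

Run it with `php index.php` to see each probe classified; in a browser, only the listed names reach include(), so a %00 in the query string never influences which file is opened regardless of the PHP version.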