Is it possible to perform null byte injection on PHP code? And what would vulnerable code look like? Could you give me some examples, as I noticed that:

<?php

echo $_GET['get'];

will not make code vulnerable. I want to know what possible security flaws in code can cause this kind of vulnerability, if possible. Any example would be appreciated and useful.

black_hat_cat
  • http://projects.webappsec.org/w/page/13246949/Null%20Byte%20Injection – elsadek Jan 06 '14 at 22:55
  • Hey, thanks for your example. But I am still confused: in the example used on that page, I was able to load the file /root/Desktop/demo-password.fl, but when I put %00 on the end of the URL I get an error. What is the point of using a null byte if I was able to access files without it, and got an error when using it? Sorry, I am just too confused, any idea? – black_hat_cat Jan 06 '14 at 23:49
  • https://research.g0blin.co.uk/php-and-curl-and-null-bytes-oh-my/ – bishop Mar 17 '16 at 14:44

2 Answers


Null byte injection in PHP concerns how null bytes are handled in filesystem operations. If an attacker can inject a null byte into a filepath, the underlying C function will disregard anything after the malicious character. This can be used in order to bypass constraints such as the intended file's extension.

The following example is from php.net:

<?php
$file = $_GET['file']; // "../../etc/passwd\0"
if (file_exists('/home/wwwrun/'.$file.'.php')) {
    // file_exists will return true as the file /home/wwwrun/../../etc/passwd exists
    include '/home/wwwrun/'.$file.'.php';
    // the file /etc/passwd will be included
}
?>

http://www.php.net/manual/en/security.filesystem.nullbytes.php

In this case, the '.php' extension will be ignored during file operations if the user submits a null character at the end of the file parameter. Combined with a directory traversal string, it allows the attacker to "include" arbitrary files that will be disclosed.

itscooper

This information is only relevant for older (unsupported) versions of PHP.

Null byte injection has been fixed in PHP 5.3.4 (which itself is already an old and unsupported PHP version): https://bugs.php.net/bug.php?id=39863.

Boy Baukema
  • It was fixed for a limited subset of functions. The vulnerability in `(include/require)(_once)` persisted. In some instances, when `magic_quotes_gpc` is enabled, the null byte is escaped, and that induces the idea of it being fixed. – FanaticD Feb 26 '18 at 06:20