Hi ya guys,
Have you ever heard of "null byte" poison? Well if not... read on...
How to create a null byte
Hold down Ctrl + Shift and press the key with the @ symbol on it. In Notepad++, for example, this creates a little box with the word "NUL" in it. That is a null byte.
What is a null byte
It's the first character in the ASCII table, i.e. 0. In PHP, for example, chr(0) would return a null byte.
Practical Purpose
In many languages a null byte is used to mark the end of a string, as opposed to storing an integer in the first byte or two of the string giving its total length. The null byte is simply placed at the end of the string and takes a single byte (saving space, and the program does not need to keep count of the total characters in the string).
PHP, C, and many other languages use null bytes to indicate the end of a string.
So what's "null byte" poison?
It's when someone enters a string and places a null byte somewhere in it. Everything after the null byte is chopped off, making it invisible to string functions that stop at the terminator... however the rest of the text is still there when the data is processed later! Sorry if that doesn't make much sense... so I did an example to help you understand...
Example of a null byte attack in PHP
For the sake of this example... pretend the # is a "Null Byte".
For this example pretend someone has uploaded a file that contains PHP code to delete a website! The filename is all that interests us here. It has been specifically crafted to contain null byte poison:
Name: delete.zip#.php
Then there is some code that checks the extension of the uploaded file to see if it is allowed to be uploaded. The function that checks the extension, however, only sees "delete.zip"!!! Because the function hit the null byte after .zip, it stopped processing the rest of the name. So the extension returned would be ".zip" instead of ".php".
Now this is where the problem is... because it saw .zip it allows the file to be uploaded and written to the file system... however when saved on the server's file system the null byte is ignored and the file is saved as: delete.zip.php
If the file is saved in a public, PHP-executable directory... the user only has to access the file via the web browser to execute the PHP contained in the script!
That's generally how "Null Byte" poison works.
How do I protect against it?
By simply replacing the null byte inside the string... with nothing! Here is an example in PHP:
$filename = str_replace(chr(0), '', $filename); // strip every null byte from the uploaded filename
That only leaves the terminating null byte PHP itself keeps on the end of the string, so the variable keeps functioning properly.
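Here is an added example (my own code, not part of the original post) that puts the attack walkthrough and the fix side by side. It emulates what a C-style, null-terminated string function "sees" by cutting the name at the first null byte, shows how a naive extension check built on that view is fooled by the post's delete.zip#.php name, and then shows a hardened check that refuses any filename containing a null byte and only accepts an allowlisted extension. The function names and the sample filenames are my own constructions.

```php
<?php
// Added example, not code from the original post. Demonstrates null byte
// poison against a naive extension check, and a hardened check that refuses
// the poisoned name. Filenames here are constructed samples.
declare(strict_types=1);

// Emulates what a C-style (NUL-terminated) string function sees: everything
// after the first null byte is invisible to it.
function cStyleView(string $s): string
{
    $nul = strpos($s, "\0");
    return $nul === false ? $s : substr($s, 0, $nul);
}

// Naive check (hypothetical name): trusts the terminator-based view of the
// name, so it never sees the ".php" hidden behind the null byte.
function naiveExtensionAllowed(string $filename, array $allowed): bool
{
    $ext = strtolower(pathinfo(cStyleView($filename), PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Hardened check (hypothetical name): reject a null byte outright rather than
// silently stripping it, restrict the character set, and look at the WHOLE
// filename before comparing against an allowlist of extensions.
function safeExtensionAllowed(string $filename, array $allowed): bool
{
    if (strpos($filename, "\0") !== false) {
        return false;                       // poisoned input: refuse it
    }
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $filename)) {
        return false;                       // no path separators or control chars
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

$allowed  = ['zip'];
$poisoned = "delete.zip\0.php";   // the post's delete.zip#.php with a real chr(0)
$clean    = "report.zip";

// Naive check sees only "delete.zip" and wrongly allows the upload.
printf("naive sees '%s' -> allowed=%s\n",
    cStyleView($poisoned),
    var_export(naiveExtensionAllowed($poisoned, $allowed), true));   // true

// Hardened check refuses the poisoned name but still accepts a clean one.
printf("hardened poisoned -> allowed=%s\n",
    var_export(safeExtensionAllowed($poisoned, $allowed), true));    // false
printf("hardened clean    -> allowed=%s\n",
    var_export(safeExtensionAllowed($clean, $allowed), true));       // true

// The post's fix, stripping the byte, turns the name into "delete.zip.php",
// whose real extension an allowlist check then correctly rejects.
$stripped = str_replace(chr(0), '', $poisoned);
printf("stripped name '%s' -> allowed=%s\n",
    $stripped,
    var_export(safeExtensionAllowed($stripped, $allowed), true));    // false
```

Rejecting rather than stripping is the safer default: a filename with a null byte in it never comes from a legitimate upload, so refusing it gives you a clear signal to log, whereas stripping quietly produces a new name that must then be re-validated. Note also that PHP's own filesystem functions have refused paths containing a null byte since 5.3.4 (PHP 8 throws a ValueError), so the check above is belt-and-braces for the application logic rather than the only line of defence.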
Kind regards,
Scott