The null byte to hack includes

The null byte (also called the null terminator) is a character with the value zero, present in the ASCII and Unicode character sets. A string ends at the first null character.
In a URL sent to a PHP script, this character is written as %00.

OK, what's the deal with null bytes?

A lot of people think that the method below, which includes a file with a fixed extension (.php), is bulletproof, but that's not true.

<?php
// Vulnerable: user input becomes part of the include path
include ($_GET['site'].".php");
?>

If you call the script with a null byte in the URL, it's possible to include any local or remote file, because the path ends at the null byte and the appended .php is dropped:

http://example.com/?site=../../../../etc/passwd%00
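
A hardened version of the include above, as an added example that is not part of the original post: the request value is only ever used as a key into an allowlist, so neither a null byte nor a traversal sequence nor a remote URL can reach include(). PAGES_DIR, the page names and the sample inputs are assumptions made for the illustration. Later PHP releases reject include paths that contain a null byte, but without the allowlist the directory traversal and remote include problems remain.

```php
<?php
// Added example (not the post author's code). PAGES_DIR and the page
// names are hypothetical; adjust them to the application.
const PAGES_DIR = __DIR__ . '/pages';

// User input is a lookup key only; it never becomes part of the path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($site): ?string
{
    // ?site[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($site)) {
        return null;
    }
    // Null bytes, path separators and URL schemes are never valid page
    // names. The allowlist would reject them too; checking first lets
    // the attempt be logged (hex-encoded, so the log line stays clean).
    if (strpos($site, "\0") !== false || preg_match('#[/\\\\:]#', $site)) {
        error_log('rejected include parameter: ' . bin2hex(substr($site, 0, 64)));
        return null;
    }
    if (!array_key_exists($site, ALLOWED_PAGES)) {
        return null;
    }
    return PAGES_DIR . '/' . ALLOWED_PAGES[$site];
}

// Constructed sample inputs, including the request shown in the post.
$samples = ['home', "../../../../etc/passwd\0", 'http://other.example/page', ['a'], 'admin'];
foreach ($samples as $s) {
    $path = resolve_page($s);
    printf("%-40s => %s\n", json_encode($s), $path === null ? 'rejected' : $path);
}

// In the real script the call site would be:
//   $path = resolve_page($_GET['site'] ?? 'home');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
```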

3 Comments so far

  1. jcavard on December 10, 2007

    Hello,

    Can anyone give me an example of when you’d include a file provided by the user? I can’t think of any application that would include($user_input); that’s not safe at all, is it?
    Why would one do that?

  2. b23 on December 10, 2007

    Hi jcavard,

    That’s the point: never trust any user input. But there are tons of sites, scripts, code and plugins which don’t care about it.

    I think these programmers don’t think or don’t know it.

    Take a look at this link; there you can find enough applications:

    http://milw0rm.com/search.php?dong=file%20inclusion

  3. pitagora on June 2, 2008

    Who said that is bulletproof even if you don’t use null byte injection? What’s stopping me from referencing a php on my site? If you think it’s the fact that it will get executed on my server rather then you are double wrong. What’s stopping me to mess with my server to see php files just like txt files? Hell I don’t need to mess with anything…just install a default IIS that doesn’t know about php. Either that or I put one line of code in my .htaccess to redirect the php to a txt file.

    Including files given by a variable is plain dumb…no matter how you look at it.
