Bypassing PHP Null Byte Injection protections


August 15, 2016

Overview

The Null Byte Injection is pretty old vulnerability. As an example, this post from 1996(!) describes the same problem affecting CGI scripts. Yet, this vulnerability still bites now and then.

PHP suffered from this issue for quite a long time and was not fixed until late December 2010 when the final fix was implemented in version 5.3.4.

All is not lost and there are some other tricks out there which allows you to overcome this fix and still exploit Local File Include (LFI) vulnerabilities. For this reason, we thought it would be beneficial for  the community to come up with a CTF challenge followed by a write-up on the tricks which are not entirely spread out on the Interwebs.

My friend and Securus Global co-worker Márcio challenged me to try the CTF challenge that he came up with recently. The challenge aims to present a not widely known technique used to bypass some common file upload restrictions imposed on PHP applications. Restrictions, that prevent unauthorized upload of files to the web server using web application.

Here is the link to the challenge: http://198.199.84.56

I’ll spoil the fun a little bit and tempt you to try it out: The challenge is all about cute Pandas. ☺

Enjoy!

One thought on “Bypassing PHP Null Byte Injection protections

  1. S.

    I’m not saying your friend Márcio haven’t accidentally came up with the idea, but mentioned challenge was present (actually in even a bit harder version) on Plaid CTF 2016 (in mid April).

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *