
Poison NULL byte in Basic23


DeafCode
root@Alpha.Oddities

I was reading the RFI post and the include syntax reminded me of the poison NULL byte thing. Anyway, I have a question for anyone who is good with this exploit: why can't you use it in Basic 23 where it says show.php?page=

Couldn't you plug in show.php%00, where %00 escapes, and get the entire PHP source code???


clone4
Perl-6 Wisdom Seeker

You may wanna check this thread: http://www.hellboundhackers.org/forum/poison_null_protection-59-12852_0.html#110897

Also, now I'm just guessing, but again, as the challenge is hardcoded and you don't actually include the remote file, you won't be able to null byte poison it for the same reason…


DeafCode
root@Alpha.Oddities

But on a site with RFI it would work??


clone4
Perl-6 Wisdom Seeker

Yeah, it should return the source of the page…

But don't forget filters etc., which may many times prevent the poisoning.


DeafCode
root@Alpha.Oddities

Then why won't it work in Real 11 when I try to use the page include from the Why Firm page to access /clients/login.php%00?


clone4
Perl-6 Wisdom Seeker

DeafCode wrote: Then why won't it work in Real 11 when I try to use the page include from the Why Firm page to access /clients/login.php%00?

You should have checked the URL I gave you; here is the answer:

Mr_Cheese wrote: A switch is definitely the way to go about it (preventing the null byte poisoning).

It's a long-winded way of doing things, but by far the most secure.

example:

```php
switch ($_GET['page']) {

    case 'home':
        include "home.php";
        break;

    case 'contact':
        include "contact.php";
        break;

    default:
        include "home.php";

}
```
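To make the point of Mr_Cheese's switch concrete, here is an added PHP example (it is not his code and not from any HBH challenge) that puts the include pattern the thread is discussing next to an allowlist version. The `PAGES` map, the function names and the constructed request values are assumptions for illustration; the behaviour of `include` with a `"\0"` in the path (truncation in old PHP, refusal since 5.3.4) is what the comments describe.

```php
<?php
// Added example, not Mr_Cheese's or HBH's code: the pattern the thread
// talks about next to the switch/allowlist approach he recommends.

// The pattern at issue: the request value becomes part of a file path.
// Before PHP 5.3.4 the underlying C file functions stopped at the first
// NUL byte, so a value ending in "%00" truncated whatever was appended.
// PHP 5.3.4+ refuses any path containing "\0" (warning), PHP 8 throws
// a ValueError, but the real fix is not to build paths from input at all.
function naive_include_path(string $page): string
{
    return $page . '.php';   // the caller controls the whole prefix
}

// Allowlist (assumed map): the request value is only a lookup key and is
// never used as a path. Unknown keys fall back to the home page, exactly
// like the default: branch of the switch above.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function safe_include_path($page): string
{
    // Non-string input (e.g. page[]=x) or an unlisted key -> default page.
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        return PAGES['home'];
    }
    return PAGES[$page];
}

// A NUL byte in a query parameter is never legitimate; worth logging.
function contains_null_byte(string $value): bool
{
    return strpos($value, "\0") !== false;
}

// Constructed requests. urldecode() mirrors what PHP already did to %00
// before the value landed in $_GET.
$requests = ['home', 'contact', urldecode('/clients/login.php%00')];

foreach ($requests as $req) {
    if (contains_null_byte($req)) {
        error_log('NUL byte in page parameter from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
    }
    printf("%-30s naive: %-32s allowlist: %s\n",
        json_encode($req),
        json_encode(naive_include_path($req)),
        safe_include_path($req));
}
```

Run from the command line with `php example.php`: the first two requests resolve to the same file either way, while the poisoned one becomes `"/clients/login.php\u0000.php"` under the naive function and plain `home.php` under the allowlist, with a log line recording the attempt. The `is_string` check matters because `switch` and `array_key_exists` behave differently when `page[]=` turns the parameter into an array.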

DeafCode
root@Alpha.Oddities