
poison null byte


ghost's Avatar
0 0

I am really getting mad about how to use this attack. I tried my best but was not able to view the source code in which PHP or ASP or JSP was there; it was only showing HTML code.

I tried all the combinations but was unable to use it. Please help me with it… :)


ghost's Avatar
0 0

Hi, firstly, were you talking about the basic web hacking mission? Perhaps you should have posted this thread in the correct forum…

I also had trouble with this. Read the article on Wikipedia about the poison null byte, as it gave me the best information on it. Otherwise you can PM me what your specific questions are and where you are stuck.


Uber0n's Avatar
Member
0 0

If you mean that you're targeting a website (or preferably your own server), then you must understand that it won't work unless the target is vulnerable.

This should be pretty obvious though :p


ghost's Avatar
0 0

Is there any chance that someone who is proficient at PHP would post an example of a script that is vulnerable to the poison null byte attack?


ghost's Avatar
0 0
<?php
// $_GET['page'] is user-controlled and ".php" is appended unconditionally
include($_GET['page'].".php");
?>

There you go…LFI vulnerability that would be exploited based on using a null byte.


ghost's Avatar
0 0

Dude, poison null byte is really easy and fun. My college is extremely vulnerable to this. I am not going to tell you what school I go to, but you'll know when you find a site vulnerable to poison null byte. I swear. My school has been more vulnerable to this attack beyond my imagination. It seriously devastated my college. No joke. PM if you want.


ghost's Avatar
0 0

skathgh420 wrote: My college is extremely vulnerable to this. I am not going to tell you what school I go to…

skathgh420 wrote: It seriously devastated my college. No joke. PM if you want.

Am I the only one that read the post this way?


ghost's Avatar
0 0

Zephyr_Pure wrote: [quote]skathgh420 wrote: My college is extremely vulnerable to this. I am not going to tell you what school I go to…

skathgh420 wrote: It seriously devastated my college. No joke. PM if you want.

Am I the only one that read the post this way?[/quote]

If you are implying that I did it, you are soooo off track. I know what happened to that particular college that I go to. I also have a good understanding of what/how they did it. If he wants to PM about poison null byte he can. That's all. I am no expert about it, but I know how it's done. That's all. :D


spyware's Avatar
Banned
0 0

Zephyr_Pure wrote: Am I the only one that read the post this way?

No. There's also the other Zephyr_Pure's in endless alternative dimensions in which you happened to read this.

Oh, and I found it a bit weird too, yeah. I guess the cost of privacy is one PM now. Good thing my inbox is full.


ghost's Avatar
0 0

skathgh420 wrote: My college is extremely vulnerable to this. I am not going to tell you what school I go to…

skathgh420 wrote: It seriously devastated my college. No joke. PM if you want.

skathgh420 wrote: If you are implying that I did it, you are soooo off track.

That wasn't what I was implying… as shown above again. Anyways, this topic is pretty much done; researching "poison null byte" will teach him how to do it, and vulnerable code has already been demonstrated. Nice of you to offer the PM option, though.

spyware wrote: No. There's also the other Zephyr_Pure's in endless alternative dimensions in which you happened to read this.

I definitely gotta meet those guys! They must be so cool!


ghost's Avatar
0 0

hacker2k wrote:

<?php
include($_GET['page'].".php");
?>

There you go…LFI vulnerability that would be exploited based on using a null byte.

Okay. I wanted to test this out on my own server, so I made this.

No matter what I try, I cannot view the source of PNB.php

Am I doing the attack wrong? (I'm looking for the right word for 'doing' the attack, but can't find it…) Or is it that the attack does more than just let the attacker view the source, and this is one of those cases?


ghost's Avatar
0 0

s3klyma wrote: No matter what I try, I cannot view the source of PNB.php

s3klyma wrote: Or is it that the attack does more than just let the attacker view the source, and this is one of those cases?

You're including the PHP file… when that is done, the PHP source is interpreted prior to the page becoming viewable (i.e., HTML sent to the browser). I'm sure others will come up with more / better uses for poison null byte attacks, but an example is using a vulnerable include field to bypass .htaccess restrictions. The only way I could see the PHP source being viewable is if you exploit a script that can echo the source or if you can breach the server admin account.


ghost's Avatar
0 0

Zephyr_Pure wrote: [quote]s3klyma wrote: No matter what I try, I cannot view the source of PNB.php

s3klyma wrote: Or is it that the attack does more than just let the attacker view the source, and this is one of those cases?

You're including the PHP file… when that is done, the PHP source is interpreted prior to the page becoming viewable (i.e., HTML sent to the browser). I'm sure others will come up with more / better uses for poison null byte attacks, but an example is using a vulnerable include field to bypass .htaccess restrictions. The only way I could see the PHP source being viewable is if you exploit a script that can echo the source or if you can breach the server admin account.[/quote]

Although I've never heard of such an attack, is it possible to open the page such that the server interprets it as a different type of file?

For example opening http://seklym4.t35.com/PNB.php as an HTML or txt file


ghost's Avatar
0 0

–Double post–


ghost's Avatar
0 0

Triple post!! SHIT!!


yours31f's Avatar
Retired
10 0

Do you use anything like Firebug, Greasemonkey, or any other editing add-on? If so, disable them.

And as for all the posts, go in and edit them… and make sure to tick the box that says "Delete this post".


ghost's Avatar
0 0

s3klyma wrote: Although I've never heard of such an attack, is it possible to open the page such that the server interprets it as a different type of file?

You would have to change the Content-Type and Content-Disposition headers when loading the file to interpret it as a different type. It might be possible to do this effectively with cURL, but I've never tried.

s3klyma wrote: For example opening http://seklym4.t35.com/PNB.php as an HTML or txt file

You would have to change the file type before the PHP is rendered server-side. … That's not going to happen.


hawkster's Avatar
Member
0 0

Looking at the source code for the page you set up, the Poison NULL Byte attack isn't going to work anyway. The string has to be terminated with a null, though in the source the null comes right before the file extension.

If we put in "that" in your search box, the query will become (in a shortened version):

?answer=that

This becomes a problem since the ".php" extension is added after the query string is passed, so anything added to the text box will be placed before the ".php" extension. Trying to do the NULL byte attack would come out like this if we entered "that%00" in the textbox:

?answer=that%00

which would then be translated into the page "that%00.php" (a page that doesn't exist) when what you would really want for the attack would be "that.php%00" (the Poison NULL Byte attack itself).

The NULL byte has to come at the end and not in the middle :)

You have to fix the portion of the PHP code which gets the "answer" parameter so it doesn't add the ".php" extension to the end but forces the user to do it himself. Then, the attack should work since the null byte will be processed after the extension, though I can't say completely because I don't know if there is other code affecting the processing of the input. This also assumes the server is vulnerable; if it isn't, you're kind of shit-out-of-luck :D

~Hawk


ghost's Avatar
0 0

The null byte aims to terminate the string prematurely (thus bypassing the default extension added). More info on the Poison Null Byte: http://insecure.org/news/P55-07.txt

So, basically, you bumped a week-old thread to be wrong? :P
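Both hacker2k's vulnerable snippet earlier in the thread and Zephyr_Pure's point that the null byte cuts the string before the appended extension can be shown in one script. The following is an added example written for this thread, not code posted by anyone above or taken from any project; the pages/ directory, the page names in the allowlist and the function names are assumptions made for the example. The payload in the comment puts %00 at the end of the attacker-supplied value because the script appends ".php" after it.

```php
<?php
// Added example for this thread (not code posted by anyone above).
//
// Request shapes it handles:
//   index.php?page=about                    -> pages/about.php
//   index.php?page=../../../etc/passwd%00   -> the "poison null byte" payload
//
// PHP decodes %00 into a real NUL byte inside $_GET['page']. The vulnerable
// handler then builds "../../../etc/passwd\0.php"; on PHP before 5.3.4 the
// C-level file functions stop at the first NUL, so the appended ".php" is never
// seen and /etc/passwd is included. The NUL sits at the END of the attacker's
// value, right before the extension the script appends.

// --- vulnerable: same pattern as the snippet earlier in the thread ---
function vulnerable_include(string $page): void
{
    include($page . ".php");
}

// --- hardened: allowlist, explicit NUL check, and a path-containment check ---
// $pages_dir and the page names are assumptions made for this example.
function hardened_include(string $page, string $pages_dir): void
{
    $allowed = ['home', 'about', 'contact'];

    // Defence in depth: PHP >= 5.3.4 rejects paths containing NUL itself, but
    // refusing them here makes the behaviour explicit and independent of the
    // PHP version on the host.
    if (strpos($page, "\0") !== false) {
        http_response_code(400);
        exit('bad request');
    }

    // The allowlist is the real fix: no user-controlled characters reach
    // include() at all, so "../", "%00" and absolute paths are all impossible.
    if (!in_array($page, $allowed, true)) {
        http_response_code(404);
        exit('not found');
    }

    // Belt and braces: confirm the resolved file still lives under $pages_dir.
    $base = realpath($pages_dir);
    $path = realpath($pages_dir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit('not found');
    }

    include $path;
}

$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
hardened_include($page, __DIR__ . DIRECTORY_SEPARATOR . 'pages');
```

Note that the payload points at a file that is not PHP. Including PNB.php itself would just execute it, as Zephyr_Pure said earlier, so what the null byte buys you is files the forced ".php" suffix would otherwise keep out of reach, such as a .htaccess or /etc/passwd, whose contents are then emitted as plain text.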


hawkster's Avatar
Member
0 0

Zephyr_Pure wrote: The null byte aims to terminate the string prematurely (thus bypassing the default extension added). More info on the Poison Null Byte: http://insecure.org/news/P55-07.txt

So, basically, you bumped a week-old thread to be wrong? :P

Hey, any jackass can bump a week-old thread to be right. :P

It takes a special jackass to bump a week-old thread to be wrong ;)

~Hawk