OSCP Notes

Null Byte Injection

  • Useful when PHP appends an extension to the end of the file name.

  • In some specific cases you need to add a null byte terminator to the LFI/RFI vulnerable parameter. A null byte is a byte with the value zero (%00 URL-encoded, or 0x00 in hex) and represents a string termination point or delimiter character. Adding a null byte to a payload can alter the intended program logic, because string processing stops at the null byte and any bytes after it are ignored.

Example

Let's consider the following code:

$file = $_GET['page']; 
require_once("/var/www/$file.php");

Now if we inject ../../../etc/passwd into the page parameter, the include effectively becomes:

$file = $_GET['page']; 
require_once("/var/www/../../../etc/passwd.php");

In this case we cannot conduct File Inclusion with the passwd file because the second line appends a PHP extension to the file name and effectively converts the passwd file to passwd.php which would result in a ‘file not found error’. In such a case, we can add a null byte to the passwd file name to terminate the string at the null byte and discard the ‘.php’ extension.

Null Byte

http://website/page=../../../etc/passwd%00

http://example.com/page=../../../../../../etc/passwd?

/etc/passwd%00jpg     
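
The defensive counterpart to the vulnerable require_once above, as an added example that is not part of the original notes: the requested page is rejected if it contains a NUL byte, matched against an exact allow-list, and then checked to resolve inside the page directory. The names ALLOWED_PAGES and resolve_page(), the page names and the temporary directory are assumptions made for the demo.

```php
<?php
// Added example, not code from the original notes. ALLOWED_PAGES, resolve_page()
// and the temporary directory below are assumptions made for the demo.
const ALLOWED_PAGES = ['home', 'about'];

// Returns the absolute path to include, or null when the request is rejected.
function resolve_page(string $page, string $baseDir): ?string
{
    // $_GET values arrive URL-decoded, so %00 shows up here as a raw NUL byte.
    if (strpos($page, "\0") !== false) {
        return null;
    }
    // Exact-match allow-list: traversal sequences never reach the filesystem.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // Defence in depth: canonicalise and confirm the file sits under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $path === false) {
        return null; // directory or page file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a throwaway page directory and sample "page" values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . uniqid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");

$samples = ['home', '../../../etc/passwd', "../../../etc/passwd\0", "home\0.jpg"];
foreach ($samples as $sample) {
    $resolved = resolve_page($sample, $dir);
    $label = json_encode($sample, JSON_UNESCAPED_SLASHES);
    printf("%-30s => %s\n", $label, $resolved === null ? 'rejected' : 'accepted');
}

// Clean up the demo directory.
unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```

PHP 5.3.4 and later treat paths containing a NUL byte as invalid, so the truncation described above applies to older runtimes. The allow-list still matters there, because traversal to other .php files does not depend on the null byte.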

Last updated 3 years ago