# Null Byte Injection

* **Useful when PHP code appends an extension to the end of the file name**
* In some specific cases you need to add a null byte terminator to the LFI/RFI vulnerable parameter. **A null byte is a byte with the value zero (%00 when URL-encoded, or 0x00 in hex) and represents a string termination point or delimiter character.** Adding a null byte to a payload can alter the intended program logic because **it immediately stops the string from further processing any bytes after the null byte. This means that any bytes after the null byte delimiter will be ignored.**

## **Example**

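Let's consider the following code:

```
// User-controlled value taken straight from the query string
$file = $_GET['page'];
// ".php" is appended to whatever the user supplied
require_once("/var/www/$file.php");
```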

Now if we inject a path to /etc/passwd into it, it will look something like this:

```
$file = "../../../etc/passwd";   // value supplied in $_GET['page']
require_once("/var/www/../../../etc/passwd.php");
```

In this case **we cannot conduct File Inclusion with the passwd file because the second line appends a PHP extension to the file name and effectively converts the passwd file to passwd.php**, which would result in a 'file not found' error. In such a case, **we can add a null byte to the passwd file name to terminate the string at the null byte and discard the '.php' extension.**

## Null Byte

```
http://website/page=../../../etc/passwd%00

http://example.com/page=../../../../../../etc/passwd?

/etc/passwd%00jpg     
```
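For contrast with the vulnerable `require_once` above, here is a hardened resolver, added as an example and not part of the original notes. PHP 5.3.4 and later already refuse filesystem paths containing a null byte, so the check below is defence in depth and a useful detection signal; `PAGE_DIR`, `PAGES` and `resolve_page()` are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example: allow-list based replacement for
//   require_once("/var/www/$file.php");
// PAGE_DIR, PAGES and resolve_page() are hypothetical, not from the notes.

const PAGE_DIR = '/var/www/pages';            // assumed template directory
const PAGES    = ['home', 'about', 'contact']; // assumed list of valid pages

/**
 * Map a user-supplied page name to a file path, or return null.
 * The user value never becomes part of a path unless it is an exact
 * allow-list match, so traversal and truncation have nothing to act on.
 */
function resolve_page(string $page): ?string
{
    // A NUL byte is never legitimate in a page name: reject and log it.
    if (strpos($page, "\0") !== false) {
        error_log('null byte in page parameter: ' . json_encode($page));
        return null;
    }
    // Strict comparison against the allow-list; "../", "about.php", etc. fail.
    if (!in_array($page, PAGES, true)) {
        return null;
    }
    return PAGE_DIR . '/' . $page . '.php';
}

// Constructed inputs, shown as PHP sees them after URL-decoding (%00 -> "\0").
$samples = [
    'about',
    '../../../etc/passwd',
    "../../../etc/passwd\0",
    "about\0.jpg",
    'about.php',
];

foreach ($samples as $input) {
    $path = resolve_page($input);
    printf("%-30s => %s\n", json_encode($input), $path ?? 'REJECTED');
}

// In the real handler the include would then be:
//   $path = resolve_page($_GET['page'] ?? 'home');
//   if ($path === null) { http_response_code(404); exit; }
//   require_once $path;
```

Only `about` resolves to a path; the other four inputs are rejected, and the two containing a null byte are also written to the error log.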

