Null-byte injection
Theory
Null-byte injection is a bypass technique for sending data that would otherwise be filtered. It relies on injecting the null byte character (%00 when URL-encoded, \x00 in hexadecimal notation) into the supplied data. Its role is to terminate a string.
Practice
File access restriction by extension
Accessing a file in an application that appends an extension.
Example:
- An attacker wants to retrieve the file /etc/passwd, but an extension .php is appended automatically, such as /etc/passwd.php.
- The attacker uses the null byte to terminate the string and throw away the .php extension: /etc/passwd%00
File upload restriction by extension
Uploading a file that is filtered by its extension.
Example:
- An attacker wants to upload a malicious.php, but the only extension allowed is .pdf.
- The attacker constructs the file name such as malicious.php%00.pdf and uploads the file.
- The application reads the .pdf extension, validates the upload, and later throws away the end of the string due to the null byte.
- The file malicious.php is then put on the server.
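
Both cases above come from the same gap: the extension check sees the whole string, while a layer that treats strings as NUL-terminated sees only the part before the null byte. The following is an added example, not code from the original page; the function names and the .pdf allowlist are assumptions made for illustration. It puts a naive extension check beside a hardened one that rejects such names outright.

```python
from urllib.parse import unquote
import posixpath

ALLOWED_EXTENSIONS = {".pdf"}  # assumption: allowlist taken from the upload example


def c_string_view(name: str) -> str:
    """What a NUL-terminated (C-style) API sees: everything before the first NUL."""
    return name.split("\x00", 1)[0]


def naive_check(raw_name: str) -> bool:
    """Flawed pattern: checks the extension of the whole string only."""
    name = unquote(raw_name)
    return posixpath.splitext(name)[1].lower() in ALLOWED_EXTENSIONS


def hardened_check(raw_name: str) -> bool:
    """Accept a name only if every layer would interpret it the same way."""
    name = unquote(raw_name)
    # Reject NUL and other control characters instead of trying to strip them.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        return False
    # Reject names that still decode further (double encoding such as %2500).
    if unquote(name) != name:
        return False
    # Accept a bare file name only, with no directory components.
    if posixpath.basename(name) != name or name in ("", ".", ".."):
        return False
    return posixpath.splitext(name)[1].lower() in ALLOWED_EXTENSIONS


# Constructed sample inputs, based on the file names used on this page.
SAMPLES = ["report.pdf", "malicious.php%00.pdf", "malicious.php%2500.pdf", "/etc/passwd%00"]


def evaluate(samples=SAMPLES):
    """Return (raw name, naive verdict, hardened verdict, C-string view) per sample."""
    return [(s, naive_check(s), hardened_check(s), c_string_view(unquote(s)))
            for s in samples]


if __name__ == "__main__":
    for raw, naive, hardened, seen in evaluate():
        print(f"{raw!r:28} naive={naive!s:5} hardened={hardened!s:5} C-string view={seen!r}")
```

Rejecting the request is preferable to removing the null byte, since a cleaned name can still differ from what the client intended and hides the attempt from logs.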