Common PHP attacks: Poison Null Byte
Category: Hacking -> Common attacks
What is a null byte
The Poison Null Byte, also called the Poisoned NUL Byte, was given that name by Olaf Kirch in a post to the fa.linux.security newsgroup. In C, and in the many languages and libraries built on it, a string carries no stored length: the end of the string is marked by a NUL byte (0x00) placed after the last character, as opposed to storing the total length in an integer field at the start of the string. PHP strings, by contrast, carry an explicit length and may legitimately contain NUL bytes. By embedding NUL bytes in input that is later handed to code which does not handle NUL terminators properly, an attacker can exploit the system using techniques such as directory traversal.
The Poison Null Byte exploit takes advantage of a string with a known length, which is permitted to contain NUL bytes, being passed to an API that uses NUL-terminated strings. That API stops reading at the embedded NUL, so everything the application appended after the attacker-controlled portion, such as a file extension, is silently discarded.
There are a number of ways to use the Poison Null Byte exploit, including the following:
- Truncating a filename inside a string so that whatever follows the NUL, for example a file extension appended by the application, is dropped.
- Terminating or commenting out the remainder of an SQL statement that is executed dynamically, for example through Oracle's EXECUTE IMMEDIATE.
There are several ways to guard against Poison Null Byte injection in PHP. One is to escape the NUL byte with a backslash (as addslashes() does), but that only helps consumers that understand the escape sequence. The recommended approach is to remove the byte entirely, or better still to reject any input that contains it. Note also that since PHP 5.3.4 the filesystem functions (fopen(), include, file_get_contents() and so on) refuse paths containing a NUL byte, emitting a warning in PHP 5 and 7 and throwing a ValueError in PHP 8, so on current PHP this validation is defence in depth; older builds and other NUL-terminated consumers remain exposed. The byte can be removed using code similar to the following:
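The following is an added example, not code from the original article. It shows the vulnerable construction the article describes (a user-supplied template name with a fixed extension appended), how a NUL byte survives PHP's binary-safe concatenation, and two defences: the article's strip-the-byte approach and a stricter allowlist that rejects bad input outright. The parameter name, template directory and template extension are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article). The directory, the ".tpl"
// extension and the idea of a ?page= parameter are assumed for illustration.
const TEMPLATE_DIR = '/var/www/templates/';

/**
 * Vulnerable construction: the application appends ".tpl" assuming the user
 * can only ever select a template. PHP strings are binary-safe, so the NUL
 * byte survives the concatenation; a consumer that treats NUL as a terminator
 * would only see the part before it.
 */
function build_template_path_vulnerable(string $page): string
{
    return TEMPLATE_DIR . $page . '.tpl';
}

/** Detects a NUL byte anywhere in the input. */
function contains_null_byte(string $s): bool
{
    return strpos($s, "\0") !== false;
}

/** The article's recommended fix: remove the byte entirely rather than escape it. */
function strip_null_bytes(string $s): string
{
    return str_replace("\0", '', $s);
}

/**
 * Stronger fix: reject instead of repair. Only characters that can legitimately
 * appear in a template name are allowed. \A and \z anchor the whole string
 * (unlike $, which also matches before a trailing newline).
 */
function build_template_path_safe(string $page): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        throw new InvalidArgumentException('invalid template name');
    }
    return TEMPLATE_DIR . $page . '.tpl';
}

// Constructed attacker input. PHP URL-decodes query parameters before
// populating $_GET, so "page=../../etc/passwd%00" arrives as this string:
$attack = "../../etc/passwd\0";

$path = build_template_path_vulnerable($attack);
printf("full path length: %d (the NUL byte is counted)\n", strlen($path));
// strstr() with before_needle=true returns the part before the NUL, i.e. what a
// NUL-terminated consumer would actually open: /var/www/templates/../../etc/passwd
printf("what a NUL-terminated consumer sees: %s\n", strstr($path, "\0", true));
// Since PHP 5.3.4 PHP's own filesystem functions refuse such a path (warning in
// PHP 5/7, ValueError in PHP 8), so the truncation only bites when the string
// reaches a less careful consumer or an older interpreter.

printf("NUL byte present: %s\n", contains_null_byte($attack) ? 'yes' : 'no');
// Stripping the byte defeats the truncation, but the result is still a
// traversal attempt (".tpl" is now appended to ../../etc/passwd), which is why
// removal alone is not enough and an allowlist is preferable.
printf("after stripping: %s\n", build_template_path_vulnerable(strip_null_bytes($attack)));

try {
    build_template_path_safe($attack);
} catch (InvalidArgumentException $e) {
    printf("rejected: %s\n", $e->getMessage());
}
echo build_template_path_safe('about'), "\n";
```

Run it with `php example.php`. The key point the output makes is that strlen() reports the whole string while strstr() shows the truncated view a NUL-terminated API would act on; the allowlist in build_template_path_safe() closes both the NUL-byte trick and the directory traversal it was covering for.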