BuYS: Web attack for information disclosure of source code

**abhaythehero** · 09-12-2012, 05:11 PM

We all are pretty much familiar with the notorious %00.

Code:

http://www.example.com?page=index.php

By adding %00 at end

Code:

http://www.example.com?page=index.php%00

This throws out the source code of index.php

Q.1 What is this attack called ?
Q.2 Why does this work or what are the internal flaws in web languages which leads it to leak it.
Q.3 How can this be mitigated.(You can assume PHP to be the language. Or you can answer for other languages as well)

PM me the answers within 3 days. All answers with solution will be posted after 3 days completion.

**b0nd** · 09-13-2012, 09:22 AM

Answer pmed Super Commando Dhruv. Not a complete one, but whatever I knew about this attack vector.

Cheers!

**abhaythehero** · 09-13-2012, 11:43 AM

Originally Posted by b0nd

Answer pmed Super Commando Dhruv. Not a complete one, but whatever I knew about this attack vector.

Cheers!

Checked you answer. Wow, that was another use of %00 in a different attack. But the basic internals remains the same. You just have to figure out why inserting %00 worked in your case, i.e, Question 2 and Question 3.

**abhaythehero** · 09-18-2012, 04:31 PM

Oops made a mistake in the scenario....

Here is the correction :

Code:

http://www.example.com?page=1

(Here we are getting an html output. We assume that 1.html file is there on server and is being acessed.)

By adding %00 at end

Code:

http://www.example.com?page=page.php%00

This throws out the source code of page.php

________________________________________________

Another 3 days

**abhaythehero** · 10-05-2012, 04:39 PM

b0nd's answer :

Not sure about %00 disclosing source code of the page but, to the best of my memory, it does help in commenting out the extension part of file (back door shells) and hence in their execution. Have seen practical usage when uploading of shells like xyz.php but filters doesn't allow extensions other than txt, jpg etc.
Solution used to be to rename xyz.php to xyz.php.txt and upload and then run on browser as /path/xyz.php%00.txt

----------------------------------------------------------------------------

Ans 1. Poison NULL byte attack. Full paper http://insecure.org/news/P55-07.txt

Ans 2. PHP,Perl,etc allows NULL characters in its variables as data. Unlike C, NULL is not a string delimiter. So, "root" != "root\0". But, the underlying system/kernel calls are programmed in C, which DOES recognize NULL as a delimiter. So the end result? PHP passes "index.php%00", but the underlying libs stop processing when they hit the first (our) NULL. Hence index.php%00 is meant by php code, but C library understands it as index.php. So the code of index.php is coughed(as would happen in case of 1.html file) on page and not considered by server side code to be executed.

Ans 3. Apply regex to filter out null. (Read the paper, it is explained in detail there)

Thread: BuYS: Web attack for information disclosure of source code

LinkBack

Thread Tools

Search Thread

Display