NULL BYTE ATTACK

21:08 Posted by tudouya No comments
The Null Byte Attack is a type of attack that takes advantage of the inconsistent handling of the Null Byte character among different languages. The Null Byte is a special byte that indicates the end of a string of characters. In the C and C++ programming languages the Null Byte character signals the end of the string: when the interpreter encounters the Null Byte character, it knows that it has reached the end of the string. In multibyte languages like PHP, the Null Byte character has no special meaning. PHP treats it as any other encoded character and does not consider it the end of the string. This difference in handling the character makes the Null Byte attack possible, as we will see below. Example:
Consider a script that allows users to download images only from the server.
readfile($_GET["image"] . ".jpg");
The script accepts a parameter which is the image name without an extension. The programmer appends the ".jpg" extension to the end of the image name to make sure only image files are being downloaded. An attacker sends the following URL:
http://www.mysite.com/downloadimage.php?image=password.txt%00
Notice the %00 at the end of the request. This is the URL encoding of the null byte. When the PHP script receives this request, it tries to execute the following command:
readfile("password.txt\0.jpg");
The \0 indicates the Null Byte. In the URL it is represented as %00 because it is URL encoded, but the actual representation is \0. Using \0 directly in the URL will not pass the Null Byte character; it has to be encoded first.
The readfile function will send the submitted file name password.txt\0.jpg to a C-language function that will return the file. The C-language function will notice the Null Byte character and will assume that the requested file is just password.txt, because it ignores everything after the Null Byte. The attacker can now retrieve any other file he wants.

Protecting Against Null Byte Attack

To protect against this type of attack, you need to reject or sanitize content that contains the Null Byte. It is hard to think of any situation where a user needs to supply a Null Byte as part of the request so it is best to reject the data instead of trying to make it valid. It is commonly known that correcting user input may lead to unexpected problems. You can check for the existence of the Null Byte in PHP using the function below:
// Returns true if $s contains a null byte. "\0" is the null byte inside a
// PHP double-quoted string; strpos() is binary-safe, so it can find it.
function containsNullByte($s)
{
    if (strpos($s, "\0") === false)
        return false;
    return true;
}
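The following is an added example, not code from the original post: it places the post's vulnerable readfile() pattern next to a hardened download handler that applies the "reject, don't sanitise" advice above and also confines the resolved path to one directory. The directory name IMAGE_DIR, the function names, and the sample inputs are assumptions made for illustration. One caveat worth knowing: PHP 5.3.4 and later refuse null bytes in the filesystem functions themselves (PHP 8 throws a ValueError from readfile()), so the truncation described above no longer happens on current PHP, but the unvalidated handler still lets a caller pick arbitrary names, which is why the checks below are still needed.

```php
<?php
// Added example (not from the original post). IMAGE_DIR, the function names
// and the sample inputs below are assumptions for illustration.
declare(strict_types=1);

const IMAGE_DIR = '/var/www/images'; // assumed location of the image store

// Returns true if $s contains a null byte. "\0" is the null byte in a PHP
// double-quoted string; strpos() is binary-safe, so it sees it.
function containsNullByte(string $s): bool
{
    return strpos($s, "\0") !== false;
}

// The vulnerable pattern from the post: the request value is used as-is.
function downloadImageVulnerable(string $image): void
{
    readfile($image . ".jpg");
}

// Hardened version. Returns the resolved path, or null when the name is
// rejected. Validation happens before any filesystem call.
function resolveImagePath(string $image): ?string
{
    // 1. Reject rather than sanitise: a null byte is never legitimate here.
    if (containsNullByte($image)) {
        return null;
    }
    // 2. Allow only a conservative character set: no slashes, no dots, so
    //    neither a different extension nor a different directory can be named.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $image)) {
        return null;
    }
    // 3. Resolve symlinks and ".." and confirm the result is still inside
    //    IMAGE_DIR. realpath() returns false if the file does not exist.
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $image . '.jpg');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function downloadImage(string $image): void
{
    $path = resolveImagePath($image);
    if ($path === null) {
        http_response_code(400);
        exit('invalid image name');
    }
    header('Content-Type: image/jpeg');
    readfile($path);
}

// Constructed inputs. A $_GET value arrives already URL-decoded, so "%00"
// has become a real null byte by the time the script sees it.
$samples = [
    "logo",             // legitimate name (resolves only if the file exists)
    "password.txt\0",   // the null-byte payload from the post
    "logo.jpg",         // dot is outside the allowed character set
];
foreach ($samples as $s) {
    $verdict = containsNullByte($s) ? 'contains null byte' : 'no null byte';
    printf("%-24s %-18s resolve => %s\n",
        json_encode($s), $verdict, resolveImagePath($s) ?? 'rejected');
}
```

The null-byte check is kept as a separate step even though the character-set regex would also reject it, so that a log entry or error message can name the real reason; a null byte in a file-name parameter is a clear signal of probing rather than a typo, which makes it a useful thing to alert on.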
