When trying to harden a PHP web application against null byte poisoning, I noticed that I had a hard time actually sending null bytes in my request.
Using cURL, I was finally able to find a way to send null bytes in my requests, but noticed something very strange: no query parameters whose values include null bytes ever reach my PHP application.
As a proof of concept, I created a file called test.php on my server:
<?php echo json_encode($_GET), PHP_EOL;
Here is the result of some requests for this script:
> curl 'http://localhost/test.php?foo=bar&baz=nu%00ll'
{"foo": "bar"}
> curl 'http://localhost/test.php?foo=bar&b%00az=null'
{"foo": "bar", "b": "null"}
The keys appear to be truncated at the null byte, and if the value contains the null byte, the parameter is completely removed from the request array.
Using print_r() gives similar results:
<?php print_r($_GET);
> curl 'http://localhost/test.php?foo=bar&baz=nu%00ll'
Array
(
[foo] => bar
)
> curl 'http://localhost/test.php?foo=bar&b%00az=null'
Array
(
[foo] => bar
[b] => null
)
The same thing happens if I change my script and cURL requests to use $_POST.
Not that I'm complaining, but I need to know why this is happening, so that I can make sure that each web server is configured correctly.
What causes this behavior?
> php -v
PHP 5.3.3 (cli) (built: Jul 3 2012 16:40:30)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.29, Copyright (c) 2007, by SektionEins GmbH
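A small checker for the "make sure that each web server is configured correctly" goal, added here as an example and not part of the original post: it replays the question's two requests against a deployed copy of test.php (the json_encode version) and reports how the null byte was handled. The function names and result labels are assumptions made for this example.

```python
import json
import sys
import urllib.request

# Query strings taken from the two curl requests in the question.
PROBES = {
    "value": "foo=bar&baz=nu%00ll",  # NUL inside a parameter value
    "key": "foo=bar&b%00az=null",    # NUL inside a parameter name
}


def classify(kind, body):
    """Classify what test.php echoed (json_encode($_GET)) for one probe."""
    params = json.loads(body)
    # json_encode() renders an empty PHP array as [], not {}; the control
    # parameter foo=bar must come back or the echo script was not reached.
    if not isinstance(params, dict) or params.get("foo") != "bar":
        return "no-echo"
    if kind == "value":
        if "baz" not in params:
            return "dropped"      # parameter removed, as in the question
        value = params["baz"]
        if isinstance(value, str) and "\x00" in value:
            return "passed"       # NUL reached the application
        return "altered"          # present, but the NUL is gone
    if kind == "key":
        if "b\x00az" in params:
            return "passed"       # NUL reached the application in the key
        if "b" in params:
            return "truncated"    # key cut at the NUL, as in the question
        return "dropped"
    raise ValueError("unknown probe kind: %r" % kind)


def probe(script_url):
    """Send both probes to script_url and return {kind: classification}."""
    results = {}
    for kind, query in PROBES.items():
        url = script_url + "?" + query
        with urllib.request.urlopen(url, timeout=5) as resp:
            results[kind] = classify(kind, resp.read().decode("utf-8"))
    return results


if __name__ == "__main__":
    # Usage: python nulprobe.py http://localhost/test.php
    for kind, outcome in probe(sys.argv[1]).items():
        print("%-5s -> %s" % (kind, outcome))
```

On the server shown in the question this reports `dropped` for the value probe and `truncated` for the key probe; `passed` on any host means null bytes reach the application there.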