Entering a null byte in the upload form

Question

Entering a null byte in the upload form

I am trying to reproduce a Null Byte Injection attack in the download form. I have this code:

<?php if(substr($_FILES['file']['name'], -3) != "php") { if(move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name'])) echo '<b>File uploaded</b>'; else echo '<b>Can not upload</b>'; } else echo '<b>This is not a valid file/b>'; ?>

I am trying to upload a file named like this: file.php% 00jpg, so it will bypass substr () and will be loaded as a .php file, since move_uploaded_file () should stop at zero byte (% 00).

The problem is that the downloaded file is not called file.php on the server, but file.php% 00jpg (which can be accessed by entering /file.php%2500jpg in the url line).
It seems that move_uploaded_file () doesn't care about the zero byte, so how does it work? Is it possible to upload a .php file with my piece of code?

Thanks:).

+7

security php forms exploit

Efuveo Feb 09 '13 at 21:27

source share

1 answer

Fabian schmengler · Accepted Answer · 2013-02-09T22:05:48+0000

The HTML form urlencodes is the file name for% 2500, and PHP decodes it again to% 00 (percent sign, zero, zero). There is no null byte in your test, you will need to specify a file with an actual null byte (this is not possible) or a script with an HTTP request manually instead of using an HTML form. However, current versions of PHP are not vulnerable to this attack, PHP internally blocks variables in the so-called ZVal container and allows zero bytes in the middle of the line without any effect.

Entering a null byte in the upload form

More articles: