
Thread: BuYS: Web attack for information disclosure of source code

  1. #1 abhaythehero (Super Commando Dhruv)

    BuYS: Web attack for information disclosure of source code

    We all are pretty much familiar with the notorious %00.

    Code:
    http://www.example.com?page=index.php
    By adding %00 at the end:
    Code:
    http://www.example.com?page=index.php%00
    This throws out the source code of index.php

    Q.1 What is this attack called?
    Q.2 Why does this work, or what are the internal flaws in web languages which lead it to leak this?
    Q.3 How can this be mitigated? (You can assume PHP to be the language, or you can answer for other languages as well.)


    PM me the answers within 3 days. All answers with solution will be posted after 3 days completion.
    Last edited by abhaythehero; 09-12-2012 at 05:18 PM.
    In the world of 0s and 1s, are you a zero or The One !

  2. #2 b0nd
    Answer pmed Super Commando Dhruv. Not a complete one, but whatever I knew about this attack vector.

    Cheers!
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious

  3. #3 abhaythehero (Super Commando Dhruv)
    Quote Originally Posted by b0nd:
        Answer pmed Super Commando Dhruv. Not a complete one, but whatever I knew about this attack vector.

        Cheers!
    Checked your answer. Wow, that was another use of %00 in a different attack. But the basic internals remain the same. You just have to figure out why inserting %00 worked in your case, i.e., Question 2 and Question 3.

  4. #4 abhaythehero (Super Commando Dhruv)
    Oops, made a mistake in the scenario...

    Here is the correction :

    Code:
    http://www.example.com?page=1
    (Here we are getting an HTML output. We assume that the 1.html file is there on the server and is being accessed.)


    By adding %00 at the end:
    Code:
    http://www.example.com?page=page.php%00
    This throws out the source code of page.php

    ________________________________________________

    Another 3 days

  5. #5 abhaythehero (Super Commando Dhruv)
    b0nd's answer :
    Not sure about %00 disclosing the source code of the page but, to the best of my memory, it does help in commenting out the extension part of a file (back door shells) and hence in their execution. Have seen practical usage when uploading shells like xyz.php but the filters don't allow extensions other than txt, jpg etc.
    The solution used to be to rename xyz.php to xyz.php.txt, upload it, and then run it in the browser as /path/xyz.php%00.txt.
    ----------------------------------------------------------------------------

    Ans 1. Poison NULL byte attack. Full paper http://insecure.org/news/P55-07.txt

    Ans 2. PHP, Perl, etc. allow NULL characters in their variables as data. Unlike C, NULL is not a string delimiter, so "root" != "root\0". But the underlying system/kernel calls are programmed in C, which DOES recognize NULL as a delimiter. So the end result? PHP passes "index.php%00", but the underlying libs stop processing when they hit the first (our) NULL. Hence index.php%00 is what the PHP code means, but the C library understands it as index.php. So the code of index.php is coughed up on the page (as would happen in the case of the 1.html file) and is not considered by the server-side code as something to be executed.

    Ans 3. Apply regex to filter out null. (Read the paper, it is explained in detail there)
    Last edited by abhaythehero; 10-05-2012 at 04:51 PM.
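    The two-layer behaviour described in Ans 2 (a length-aware web-language string versus a NUL-terminated C string) and the filter from Ans 3, as an added C example. This is not code from the thread, from PHP, or from the linked paper: `web_layer_build`, `fs_layer_len`, `contains_nul`, `is_safe_page_name` and `safe_resolve` are hypothetical names, the ".html" suffix follows the corrected scenario in post #4, and the parameter values are constructed for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Models how a web language composes the filename: the parameter is
 * copied by length, so an embedded NUL is just another byte.
 * Returns the byte count the web layer believes it produced, 0 if it
 * does not fit. (Constructed model, not PHP's real string handling.) */
size_t web_layer_build(const char *param, size_t param_len,
                       const char *ext, char *out, size_t cap)
{
    size_t ext_len = strlen(ext);
    if (param_len + ext_len + 1 > cap)
        return 0;
    memcpy(out, param, param_len);
    memcpy(out + param_len, ext, ext_len);
    out[param_len + ext_len] = '\0';
    return param_len + ext_len;
}

/* What a NUL-terminated C API (fopen, open, stat, ...) sees of that
 * same buffer: everything after the first 0x00 byte is gone. */
size_t fs_layer_len(const char *path)
{
    return strlen(path);
}

/* Mitigation from Ans 3: refuse any parameter carrying a NUL byte.
 * memchr is bounded by len, so the check itself is not fooled by the NUL. */
int contains_nul(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Stronger positive filter (assumption: page names are short tokens):
 * allow only [A-Za-z0-9_-], which rules out NUL, dots and path
 * separators in one check. */
int is_safe_page_name(const char *buf, size_t len)
{
    if (len == 0 || len > 64)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened resolver: length of the composed path, or 0 when rejected. */
size_t safe_resolve(const char *param, size_t len, char *out, size_t cap)
{
    if (contains_nul(param, len) || !is_safe_page_name(param, len))
        return 0;
    return web_layer_build(param, len, ".html", out, cap);
}

int main(void)
{
    char path[64];
    /* Constructed input: "page.php" followed by a NUL, as %00 decodes to. */
    static const char tainted[] = "page.php\0";
    size_t web_len = web_layer_build(tainted, 9, ".html", path, sizeof path);
    size_t fs_len = fs_layer_len(path);
    printf("web layer built %zu bytes, C layer opens %zu: \"%s\"\n",
           web_len, fs_len, path);          /* 14 vs 8: "page.php" */
    printf("safe_resolve rejects tainted input: %s\n",
           safe_resolve(tainted, 9, path, sizeof path) == 0 ? "yes" : "no");
    if (safe_resolve("1", 1, path, sizeof path))
        printf("safe_resolve accepts \"1\" -> \"%s\"\n", path); /* 1.html */
    return 0;
}
```

    The gap between `web_len` and `fs_len` is the whole attack surface: the web layer appended ".html" and still believed the request was for an HTML file, while the C layer stopped at the NUL and opened page.php as plain data. Rejecting the NUL before the path is built (or, better, allowing only a known-safe character set) closes that gap at the boundary where the two string conventions meet.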
