Gonzalez, posted December 4, 2006

NullByte Exploitation: CGI File Edition

Hopefully, you all have read my first nullbyte exploitation article and know what a nullbyte is. If you don't know what it is and haven't read my article, the nullbyte is a string used in programming languages that terminates the string. We will be using the nullbyte to trick a cgi file into displaying its own code!

In this edition of nullbyte exploitation we will see how we are able to exploit perl cgi files on the web. The first example shows a cgi page that uses the following to access .html pages:

index.cgi?pageid=3

This, in turn, shows us 3.html. This is not a huge vulnerability in itself. But when we apply the nullbyte, something magical happens. A simple PoC I will show you is how we are able to view the source of index.cgi. Look below for an example.

index.cgi?pageid=index.cgi%00

When we enter the null byte into the url it terminates everything, so that the .html extension is not put on.

Although I haven't tested this theory, we should be able to access /etc/passwd using this method.

index.cgi?pageid=/etc/passwd%00

Theoretically this should open up /etc/passwd and display the password file! Obviously, the possibilities from this point are endless.

Thanks for reading!
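The lookup pattern the post describes, as an added example that is not code from the original post: a vulnerable `pageid` handler beside a hardened one. It assumes the pages live under a `pages/` directory, that valid ids are short digit strings, and it reads the parameter straight from `QUERY_STRING` so it runs without CGI.pm.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Assumes pages are stored as
# pages/<id>.html and that a valid id is 1 to 6 digits.
use strict;
use warnings;
use File::Spec;

my $pages_dir = 'pages';

# Minimal query-string parsing: %XX escapes are decoded, so a request
# carrying pageid=3%00 yields a Perl string with a real NUL byte in it.
sub get_pageid {
    my ($qs) = @_;
    my ($raw) = ($qs // '') =~ /(?:^|&)pageid=([^&]*)/;
    return undef unless defined $raw;
    $raw =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $raw;
}

# Vulnerable: the extension is glued on by concatenation, nothing is
# validated. On the old Perls of the post's era the NUL passed through to
# the C-level open(), which stopped reading the path at the NUL, so
# ".html" was silently dropped; "../" sequences were not rejected either.
sub show_page_vulnerable {
    my ($pageid) = @_;
    my $path = "$pages_dir/$pageid.html";
    open(my $fh, '<', $path) or return "not found";
    local $/; my $body = <$fh>; close $fh;
    return $body;
}

# Hardened: allow-list the identifier before any path is built. Digits
# only, bounded length, anchored with \A and \z (not $, which tolerates a
# trailing newline). This rejects NUL bytes, slashes, dots and file names
# such as "index.cgi" in one check, and the resolved path is then joined
# under $pages_dir rather than built from user-controlled text.
sub show_page_safe {
    my ($pageid) = @_;
    return "bad id" unless defined $pageid && $pageid =~ /\A[0-9]{1,6}\z/;
    my $path = File::Spec->catfile($pages_dir, "$pageid.html");
    open(my $fh, '<', $path) or return "not found";
    local $/; my $body = <$fh>; close $fh;
    return $body;
}

print "Content-type: text/plain\n\n";
print show_page_safe(get_pageid($ENV{QUERY_STRING}));
```

Recent Perl releases refuse a pathname containing a NUL in open() and fail the call instead of truncating, but the allow-list is still what stops traversal and arbitrary file names, and logging requests whose decoded parameters contain a NUL byte is a cheap detection for this probe.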