poison null byte
Rank: Guest
Posted on 24-09-08 17:18
I am really getting mad about how to use this attack.
I tried my best but was not able to view the source code in which PHP or ASP or JSP was there;
it was only showing HTML code.

I tried all the combinations but was unable to use it.
Please help me with it... :)

RE: poison null byte
Rank: Guest
Posted on 24-09-08 17:30
Hi,
Firstly, were you talking about the basic web hacking mission? Perhaps you should have posted this thread in the correct forum...

I also had trouble with this. Read the article on Wikipedia about the poison null byte, as it gave me the best information on it. Otherwise you can PM me what your specific questions are and where you are stuck.


RE: poison null byte
Author: Uber0n
Posts: 1963
Location: Sweden
Joined: 13.06.06
Rank: Hacker Level 3
Posted on 24-09-08 20:50
If you mean that you're targeting a website (or preferably your own server), then you must understand that it won't work unless the target is vulnerable.

This should be pretty obvious though :P


RE: poison null byte
Rank: Guest
Posted on 25-09-08 00:14
Is there any chance that someone who is proficient at PHP
would post an example of a script that is vulnerable to
the poison null byte attack?


RE: poison null byte
Rank: Guest
Posted on 25-09-08 00:45
Code

<?php
include($_GET['page'].".php");
?>





There you go...LFI vulnerability that would be exploited based on using a null byte.
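
Added example, not part of the original thread or any poster's code: the snippet above builds an include path from raw request input, so the fix is to stop deriving paths from that input at all. A hardened version, assuming a hypothetical `pages/` directory and hypothetical page names:

```php
<?php
// Added example, not code from the thread. Hardened form of
//   include($_GET['page'] . ".php");
// The page names and the pages/ directory below are assumptions.

const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: request value => file on disk. User input never becomes a path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a request value to an absolute include path, or null if refused.
 */
function resolve_page($requested): ?string
{
    // ?page[]=x arrives as an array; only plain strings are accepted.
    if (!is_string($requested)) {
        return null;
    }
    // Refuse NUL outright: on PHP builds that hand the string unchanged to
    // C file APIs, reading stops at the first NUL and the ".php" is dropped.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must sit inside PAGES_DIR.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

Logging each refused value, NUL-containing ones in particular, gives a cheap signal that someone is probing the parameter.
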
RE: poison null byte
Rank: Guest
Posted on 25-09-08 01:00
Dude, poison null byte is really easy and fun. My college is extremely vulnerable to this. I am not going to tell you what school I go to, but you'll know when you find a site vulnerable to poison null byte. I swear. My school has been more vulnerable to this attack beyond my imagination. It seriously devastated my college. No joke. PM if you want.


RE: poison null byte
Rank: Guest
Posted on 25-09-08 01:20
skathgh420 wrote:
My college is extremely vulnerable to this. I am not going to tell you what school I go to...

skathgh420 wrote:
It seriously devastated my college. No joke. PM if you want.

Am I the only one that read the post this way?


RE: poison null byte
Rank: Guest
Posted on 25-09-08 01:30
Zephyr_Pure wrote:
skathgh420 wrote:
My college is extremely vulnerable to this. I am not going to tell you what school I go to...

skathgh420 wrote:
It seriously devastated my college. No joke. PM if you want.

Am I the only one that read the post this way?


If you are implying that I did it you are soooo off track. I know what happened to that particular college that I go to. I also have a good understanding of what/how they did it. If he wants to PM about poison null byte he can. That's all. I am no expert about it but I know how it's done. That's all. :D


RE: poison null byte
Author: spyware
Posts: 4192
Joined: 14.04.07
Rank: God
Warn Level: 90
Posted on 25-09-08 01:30
Zephyr_Pure wrote:
Am I the only one that read the post this way?


No. There's also the other Zephyr_Pure's in endless alternative dimensions in which you happened to read this.

Oh, and I found it a bit weird too, yeah. I guess the cost of privacy is one pm now. Good thing my inbox is full.



RE: poison null byte
Rank: Guest
Posted on 25-09-08 01:37
skathgh420 wrote:
My college is extremely vulnerable to this. I am not going to tell you what school I go to...

skathgh420 wrote:
It seriously devastated my college. No joke. PM if you want.

skathgh420 wrote:
If you are implying that I did it you are soooo off track.

That wasn't what I was implying... as shown above again. Anyways, this topic is pretty much done; researching "poison null byte" will teach him how to do it, and vulnerable code has already been demonstrated. Nice of you to offer the PM option, though.

spyware wrote:
No. There's also the other Zephyr_Pure's in endless alternative dimensions in which you happened to read this.

I definitely gotta meet those guys! They must be so cool!




Edited by on 25-09-08 01:40
RE: poison null byte
Rank: Guest
Posted on 01-10-08 04:08
hacker2k wrote:
Code

<?php
include($_GET['page'].".php");
?>





There you go...LFI vulnerability that would be exploited based on using a null byte.



Okay. I wanted to test this out on my own server, so
I made this.

No matter what I try, I cannot view the source of PNB.php

Am I doing the attack wrong?
(I'm looking for the right word for 'doing' the attack, but can't
find it...)
Or is it that the attack does more than just let the attacker
view the source, and this is one of those cases?


RE: poison null byte
Rank: Guest
Posted on 01-10-08 04:16
s3klyma wrote:
No matter what I try, I cannot view the source of PNB.php
Or is it that the attack does more than just let the attacker
view the source, and this is one of those cases?

You're including the PHP file... when that is done, the PHP source is interpreted prior to the page becoming viewable (i.e., HTML sent to the browser). I'm sure others will come up with more / better uses for poison null byte attacks, but an example is using a vulnerable include field to bypass .htaccess restrictions. The only way I could see the PHP source being viewable is if you exploit a script that can echo the source or if you can breach the server admin account.


RE: poison null byte
Rank: Guest
Posted on 03-10-08 03:53
Zephyr_Pure wrote:
s3klyma wrote:
No matter what I try, I cannot view the source of PNB.php
Or is it that the attack does more than just let the attacker
view the source, and this is one of those cases?

You're including the PHP file... when that is done, the PHP source is interpreted prior to the page becoming viewable (i.e., HTML sent to the browser). I'm sure others will come up with more / better uses for poison null byte attacks, but an example is using a vulnerable include field to bypass .htaccess restrictions. The only way I could see the PHP source being viewable is if you exploit a script that can echo the source or if you can breach the server admin account.


Although I've never heard of such an attack, is it possible to
open the page such that the server interprets it as a different
type of file?

For example opening http://seklym4.t35.com/PNB.php as an
HTML or txt file



RE: poison null byte
Rank: Guest
Posted on 03-10-08 03:53
--Double post--




Edited by on 03-10-08 03:56
RE: poison null byte
Rank: Guest
Posted on 03-10-08 03:55
Triple post!!
SHIT!!




Edited by on 03-10-08 04:00
RE: poison null byte
Author: yours31f
Posts: 1678
Location: Dallas Texas
Joined: 27.04.07
Rank: Elite
Posted on 03-10-08 04:06
Do you use anything like Firebug, Greasemonkey, or any other editing add-on?
If so, disable them.

And as for all the posts, go in and edit them... and make sure to click the box that says, Delete this post.


RE: poison null byte
Rank: Guest
Posted on 03-10-08 04:08
s3klyma wrote:
Although I've never heard of such an attack, is it possible to
open the page such that the server interprets it as a different
type of file?

You would have to change the Content-Type and Content-Disposition headers when loading the file to interpret it as a different type. It might be possible to do this effectively with cURL, but I've never tried.


For example opening http://seklym4.t35.com/PNB.php as an
HTML or txt file

You would have to change the file type before the PHP is rendered server-side. ... That's not going to happen.


RE: poison null byte
Author: hawkster
Posts: 10
Location: Burbank and Irvine, California
Joined: 16.08.06
Rank: Guest
Posted on 14-10-08 21:16
Looking at the source code for the page you set up, the Poison NULL Byte attack isn't going to work anyway. The string has to be terminated with a null, though in the source the null comes right before the file extension.

If we put in "that" in your search box, the query will become (in a shortened version):

?answer=that

This becomes a problem since the ".php" extension is added after the query string is passed, so anything added to the text box will be placed before the ".php" extension. Trying to do the NULL byte attack would come out like this if we entered "that%00" in the textbox:

?answer=that%00

which would then be translated into the page "that%00.php" (a page that doesn't exist) when what you would really want for the attack would be "that.php%00" (the Poison NULL Byte attack itself).

The NULL byte has to come at the end and not in the middle :)

You have to fix the portion of the PHP code which gets the "answer" parameter so it doesn't add the ".php" extension to the end but forces the user to do it himself. Then, the attack *should* work since the null byte will be processed after the extension, though I can't say completely because I don't know if there is other code affecting the processing of the input. This also assumes the server is vulnerable; if it isn't, you're kind of shit-out-of-luck :D

~Hawk



Edited by hawkster on 14-10-08 21:22
RE: poison null byte
Rank: Guest
Posted on 14-10-08 21:29
The null byte aims to terminate the string prematurely (thus bypassing the default extension added). More info on the Poison Null Byte: http://insecure.o. . .P55-07.txt

So, basically, you bumped a week-old thread to be wrong? :P


RE: poison null byte
Author: hawkster
Posts: 10
Location: Burbank and Irvine, California
Joined: 16.08.06
Rank: Guest
Posted on 14-10-08 21:34
Zephyr_Pure wrote:
The null byte aims to terminate the string prematurely (thus bypassing the default extension added). More info on the Poison Null Byte: http://insecure.o. . .P55-07.txt

So, basically, you bumped a week-old thread to be wrong? :P


Hey, any jackass can bump a week-old thread to be right. :P

It takes a special jackass to bump a week-old thread to be wrong ;)

~Hawk



Edited by hawkster on 14-10-08 21:35