So, as many of you know, or may know, perhaps, Willhostforfood recently fell to what is known as null-byte injection. I'll explain what that is in a moment. Anyways, luckily, I figured eventually someone would do something like that to the site, so using null-byte injections myself, I decided to get the source for the pages just in case someone who hacked it decided to deface it… I know, this makes me out to be the hacker, but I did that so that the source would be readily available for the site owner if he wanted it.
Anyways, let's get to the more interesting part: stopping the nullbyte injections. There's plenty of ways. The most simple is as such:
/*Filename has been put into $fname*/
$fname = str_replace('%'.'',$fname);
That cuts out all %'s from the filename. Why you do that, I'll go over in a minute. That's what most sites tend to do. Just as well, you can use these two functions that I just thought up:
function nullcheck($str) {
$char = 1;
foreach(preg_split("//",$str) as $let) {
if(ord($let) == 0 && ($char > 0 && $char < strlen($str))) {
return $char;
}
$char++;
}
return false;
}
function nullcheckarr($str) {
$arr = array();
$char = 1;
foreach(preg_split("//",$str) as $let) {
if(ord($let) == 0 && ($char > 0 && $char < strlen($str))) {
$arr[] = $char;
}
$char++;
}
return ($arr)?$arr:false;
}
What these do is quite simple.
nullcheck() checks if there's an occurrence of the null byte anywhere between the beginning of the string (where there actually is a nullbyte by default,) and the end of the string (same.) If one is found, it returns the position of the nullbyte. So, assuming that, given the string "This is a ^string" and assuming that ^ is the nullbyte, nullcheck("This is a ^string") returns 11, whereas nullcheck("This is a string") returns false.
nullcheckarr() does the same thing, but returns an array of values corresponding to where each nullbyte is, excluding 0 and the end of it, so,
nullcheckarr("T^his^ is a ^string")
Returns an array with values as such:
Array: (
[0] => 1,
[1] => 5,
[2] => 12
)
Which can be iterated through using any method of looping, such as:
$nullarray = nullcheckarr("T^his^ is a ^string");
/*Method one: while()/do while() (same semantics, dfferent operating manner)*/
$i = 0;
while(++$i<=count($nullarray)) {
/* do something with $nullarray[$i]*/
}
/*Method two: for() */
for($i=0;$i<=count($nullarray);$i++) {
/* do something with $nullarray[$i]*/
}
/*Method three: foreach()*/
foreach($nullarray as $null) {
/*do something with $null/*
}
As such, you can assess if there are any null bytes in the string, and if so, how many, and where they are.
Now, to explain the mechanics of null byte injection.
Null byte injection consists of naming a file, say,
xploit.php
To something like,
xploit.php%00.bar
What does this do? Usually, PHP will parse that as:
xploit.php END OF STRING. That is, it will see .bar at the end, and upload it as such, but because of the nullbyte between php and the ., that is the end of the string to it, which means that the file is really xploit.php, and will be parsed on the server side as such.
It's quite a famous exploit, and many sites have fallen prey to it. So, if someone tries to upload a file to your server, you should check to see if there's either a nullbyte in it somewhere using a function similar to the ones I made, or see if %00 exists in it. If so, don't upload it, or change the nullbyte/%00 to something that is NOT harmless.
I think that about covers it for now.
~MahFreenAmeh [Security Consultant]~
P.S.:
<img src="
http://mfa.firephoenixnet.com/frac/500x500x10.png">
<img src="
http://mfa.firephoenixnet.com/gs/500x500.png">
<img src="
http://mfa.firephoenixnet.com/cs/500x500.png">
Di
ag
on
al
ly
ch
al
le
ng
ed
,w
ea
re
th
ei
ns
an
e!
Yay, nice generated images. Could you make some textures sometime?
Probably… Although I hate the fact that that has nothing to do with the rest of my blog. Haha.
Nice security tip, I'm an ass at security when making websites.
Weeeeeeee
I don't have a site to secure =D That really needs it <_<Meh…Ya,that was a sad guess I had made there
Your fractals are missing the greatness of evolving,need to reference the XY of the pixel(And make the RGB have a negative offset already…sheesh)Serpex: DAMN. I know, those damn fractals are getting quite annoying. I'm going to fix them after a while.
gml: Thanks. I'm intending to write more of these as I remember more flaws, whether they happen or not.So you were the one that saved the site? It's funny though because I would've had the source backed up but the FTP mysteriously changed one day and I could not log in to retrieve the files… well I was pretty relieved when Chiken said he finally got them back, so yeah. Thanks for hacking it and such.
@Aeron: I have nothing to do with the FTP changing. Haha. I don't mess with FTP servers, that's too much work for me. But I got the files previously , I saw it coming, et cetera, and you're welcome. Hahaha.
Ya,did you mention how he poorly has the maxupload size put right into the viewable source?
I hope you realize thats how it sort of HAS to be.
And don't think that is all that is there, there is both PHP configurations and code stuff that will stop you.