I made a bawrl.txt and a bawrl.html, gave them contents that identify their extension, and wrote this script:
Code:
#!/usr/bin/perl
print "Content-type: text/plain\n\n";
# Build the file name from the raw query string and append ".txt".
my $url=$ENV{"QUERY_STRING"}.".txt";
print "$url \n";
# Two-argument open with an attacker-controlled name: intentionally unsafe.
open (FILE ,"$url");
while (<FILE>) {
print $_;
}
This is meant to be vulnerable to poison null bytes.
Then I called it with this URL from Firefox:
Code:
127.0.0.1/cgi-bin/test.pl?bawrl.html%00
I was expecting that it would open bawrl.html, but it doesn't. What is also weird is that it outputs two different things when I call it twice in a row.
It either outputs this:
Code:
bawrl.html%00.txt
or this:
Code:
bawrl.html.txt
So sometimes it ignores the zero byte but adds what comes after it, and sometimes it does add the %00.
I'm a little confused, can someone tell me what is going on, please?
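An added example, not code from the post above: the CGI interface hands QUERY_STRING to the script still percent-encoded, and the Perl script never decodes it, so the name it builds is the literal text "bawrl.html%00.txt" with four ordinary characters "%00" and no zero byte in it at all. The poison null byte only does its work once "%00" has been decoded to a real 0x00 and that byte reaches a C-style API, which treats it as the end of the string. The C program below (its functions and the constructed inputs are assumptions for illustration) decodes the query string the way a real CGI would, appends ".txt" exactly like the script, and shows what the operating system would see: the ".txt" suffix is silently dropped. It also carries the check the script lacks, rejecting a decoded value that contains an embedded NUL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Percent-decode src into dst (dst needs strlen(src)+1 bytes).
 * Returns the true decoded length, which keeps counting past an
 * embedded NUL; strlen() on the result would stop at that NUL. */
size_t url_decode(const char *src, unsigned char *dst) {
    size_t n = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (src[i] == '%' && isxdigit((unsigned char)src[i + 1])
                          && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[n++] = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        } else if (src[i] == '+') {
            dst[n++] = ' ';
        } else {
            dst[n++] = (unsigned char)src[i];
        }
    }
    dst[n] = '\0';
    return n;
}

/* Mimic the script: decode the query, append ".txt", and report the
 * path the OS would actually open (the C string up to the first NUL).
 * With reject_nul set, a decoded value containing 0x00 is refused.
 * Returns 1 and fills out on success, 0 if the request is rejected. */
int resolve_target(const char *query, int reject_nul, char *out, size_t outsz) {
    unsigned char decoded[256];
    char path[sizeof decoded + 5];          /* room for ".txt" and NUL */

    if (strlen(query) >= sizeof decoded)
        return 0;                           /* too long; refuse */

    size_t declen = url_decode(query, decoded);

    /* Hardened variant: memchr scans the real length, not strlen(). */
    if (reject_nul && memchr(decoded, '\0', declen) != NULL)
        return 0;

    /* What the script believes it built: all declen bytes plus ".txt". */
    memcpy(path, decoded, declen);
    memcpy(path + declen, ".txt", 5);       /* copies the terminating NUL too */

    /* What open()/fopen() receive: a C string, cut at the first NUL. */
    size_t seen = strlen(path);
    if (seen >= outsz)
        return 0;
    memcpy(out, path, seen + 1);
    return 1;
}

int main(void) {
    /* Constructed inputs: a benign name and the poisoned one from the post. */
    const char *queries[] = { "bawrl", "bawrl.html%00" };
    char out[300];

    for (size_t i = 0; i < sizeof queries / sizeof queries[0]; i++) {
        for (int harden = 0; harden <= 1; harden++) {
            if (resolve_target(queries[i], harden, out, sizeof out))
                printf("%-16s harden=%d -> opens \"%s\"\n", queries[i], harden, out);
            else
                printf("%-16s harden=%d -> rejected\n", queries[i], harden);
        }
    }
    return 0;
}
```

With the unhardened path, "bawrl.html%00" resolves to "bawrl.html": the appended ".txt" still sits in the buffer, but nothing after the NUL is ever passed to the kernel. The hardened path rejects it before any file is touched. Whether an undecoded Perl string containing a real NUL even reaches open() also depends on the interpreter; newer Perl releases refuse to pass a pathname with an embedded NUL to the operating system, so a test of this bug has to check both the decoding step and the Perl version in use.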

