> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/bypass/filesystem/trick-0100.md).

# File Download Filter Bypass (Null Byte)

***

When a web application filters file downloads based on extension but uses a function susceptible to null byte truncation (e.g., certain string-to-filesystem API interactions), you can bypass the filter. Append a null byte (`%00` URL-encoded) and a *permitted* extension after the target file name. The application validates that the supplied file path ends with an allowed file extension, such as `.png` or `.jpg`. However, it uses a vulnerable file-handling API that is susceptible to null byte poisoning. The filter checks the string *including* the permitted extension, but the underlying system function might process only the part of the string *before* the null byte, effectively referencing the original, restricted file. For example, if the application checks that the string `/etc/passwd%00.png` ends with `.png`, the underlying file-handling API receives the string and processes it only up to the null byte, opening the file `/etc/passwd`.

This technique leverages how certain functions or APIs treat the null byte (`\0`) as a string terminator. While the application-level check sees the full string including the allowed extension, the system call to open or read the file might stop processing the filename string at the null byte. This vulnerability is often dependent on the specific file-handling functions used by the application, particularly those in languages or libraries that historically treated null bytes as string terminators, such as older versions of PHP.

For instance, to download `debugpassword.py` when only `.txt` is allowed:

```bash
curl http://10.10.85.113:7777/cloud -X POST -d 'download=debugpassword.py%00.txt'
```

A common demonstration involves accessing system files like `/etc/passwd` when only image extensions are allowed. The payload would be constructed as the target file path, followed by `%00`, followed by an allowed extension:

```
/etc/passwd%00.png
```

or

```
/etc/passwd%00.jpg
```

Combined with directory traversal, one might attempt to access a file like this when only `.pdf` files are permitted:

```
../../../../etc/passwd%00.test.pdf
```

This approach allows bypassing the extension filter by providing a filename that appears valid to the filter but is truncated by the underlying file system function, pointing to the intended target file.
