Using Null Bytes is an injection technique where URL-encoded representation such as %00 or 0x00 in hex with user-supplied data to terminate strings (disregarding whatever comes after the Null Byte.
By adding the Null Byte at the end of the payload, we tell the include function to ignore anything after Null Byte which may look like:
include("languages/../../../../../etc/passwd%00").".php");Effectively making the function call to be:
include("languages/../../../../../etc/passwd");[!tip] TheÂ
%00 trick has been fixed in PHP 5.3.4