Windows short filenames causes Discuz database backup file leakage.
Only applicable to DZ running under apache in windows!
Not only does DZ have this problem.
Before reading the details, please go to learn more about the Windows short filenames vulnerability!
First, all the children's shoes that know DZ know about. DZ's backup directory file name.
/Fourmdata/backup/or/data/backup/
After the backup is successful, it will not be under the default backup. A new folder will be generated.
The naming rule is backup_6 random digits _ 6 random letters/
Then let's count
Backup
Six. Kids shoes. What have you found?
Short File Name Vulnerability.
The folder names can be accessed in this way.
Backup ~ 1/
Backup ~ 2/
Backup ~ 3/
Haha. Let's take a look at the naming rules for backup files.
110702_XNf2rv-1. SQL
Date_6-bit random number-1. SQL
We wrote a small dictionary and ran it out...
It's exactly 6 characters... Haha... we use the following file name to access
110702 ~ 1. SQL
The backed up database file is out.
The vulnerability has ended.
More ways to use them
I think of him as a DZ vulnerability, which is far-fetched. However, if the DZ backup rules do not, this problem will not exist.
There are still many similar programs.
Proof of vulnerability:
Before reading the details, please go to learn more about the Windows short filenames vulnerability!
Solution:
Modify the backup file name rules.