Before writing this up I downloaded a lot of CMS packages and ran a lot of experiments. Most of the affected products have already been reported on WooYun to vendors registered there, including Ecshop, PHPwind, 74CMS and others. I am posting it here partly so that nobody can keep using it to farm rank and bounties, and partly so that CMS developers take this design flaw into account. The power went out halfway through writing; luckily I had the sense to draft it in Word first.
0x00 Overview. What do we mean by a design flaw here? First, the damage it can cause: database backups, logs and other text a CMS writes to disk can be leaked easily, which is serious. The design flaw itself is that the vendor, when developing the CMS, did not consider the special case of Windows short file names (8.3 names). As a result, the database backups the CMS produces, the logs it generates, and other text or image files it saves for users can be enumerated easily through their short file names, even when the long names contain timestamps or random parts that look unguessable. So what is a short file name? Read on.
0x01 What is a short file name? On Windows, if a file's base name is longer than 8 characters (or its extension is longer than 3 characters, or the name contains a space), the file system also gives it a short 8.3 name, and the file can be opened through that short name, so a user does not need to type the full long name to reach it. Whether short names are generated at all depends on the volume's 8dot3name setting (query it with fsutil 8dot3name query <volume>); since Windows 8 and Windows Server 2012 it is enabled by default only on the system volume, which is the first thing to check on a target. Now an experiment. Suppose a CMS names its logs a_<timestamp>_b.log, for example: a_201303030125_b.log, a_201405061332_b.log, a_201206301516_b.log. Create these three log files in a directory on disk, open CMD, change into that directory and run dir /x. The listing shows an extra column of names containing "~": those are the short file names.
From this it follows that if we want to access these three log files, the average person might say "brute-force the timestamp", but there is no need: we can access them directly through the short names, and the mapping is: a_201303030125_b.log ----> A_2013~1.LOG, a_201405061332_b.log ----> A_2014~1.LOG, a_201206301516_b.log ----> A_2012~1.LOG. Only the first six characters of the long name survive, so the whole 12-digit timestamp collapses to the year, and enumerating the year is enough to walk through the logs. What if all the logs are from the same year? Let us do another experiment and put them all in one year:
a_201303030125_b.log ----> A_2013~1.LOG, a_201305050106_b.log ----> A_2013~4.LOG, a_201305061332_b.log ----> A_2013~3.LOG, a_201306301514_b.log ----> A_2013~2.LOG. So files whose first six characters collide can be reached as ~1, ~2, ~3, ~4 and so on. Note that the number after "~" is assigned in the order the files were created, not in alphabetical or date order, which is why ~4 here is not the latest log. As for why the names look like this, the most useful summary I found on Baidu is:
1. A long file name that already conforms to the DOS 8.3 rules is left unchanged.
2. Spaces in a long file name are removed from the short file name.
3. After removing spaces, if the base name is longer than 8 characters, the first 6 characters are kept and the rest is replaced by "~#", where "#" is a number; files whose first six characters are the same get consecutive numbers. If the number exceeds 10, the first 5 characters are kept and the rest is replaced by "~##", where "##" is a two-digit number, and if the number exceeds 100 the same rule applies again.
4. When the long file name contains several ".", the leftmost segment is converted into the short base name and the first three characters of the rightmost segment become the extension.
One practical caveat: on NTFS, rule 3 only holds for the first four collisions; from the fifth file on, Windows replaces part of the base name with a four-character hash before the "~#" part, so ~1 to ~4 are the only reliable guesses for a given six-character prefix. There is more to know about short file names, but that is not the focus here.
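To make the rules above concrete, the following is an added example (not code from the article) that models the short-name generation rule the article quotes and then turns a CMS file-naming pattern into the list of short names an attacker would request. It is an assumption that the simplified rule (first six characters plus ~N, with creation-order numbering) is what applies; real NTFS switches to a hash-based form after the fourth collision, so the candidate generator stops at ~4 by default. The directory listing it processes is constructed for the example.

```python
"""Model of the Windows 8.3 short-name rule described in the article, plus a
candidate generator for guessing the short names of a CMS's log or backup
files. Added example, not the article's code. It implements the simplified
rule the article quotes (first six characters plus ~N); this is an
assumption, since real NTFS uses a hash-based form after the fourth
collision, so only ~1 to ~4 are reliable guesses."""

from typing import Dict, Iterable, List

# Characters that disqualify a name from being a valid 8.3 name and are
# dropped when the short name is generated (space is the common one).
_DROPPED = set(' +,;=[]')


def _split(long_name: str):
    """Base name and extension following the article's rule 4: the leftmost
    dot-separated segment is the base, the rightmost one the extension."""
    parts = long_name.split('.')
    if len(parts) == 1:
        return parts[0], ''
    return parts[0], parts[-1]


def needs_short_name(long_name: str) -> bool:
    """Rule 1: a name that already fits 8.3 is kept as-is."""
    base, ext = _split(long_name)
    return not (len(base) <= 8 and len(ext) <= 3 and long_name.count('.') <= 1
                and not any(c in _DROPPED for c in long_name))


def short_name(long_name: str, taken: Dict[str, str]) -> str:
    """Return the 8.3 name for long_name. `taken` maps short names already
    assigned in this directory to their long names and is updated, so calling
    this in creation order reproduces the ~1, ~2, ... numbering."""
    if not needs_short_name(long_name):
        name = long_name.upper()
        taken[name] = long_name
        return name
    base, ext = _split(long_name)
    base = ''.join(c for c in base if c not in _DROPPED).upper()
    ext = ''.join(c for c in ext if c not in _DROPPED).upper()[:3]
    n = 1
    while True:
        # Rule 3 as the article states it: six characters plus ~N, and five
        # characters plus ~NN once N reaches 10.
        stem = base[:6] + '~' + str(n) if n < 10 else base[:5] + '~' + str(n)
        name = stem + ('.' + ext if ext else '')
        if name not in taken:
            taken[name] = long_name
            return name
        n += 1


def candidates(prefix: str, ext: str, years: Iterable[int],
               max_n: int = 4) -> List[str]:
    """Short names worth requesting for files named <prefix><YYYY...>.<ext>,
    e.g. prefix 'a_' gives A_2013~1.LOG .. A_2013~4.LOG for 2013. Only the
    first six characters of the base survive, so a long prefix such as
    'backup_' hides the year entirely and leaves a single BACKUP~N set."""
    out: List[str] = []
    for year in years:
        stem = (prefix + str(year)).upper()[:6]
        for n in range(1, max_n + 1):
            name = f"{stem}~{n}.{ext.upper()[:3]}"
            if name not in out:
                out.append(name)
    return out


if __name__ == '__main__':
    # Constructed sample directory, listed in creation order.
    taken: Dict[str, str] = {}
    for long in ['a_201303030125_b.log', 'a_201305050106_b.log',
                 'a_201405061332_b.log', 'a_201206301516_b.log']:
        print(f'{long:24} -> {short_name(long, taken)}')
    print(candidates('a_', 'log', range(2012, 2015)))
```

Running the script reproduces the mapping from the experiment above (A_2013~1.LOG, A_2013~2.LOG, A_2014~1.LOG, A_2012~1.LOG) and prints twelve candidate names covering 2012 to 2014, which is the entire search space an attacker has to try for that naming scheme. The same generator shows why a prefix like backup_ is worse than it looks: every backup collapses to BACKUP~1.SQL through BACKUP~4.SQL regardless of the timestamp.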