The Phoenix mobile game network SQL blind injection vulnerability

2013-04-01T00:00:00
ID MYHACK58:62201338068
Type myhack58
Reporter Anonymous
Modified 2013-04-01T00:00:00

Description

Brief description:

On the Phoenix mobile game network, the form where a user fills in a phone number to have a link pushed to it is vulnerable to blind SQL injection.

Detailed description:

URL with the blind SQL injection: fenghuang/game/game_send_sms.jsp?gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1

Vulnerability proof:

Enumerating the databases:

The mysql system database is visible, so the database account the application uses appears to have very high privileges.

Repair solutions:

Filter the input.
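
A sketch of that fix for the gameid parameter, as an added example that is not part of the original advisory or the site's code. It goes beyond filtering by also binding the value as a query parameter. Assumptions: an in-memory SQLite database stands in for the site's MySQL, the games table and its columns are hypothetical, and sleep() is registered as a function that records calls instead of delaying.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Query string of the request shown in the advisory.
REPORTED_QUERY = "gameid=130221346000%27%20and%20sleep%282%29%3d%27&mo=1"
# Assumption: a legitimate gameid is a short run of ASCII digits.
GAMEID_RE = re.compile(r"[0-9]{1,20}")


def make_db():
    """In-memory SQLite stand-in for the site's MySQL; schema is hypothetical."""
    conn = sqlite3.connect(":memory:")
    sleep_calls = []
    # SQLite has no sleep(); register one that records calls instead of delaying,
    # so the caller can see whether request data was executed as SQL.
    conn.create_function("sleep", 1, lambda secs: sleep_calls.append(secs) or 0)
    conn.execute("CREATE TABLE games (gameid TEXT PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO games VALUES ('130221346000', 'constructed row')")
    return conn, sleep_calls


def lookup_concatenated(conn, gameid):
    """Flawed pattern: the parameter is spliced into the statement text."""
    sql = "SELECT name FROM games WHERE gameid = '" + gameid + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, gameid, validate=True):
    """Allow-list filter first, then a bound parameter that is never parsed as SQL."""
    if validate and not GAMEID_RE.fullmatch(gameid):
        raise ValueError("gameid must contain digits only")
    return conn.execute("SELECT name FROM games WHERE gameid = ?", (gameid,)).fetchall()


if __name__ == "__main__":
    reported = parse_qs(REPORTED_QUERY)["gameid"][0]
    conn, calls = make_db()
    lookup_concatenated(conn, reported)
    print("sleep() calls with concatenation:", len(calls))
    conn, calls = make_db()
    lookup_hardened(conn, reported, validate=False)
    print("sleep() calls with binding only:", len(calls))
    try:
        lookup_hardened(conn, reported)
    except ValueError as err:
        print("filter rejected request:", err)
```

The digits-only pattern uses [0-9] rather than \d so that non-ASCII digit characters are rejected as well.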