注入点:http://api.mix.guohead.com/stats_app_activity.php?spid=a85a279e38364d17&client=1&gh_ver=2.0.5&app_pkg=com.ejiuwu.qpbuyu&app_ver=3.2.2&mac=020000000000&open_udid=8ec4d374f19ec87dfd632d448e6e30e42616c9f8&pmodel=iPhone7,2&wifi=1&adid=B494BDA4-C71A-44F9-A858-AC2891C230E4&is_ad_track_enabled=1&vendor_id=F469C05D-BC41-481B-ABB1-8B330ACB180B&width=568.000000&height=320.000000&os_lang=zh_CN&os_ver=8.1.2&jailbreak=1&app_dev_fml=1,2&a1=misd&a2=assertiond&a3=discoveryd&a4=fairplayd.H2&a5=cfprefsd&a6=seld&a7=discoveryd_helpe&a8=passd&a9=biometrickitd&a10=nfcd&a11=searchd&a12=nsurlsessiond&a13=InCallService&a14=bird&a15=MobileSMS&a16=ReportCrash&a17=cloudphotod&a18=cloudd&a19=coreduetd&a20=assistant_servic&a21=nsurlstoraged&a22=pkd&a23=QQ&a24=coreauthd&a25=DuetHeuristic-BM&a26=WirelessRadioMan&a27=awdd&a28=CoreAuthUI&a29=lsuseractivityd&a30=MicroMessenger&a31=rtcreportingd&a32=coresymbolicatio&a33=diagnosticd&a34=com.apple.sbd&a35=absd&a36=misagent&a37=pipelined&a38=IMDPersistenceAg&a39=CacheDeleteDaily&a40=com.apple.lakitu&a41=vvebo&a42=%C3%82%C3%A7%C3%89%C3%81%C3%87%C3%86%C3%8A%C3%A7%C3%AF%C3%88%C2%B1%C2%BA&a43=Preferences&a44=nehelper&a45=MobileSafari&a46=com.apple.WebKit&a47=com.apple.WebKit&a48=qpbuyu&a49=gamecontrollerd&a50=ReportCrash&a51=xpcproxy&initial=1
找到一个登录的地址,http://www.guohead.com/admin/login
注入出来的内容
密码破不了,不然可以进一步渗透
利用上面爆出来的帐号密码可登录后台。。