WooYun.org

先看了下主站感觉没啥大漏洞，
然后扫了下域名得知 beilou.com 是其前生，然后扫描端口
Starting Nmap 6.46 ( http://nmap.org ) at 2015-05-17 22:37 CST
Nmap scan report for beilou.com (182.92.111.61)
Host is up (0.013s latency).
Not shown: 978 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
901/tcp filtered samba-swat
1068/tcp filtered instl_bootc
3128/tcp filtered squid-http
4444/tcp filtered krb524
5666/tcp open nrpe
5800/tcp filtered vnc-http
5900/tcp filtered vnc
6129/tcp filtered unknown
6667/tcp filtered irc
8009/tcp open ajp13
8010/tcp open xmpp
8081/tcp open blackice-icecap
8090/tcp open unknown
8100/tcp open xprint-server
8200/tcp open trivnet1
9001/tcp open tor-orport
duang~ duang~ 其中8081是gitlab的地址 然后发现8090和8010竟然不需要认证
如下所示：

这个促销系统做的还挺不错的

iOS设备的推送系统
一般这种站，可能就不怎么严密估计有sql注入漏洞，果然就有一个
POST /red_packet/list HTTP/1.1
Host: monitor.beilou.com:8010
Content-Length: 15
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://monitor.beilou.com:8010
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://monitor.beilou.com:8010/html/red_packet/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: request_method=GET; _gitlab_session=d14a5da0f1dc414332f62d942b315172; JSESSIONID=8817444C85A594E71289965295F21805
condition=12323
这个condition就是可以注入的，然后上sqlmap跑一下

跑出了数据库
然后在跑一些数据吧 : )
database management system users [1]:
[*] 'beilouguest'@'%'

用户表

还有一些订单信息
然后根据信息进入了后台。。。
-------------好了不继续了，不然要被请喝茶了------