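### Brief description:
phpok enterprise website-building system (unauthorized modification of any user's shipping address)
### Detailed description:
1. Go to the shipping address page in the user center, add an address, then edit it and capture the request.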
[<img src="https://images.seebug.org/upload/201511/092001035597bd02eabd786a7b223f50d2f42e96.png" alt="·1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201511/092001035597bd02eabd786a7b223f50d2f42e96.png)
2. The address id is 23.
[<img src="https://images.seebug.org/upload/201511/092002169cefa0a7285ab07de0090775b6df3ea2.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201511/092002169cefa0a7285ab07de0090775b6df3ea2.png)
3. Log in to account two and do the same.
[<img src="https://images.seebug.org/upload/201511/09200442cec4f897c2adfd70619258ff7da50c6e.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201511/09200442cec4f897c2adfd70619258ff7da50c6e.jpg)
[<img src="https://images.seebug.org/upload/201511/092004474e828c630ac33ccecdd6287326e53cbf.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201511/092004474e828c630ac33ccecdd6287326e53cbf.png)
4. In account one's captured request, change it to account two's.
[<img src="https://images.seebug.org/upload/201511/092006160a465197cf7e48f63e04752d9c658c73.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201511/092006160a465197cf7e48f63e04752d9c658c73.png)
5. The modification succeeds.
[<img src="https://images.seebug.org/upload/201511/0920063754939738cf5f2b22ea26d1a08003f88b.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201511/0920063754939738cf5f2b22ea26d1a08003f88b.png)
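Tested with two computers on the same LAN, hehe.
### Proof of vulnerability:
1. Go to the shipping address page in the user center, add an address, then edit it and capture the request.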
[<img src="https://images.seebug.org/upload/201511/092001035597bd02eabd786a7b223f50d2f42e96.png" alt="·1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201511/092001035597bd02eabd786a7b223f50d2f42e96.png)
2. The address id is 23.
[<img src="https://images.seebug.org/upload/201511/092002169cefa0a7285ab07de0090775b6df3ea2.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201511/092002169cefa0a7285ab07de0090775b6df3ea2.png)
3. Log in to account two and do the same.
[<img src="https://images.seebug.org/upload/201511/09200442cec4f897c2adfd70619258ff7da50c6e.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201511/09200442cec4f897c2adfd70619258ff7da50c6e.jpg)
[<img src="https://images.seebug.org/upload/201511/092004474e828c630ac33ccecdd6287326e53cbf.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201511/092004474e828c630ac33ccecdd6287326e53cbf.png)
4. In account one's captured request, change it to account two's.
[<img src="https://images.seebug.org/upload/201511/092006160a465197cf7e48f63e04752d9c658c73.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201511/092006160a465197cf7e48f63e04752d9c658c73.png)
5. The modification succeeds.
[<img src="https://images.seebug.org/upload/201511/0920063754939738cf5f2b22ea26d1a08003f88b.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201511/0920063754939738cf5f2b22ea26d1a08003f88b.png)
Tested with two computers on the same LAN, hehe.
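
The steps above succeed when the address update is keyed only on an id taken from the request. The following is an added example, not phpok's own code, showing that pattern beside a version that binds the update to the session's user. The table, column and function names, the sample rows (including id 24) and the use of an in-memory SQLite database through `pdo_sqlite` are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical schema and function names, not phpok's code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE address (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, detail TEXT NOT NULL)');
// Constructed sample rows: address 23 belongs to account one, address 24 to account two.
$db->exec("INSERT INTO address (id, user_id, detail) VALUES (23, 1, 'account one'), (24, 2, 'account two')");

// Vulnerable pattern: the row is selected by the client-supplied id alone,
// so the logged-in user's identity plays no part in the update.
function updateAddressUnchecked(PDO $db, int $id, string $detail): bool
{
    $stmt = $db->prepare('UPDATE address SET detail = :detail WHERE id = :id');
    $stmt->execute([':detail' => $detail, ':id' => $id]);
    return $stmt->rowCount() === 1;
}

// Hardened pattern: the owner is taken from the server-side session, never
// from the request, and is part of the WHERE clause.
function updateAddressOwned(PDO $db, int $sessionUserId, int $id, string $detail): bool
{
    $stmt = $db->prepare('UPDATE address SET detail = :detail WHERE id = :id AND user_id = :uid');
    $stmt->execute([':detail' => $detail, ':id' => $id, ':uid' => $sessionUserId]);
    return $stmt->rowCount() === 1; // false: row missing or owned by someone else
}

function detailOf(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT detail FROM address WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Account one's session submits an edit whose id was changed from 23 to 24.
$sessionUserId = 1;
var_dump(updateAddressUnchecked($db, 24, 'edited from account one'));
echo detailOf($db, 24), PHP_EOL;
$db->exec("UPDATE address SET detail = 'account two' WHERE id = 24"); // restore the sample row
var_dump(updateAddressOwned($db, $sessionUserId, 24, 'edited from account one'));
echo detailOf($db, 24), PHP_EOL;
var_dump(updateAddressOwned($db, $sessionUserId, 23, 'account one, new address'));
echo detailOf($db, 23), PHP_EOL;
```

A rejected update in the hardened path is also a useful detection signal: an authenticated request naming an address id that belongs to another account is worth logging with the session user and the requested id.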