VULHUB ™

### 简要描述： 某网店系统存在越权漏洞(任意用户信息修改) ### 详细说明： 账号 A id=375 [<img src="https://images.seebug.org/upload/201504/062353303367186febdd18e8b3712b8f7830be05.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/062353303367186febdd18e8b3712b8f7830be05.jpg) 账号 B id=376 [<img src="https://images.seebug.org/upload/201504/062353381efab2ff28593f6fd9d2dae027f188d3.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/062353381efab2ff28593f6fd9d2dae027f188d3.jpg) 越权修改账号a的信息 [<img src="https://images.seebug.org/upload/201504/062353574ce16197f0975a7272e39bb763877a4d.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/062353574ce16197f0975a7272e39bb763877a4d.jpg) 成功修改 [<img src="https://images.seebug.org/upload/201504/062354065cfdd02e30026448e07a3660d4ebcacf.jpg" alt="4.jpg" width="600"...

### 简要描述： 某网店系统存在越权漏洞(任意用户信息修改) ### 详细说明： 账号 A id=375 [<img src="https://images.seebug.org/upload/201504/062353303367186febdd18e8b3712b8f7830be05.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/062353303367186febdd18e8b3712b8f7830be05.jpg) 账号 B id=376 [<img src="https://images.seebug.org/upload/201504/062353381efab2ff28593f6fd9d2dae027f188d3.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/062353381efab2ff28593f6fd9d2dae027f188d3.jpg) 越权修改账号a的信息 [<img src="https://images.seebug.org/upload/201504/062353574ce16197f0975a7272e39bb763877a4d.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/062353574ce16197f0975a7272e39bb763877a4d.jpg) 成功修改 [<img src="https://images.seebug.org/upload/201504/062354065cfdd02e30026448e07a3660d4ebcacf.jpg" alt="4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/062354065cfdd02e30026448e07a3660d4ebcacf.jpg) demo演示站点呢 一样可以修改收货地址 账号A id=362 [<img src="https://images.seebug.org/upload/201504/0700005128c3e57db682460c6ec04fbc15dd9a1c.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/0700005128c3e57db682460c6ec04fbc15dd9a1c.jpg) 账号B id=363 [<img src="https://images.seebug.org/upload/201504/07000058fd624e353d682fc05a6b2efead0a6338.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/07000058fd624e353d682fc05a6b2efead0a6338.jpg) 越权修改id是362的信息 [<img src="https://images.seebug.org/upload/201504/07000113963a3f9be0dfdf79eebf8601f98cc710.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/07000113963a3f9be0dfdf79eebf8601f98cc710.jpg) 成功修改 [<img src="https://images.seebug.org/upload/201504/07000122655bc35e6ff0b84171ebe0565344b265.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/07000122655bc35e6ff0b84171ebe0565344b265.png) ok； ### 漏洞证明： 账号 A id=375 [<img src="https://images.seebug.org/upload/201504/062353303367186febdd18e8b3712b8f7830be05.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/062353303367186febdd18e8b3712b8f7830be05.jpg) 账号 B id=376 [<img src="https://images.seebug.org/upload/201504/062353381efab2ff28593f6fd9d2dae027f188d3.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/062353381efab2ff28593f6fd9d2dae027f188d3.jpg) 越权修改账号a的信息 [<img src="https://images.seebug.org/upload/201504/062353574ce16197f0975a7272e39bb763877a4d.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/062353574ce16197f0975a7272e39bb763877a4d.jpg) 成功修改 [<img src="https://images.seebug.org/upload/201504/062354065cfdd02e30026448e07a3660d4ebcacf.jpg" alt="4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/062354065cfdd02e30026448e07a3660d4ebcacf.jpg) demo演示站点呢 一样可以修改收货地址 账号A id=362 [<img src="https://images.seebug.org/upload/201504/0700005128c3e57db682460c6ec04fbc15dd9a1c.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/0700005128c3e57db682460c6ec04fbc15dd9a1c.jpg) 账号B id=363 [<img src="https://images.seebug.org/upload/201504/07000058fd624e353d682fc05a6b2efead0a6338.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/07000058fd624e353d682fc05a6b2efead0a6338.jpg) 越权修改id是362的信息 [<img src="https://images.seebug.org/upload/201504/07000113963a3f9be0dfdf79eebf8601f98cc710.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/07000113963a3f9be0dfdf79eebf8601f98cc710.jpg) 成功修改 [<img src="https://images.seebug.org/upload/201504/07000122655bc35e6ff0b84171ebe0565344b265.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/07000122655bc35e6ff0b84171ebe0565344b265.png) ok；