Phpyun design defects can be paid by other account money, clear other account money to 0

Source: Internet
Author: User

Phpyun design defects can be paid by other account money, clear other account money to 0

When processing the order, the background directly obtains the uid in the cookie. This uid can be forged into another person's uid, resulting in payment by another person's money.
After testing, although you cannot earn the points successfully paid, you can deduct others' account balance.

Vulnerability file \ api \ tenpay \ index. php:

 

$ SQL = $ db-> query ("select * from '". $ db_config ["def"]. "company_order 'where' order _ id' = '$ _ POST [dingdan]'"); $ row = mysql_fetch_array ($ SQL ); // obtain the order price by Order Number $ userid = (int) $ _ COOKIE ['uid']; // obtain the uid in the cookie, this uid can be forged into another user's uid !!!! If ($ _ POST ['balance '] & $ userid) {$ c_ SQL = $ db-> query ("select 'pay' from '". $ db_config ["def"]. "company_statis 'where' uid' = '". $ userid. "'"); // read others' account balance using a forged uid $ company_statis = mysql_fetch_array ($ c_ SQL ); if ($ company_statis ['pae']> = $ row ['order _ price']) {// if the account balance is greater than the payment amount $ up_ SQL = $ db-> query ("Update '". $ db_config ["def"]. "company_statis 'set 'pay' = 'pay '-'". $ row ['order _ price']. "'where' uid' = '". $ userid. "'"); // use a forged uid to pay for mysql_fetch_array ($ up_ SQL); $ up_order = $ db-> query ("Update '". $ db_config ["def"]. "company_order 'set' order _ price' = '0 '". $ invoice_title. "where 'order _ id' = '". $ row ['order _ id']. "'"); mysql_fetch_array ($ up_order); $ price = $ row ['order _ price'];} else {// if the account balance is less than the payment amount $ price = $ company_statis ['pay']; $ up_ SQL = $ db-> query ("Update '". $ db_config ["def"]. "company_statis 'set' pay' = '0' where 'uid' = '". $ userid. "'"); // directly clear the account balance bit 0 $ up_ SQL _status = mysql_fetch_array ($ up_ SQL); $ up_order = $ db-> query ("Update '". $ db_config ["def"]. "company_order 'set' order _ price' = 'order _ price '-'". $ price. "'". $ invoice_title. "where 'order _ id' = '". $ row ['order _ id']. "'"); mysql_fetch_array ($ up_order );}

Test process:

Register an account test2 with a sufficient balance of 100:

 



Register an account test5 and submit an order:
 

 



During payment, change the uid in the cookie to the uid of test2:
 



Payment successful through test2:
 







If the account balance is less than the payment amount, the account balance will be reset to 0, test5 submit an order with a high price for test2 to pay

Change uid to test2 when the packet is captured.





Consumption record of test2:

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.