Phpyun design defects can be paid by other account money, clear other account money to 0

Phpyun design defects can be paid by other account money, clear other account money to 0

When processing the order, the background directly obtains the uid in the cookie. This uid can be forged into another person's uid, resulting in payment by another person's money.
After testing, although you cannot earn the points successfully paid, you can deduct others' account balance.

Vulnerability file \ api \ tenpay \ index. php:

 

$ SQL = $ db-> query ("select * from '". $ db_config ["def"]. "company_order 'where' order _ id' = '$ _ POST [dingdan]'"); $ row = mysql_fetch_array ($ SQL ); // obtain the order price by Order Number $ userid = (int) $ _ COOKIE ['uid']; // obtain the uid in the cookie, this uid can be forged into another user's uid !!!! If ($ _ POST ['balance '] & $ userid) {$ c_ SQL = $ db-> query ("select 'pay' from '". $ db_config ["def"]. "company_statis 'where' uid' = '". $ userid. "'"); // read others' account balance using a forged uid $ company_statis = mysql_fetch_array ($ c_ SQL ); if ($ company_statis ['pae']> = $ row ['order _ price']) {// if the account balance is greater than the payment amount $ up_ SQL = $ db-> query ("Update '". $ db_config ["def"]. "company_statis 'set 'pay' = 'pay '-'". $ row ['order _ price']. "'where' uid' = '". $ userid. "'"); // use a forged uid to pay for mysql_fetch_array ($ up_ SQL); $ up_order = $ db-> query ("Update '". $ db_config ["def"]. "company_order 'set' order _ price' = '0 '". $ invoice_title. "where 'order _ id' = '". $ row ['order _ id']. "'"); mysql_fetch_array ($ up_order); $ price = $ row ['order _ price'];} else {// if the account balance is less than the payment amount $ price = $ company_statis ['pay']; $ up_ SQL = $ db-> query ("Update '". $ db_config ["def"]. "company_statis 'set' pay' = '0' where 'uid' = '". $ userid. "'"); // directly clear the account balance bit 0 $ up_ SQL _status = mysql_fetch_array ($ up_ SQL); $ up_order = $ db-> query ("Update '". $ db_config ["def"]. "company_order 'set' order _ price' = 'order _ price '-'". $ price. "'". $ invoice_title. "where 'order _ id' = '". $ row ['order _ id']. "'"); mysql_fetch_array ($ up_order );}

Test process:

Register an account test2 with a sufficient balance of 100:

 

Register an account test5 and submit an order:
 

 

During payment, change the uid in the cookie to the uid of test2:
 

Payment successful through test2:
 

If the account balance is less than the payment amount, the account balance will be reset to 0, test5 submit an order with a high price for test2 to pay

Change uid to test2 when the packet is captured.

Consumption record of test2: