Vulnerable environment
Laravel 6.20.15
MySQL 5.5
PHP 7.3.13
The user attributes brokerage_amount and amount are both stored in MySQL as int(11)
Vulnerable source code
// Transfers commission (brokerage_amount) into the spendable balance (amount).
// The request value is used as-is in the comparisons and in the arithmetic below,
// so a non-integer string such as "0.499999999999999" passes both checks.
public function Convert(Request $request)
{
    $user = User::find($request->session()->get('id'));
    if (!$user) {
        $this->error(500, '该用户不存在');   // user does not exist
    }
    // Numeric-string comparison: any positive value passes, integer or not.
    if ($request->input('brokerage_amount') <= 0) {
        $this->error(500, '参数错误');       // invalid parameter
    }
    if ($request->input('brokerage_amount') > $user->brokerage_amount) {
        $this->error(500, '佣金余额不足');   // insufficient commission balance
    }
    // Float arithmetic on int columns; the results are written back to int(11) fields.
    $user->brokerage_amount = $user->brokerage_amount - $request->input('brokerage_amount');
    $user->amount = $user->amount + $request->input('brokerage_amount');
    if (!$user->save()) {
        $this->error(500, '划转失败');       // transfer failed
    }
    return response([
        'data' => true,
        'now_brokerage_amount' => $user->brokerage_amount,
        'now_amount' => $user->amount
    ]);
}
How to trigger
Controllable parameter: brokerage_amount. I set it to 0.499999999999999 and submitted; $user->brokerage_amount did not decrease, but $user->amount increased by 1.
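The behaviour above comes from two conversions stacked on top of each other. PDO binds a PHP float as a string produced with the `precision` ini setting (14 significant digits by default), so 10 - 0.499999999999999 = 9.500000000000001 is sent to MySQL as "9.5" and 5 + 0.499999999999999 = 5.499999999999999 as "5.5"; MySQL then stores a decimal string into an INT column by rounding half away from zero, giving 10 and 6. The following is an added example, not code from the application or the original write-up: it emulates those two conversions around the original read-check-write logic (throwing where the controller calls `$this->error()`, which is assumed to abort the request), and then shows a hardened handler that accepts only a canonical positive integer and performs the balance check and both writes in one conditional UPDATE, so the check cannot be raced by a concurrent request either. The `users` table, the in-memory SQLite stand-in and the helper names are assumptions.

```php
<?php
// Added example for this write-up; not the application's code. It emulates PHP's
// float->string parameter binding and MySQL's decimal->INT rounding, then shows a
// hardened handler. Table/column names, SQLite stand-in and helper names are assumed.
declare(strict_types=1);

// PDO binds a float as a string rendered with the `precision` ini setting (default 14
// significant digits), so 9.500000000000001 is bound as "9.5". Pinned for determinism.
function boundString(float $value): string
{
    ini_set('precision', '14');
    return (string) $value;
}

// MySQL stores a decimal string into an INT column by rounding half away from zero.
// Emulated locally; on a real deployment this happens inside the server.
function mysqlIntStore(string $bound): int
{
    return (int) round((float) $bound, 0, PHP_ROUND_HALF_UP);
}

// The original read-check-write flow with the two conversions applied to the values that
// save() writes back. Returns what the two int(11) columns hold afterwards.
function vulnerableConvert(int $brokerage, int $amount, string $input): array
{
    if ($input <= 0) {              // numeric-string comparison: "0.499999999999999" passes
        throw new RuntimeException('参数错误');
    }
    if ($input > $brokerage) {
        throw new RuntimeException('佣金余额不足');
    }
    $newBrokerage = $brokerage - $input;   // int minus numeric string -> float
    $newAmount    = $amount + $input;
    return [
        'brokerage_amount' => mysqlIntStore(boundString($newBrokerage)),
        'amount'           => mysqlIntStore(boundString($newAmount)),
    ];
}

// Hardened handler: only a canonical positive integer is accepted (no sign, decimal point,
// exponent or whitespace; length-bounded to stay inside signed INT), and the balance check
// plus both writes are a single conditional UPDATE, so two concurrent requests cannot both
// pass the check against the same stale balance.
function hardenedConvert(PDO $pdo, int $userId, $rawInput): array
{
    if (!is_int($rawInput) && !is_string($rawInput)) {
        throw new InvalidArgumentException('参数错误');
    }
    if (!preg_match('/\A[1-9][0-9]{0,8}\z/', (string) $rawInput)) {
        throw new InvalidArgumentException('参数错误');
    }
    $delta = (int) $rawInput;

    // Distinct placeholder names: native MySQL prepares reject a repeated named parameter.
    $stmt = $pdo->prepare(
        'UPDATE users SET brokerage_amount = brokerage_amount - :d1, amount = amount + :d2
          WHERE id = :id AND brokerage_amount >= :d3'
    );
    $stmt->bindValue(':d1', $delta, PDO::PARAM_INT);
    $stmt->bindValue(':d2', $delta, PDO::PARAM_INT);
    $stmt->bindValue(':d3', $delta, PDO::PARAM_INT);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    if ($stmt->rowCount() !== 1) {  // no row matched: unknown user or insufficient balance
        throw new RuntimeException('佣金余额不足');
    }

    $row = $pdo->prepare('SELECT brokerage_amount, amount FROM users WHERE id = :id');
    $row->execute([':id' => $userId]);
    return $row->fetch(PDO::FETCH_ASSOC);
}

// Demo against a constructed in-memory SQLite table standing in for the users table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, brokerage_amount INTEGER, amount INTEGER)');
$pdo->exec('INSERT INTO users VALUES (1, 10, 5)');

var_dump(vulnerableConvert(10, 5, '0.499999999999999'));   // commission kept, balance credited
var_dump(hardenedConvert($pdo, 1, '3'));                    // normal integer transfer
try {
    hardenedConvert($pdo, 1, '0.499999999999999');          // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

In a Laravel controller the same two fixes are `$request->validate(['brokerage_amount' => 'required|integer|min:1'])` followed by `User::where('id', $id)->where('brokerage_amount', '>=', $delta)->update([...])` with `DB::raw()` expressions for the two column adjustments, checking that exactly one row was affected. Changing the column types alone, as tried in the afterword, does not address either the non-integer input or the read-check-write race.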
Demo animation (GIF not reproduced in this text)
Afterword
After changing the MySQL type of brokerage_amount and amount to float, the calculation came out correctly:
brokerage_amount decreases by 0.5 per request and amount increases by 0.5.
Changing the MySQL type to float(11) instead produced brokerage_amount decreasing by 1 per request with amount unchanged.