Vulnerability environment
laravel 6.20.15
mysql 5.5
PHP Version 7.3.13
用户属性 brokerage_amount / amount 在MYSQL中类型同为 int(11)
Vulnerability source code
public function Convert(Request $request)
{
$user = User::find($request->session()->get('id'));
if (!$user) {
$this->error(500, '该用户不存在');
}
if ($request->input('brokerage_amount') <= 0) {
$this->error(500, '参数错误');
}
if ($request->input('brokerage_amount') > $user->brokerage_amount) {
$this->error(500, '佣金余额不足');
}
$user->brokerage_amount = $user->brokerage_amount - $request->input('brokerage_amount');
$user->amount = $user->amount + $request->input('brokerage_amount');
if (!$user->save()) {
$this->error(500, '划转失败');
}
return response([
'data' => true,
'now_brokerage_amount' => $user->brokerage_amount,
'now_amount' => $user->amount
]);
}
trigger method
Controllable parameter: brokerage_amount I set it to 0.499999999999999 After submission, $user->brokerage_amount has not decreased. But $user->amount will increase by 1.
effect animation
postscript
Changing the brokerage_amount and amount in the MYSQL type to float can be calculated correctly.
The brokerage_amount is reduced by 0.5 once and the amount is added by 0.5 once
Then change the MYSQL type to float(11) and the brokerage_amount will be reduced by 1 at a time without changing the amount.