### 简要描述: PHPYUN逻辑错误无限积分所以标题党了一下! ### 详细说明: 逻辑错误 未对用户输入严格过滤! 问题发生在 member/model/com.class.php 1158行 ``` $integral=$this->config["integral_com_comments"]*$_POST['time']; ..... if($statis["integral"]<$integral){ $this->obj->ACT_msg("index.php?C=pay","你的".$this->config["integral_pricename"]."不足,请先充值"); } ..... $nid=$this->obj->company_invtal($this->uid,$integral,false,"购买会员等级"); .... ``` 跟进 company_invtal 方法： ``` function company_invtal($uid,$integral,$auto=true,$name="",$pay=true,$pay_state=2,$type="integral"){ if($auto){ $nid=$this->DB_update_all("company_statis","`".$type."`=`".$type."`+".$integral."","uid='".$uid."'"); }else{ $nid=$this->DB_update_all("company_statis","`".$type."`=`".$type."`-".$integral."","uid='".$uid."'"); $integral="-".$integral; } if($pay){ $dingdan=mktime().rand(10000,99999); $value="`order_id`='".$dingdan."',"; $value.="`com_id`='".$uid."',"; $value.="`pay_remark`='".$name."',"; $value.="`pay_state`='".$pay_state."',"; $value.="`pay_time`='".mktime()."',"; $value.="`order_price`='".$integral."',"; if($type=="integral"){ $value.="`type`='1'"; }else{ $value.="`type`='2'"; } $this->DB_insert_once("company_pay",$value); } return $nid; } ``` company_invtal 同样没有判断 $integral 的正负，直接做减法：1158 行的 `$_POST['time']` 未经 intval 校验，传入负数时 $integral 为负，前面的余额检查 `$statis["integral"]<$integral` 必然通过，而 `integral`-`(负数)` 实际上是给积分加值，因此积分可以无限增加。修复应在 1158 行对 $_POST['time'] 取 intval 并要求大于 0，company_invtal 内部也应拒绝非正的 $integral。 ### 漏洞证明: 访问 /member/index.php?C=buyvip [<img src="https://images.seebug.org/upload/201401/161559001fbed2328a0f2b77219d3e042c35cd30.jpg" alt="phpyun_bug4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/161559001fbed2328a0f2b77219d3e042c35cd30.jpg) [<img src="https://images.seebug.org/upload/201401/161559103044e0db5388054eecfa214d8110f9c9.jpg" alt="phpyun_bug5.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/161559103044e0db5388054eecfa214d8110f9c9.jpg) [<img src="https://images.seebug.org/upload/201401/161559192ef1b9e21d1543ebb215340218645834.jpg" alt="phpyun_bug6.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/161559192ef1b9e21d1543ebb215340218645834.jpg)