### Summary: The system does not validate incoming parameters

### Details:

```
function onaliapyback() {
    // trade_status and total_fee are read straight from the query string;
    // nothing ties them to a signed gateway notification or a local order
    if ($_GET['trade_status'] == 'TRADE_SUCCESS') {
        $credit2 = $_GET['total_fee'] * $this->setting['recharge_rate'];
        $this->credit($this->user['uid'], 0, $credit2, 0, "支付宝充值");
        $this->message("充值成功", "user/score");
    } else {
        $this->message("服务器繁忙,请稍后再试!", 'STOP');
    }
}
```

Supplying `total_fee` directly is sufficient.

### Proof of concept:

/?ebank/aliapyback.html&trade_status=TRADE_SUCCESS&total_fee=99
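The same handler in a hardened form, added here as an illustration and not taken from the report or the affected project: the credited amount comes from the locally stored order, and the notification is only honoured if the gateway's signature verifies. The abstract helpers (`verifyNotifySignature`, `getOrderByTradeNo`, `markOrderPaid`) and the `sign`, `out_trade_no` and `trade_no` parameter names are assumptions standing in for the application's own signature check and order storage.

```php
<?php
// Added example (not the affected project's code): hardened recharge callback.
// Abstract methods are assumed hooks into the application's own code.
abstract class EbankHardened
{
    protected array $setting = ['recharge_rate' => 1.0];   // assumed config shape

    abstract protected function verifyNotifySignature(array $params): bool;
    abstract protected function getOrderByTradeNo(string $outTradeNo): ?array;
    abstract protected function markOrderPaid(string $outTradeNo, string $tradeNo): bool;
    abstract protected function credit(int $uid, int $c1, float $c2, int $c3, string $memo): void;
    abstract protected function message(string $msg, string $target): void;

    public function onaliapyback(): void
    {
        $p = $_GET;

        // 1. Reject anything the payment gateway did not sign. The signature
        //    covers trade_status and total_fee, so a hand-built query fails here.
        if (!isset($p['sign'], $p['out_trade_no']) || !$this->verifyNotifySignature($p)) {
            $this->message("服务器繁忙,请稍后再试!", 'STOP');
            return;
        }

        // 2. Use our own record of the order; an unknown or already-paid order
        //    (replayed notification) is refused rather than credited again.
        $order = $this->getOrderByTradeNo((string) $p['out_trade_no']);
        if ($order === null || $order['status'] === 'paid') {
            $this->message("服务器繁忙,请稍后再试!", 'STOP');
            return;
        }

        // 3. The notified amount must equal what we charged, to the cent (bcmath).
        if (($p['trade_status'] ?? '') !== 'TRADE_SUCCESS'
            || bccomp((string) ($p['total_fee'] ?? '0'), (string) $order['amount'], 2) !== 0) {
            $this->message("服务器繁忙,请稍后再试!", 'STOP');
            return;
        }

        // 4. Mark the order paid first so a concurrent duplicate cannot credit twice,
        //    then credit the uid stored with the order (the callback carries no session).
        if (!$this->markOrderPaid($order['out_trade_no'], (string) ($p['trade_no'] ?? ''))) {
            $this->message("服务器繁忙,请稍后再试!", 'STOP');
            return;
        }
        $credit2 = (float) $order['amount'] * $this->setting['recharge_rate'];
        $this->credit((int) $order['uid'], 0, $credit2, 0, "支付宝充值");
        $this->message("充值成功", "user/score");
    }
}
```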