Hello everyone. There was an incident on the site where one of the users managed to bypass the check and steal funds. On inspection I saw that the user had a negative balance in the database. Please help me figure out how this could happen; many thanks in advance.

PHP:

$user = mysqli_fetch_assoc(mysqli_query($CONNECT,
    "SELECT * FROM `users` WHERE `login` = '$_SESSION[USER_LOGIN]'")); // the session is set after login
$balance = $user['balance']; // variable holding the user's data

if ( isset($_POST['cashout']) ) {
    if ( $_POST['amount'] >= 10 ) {
        if ( $_POST['amount'] <= $balance ) {
            // Here is the script that performs the withdrawal and updates the balance in the DB
            $balance_res = $balance - $_POST['amount'];
            mysqli_query($CONNECT, "UPDATE `users` SET `balance` = $balance_res WHERE `id` = '$us_id'"); // $us_id is set elsewhere in the script
            MessageSend(2, 'Funds withdrawn successfully', '/cashout');
        } else {
            MessageSend(1, 'Insufficient funds', '/cashout');
        }
    } else {
        MessageSend(1, 'Minimum amount is 10 rubles.', '/cashout');
    }
}

The form:

<form action="/cashout" method="POST">
    To: <input type="text" class="form-control" name="payeer" placeholder="Payeer wallet">
    How much: <input type="number" name="amount" class="form-control" placeholder="Amount in rubles">
    <input type="submit" name="cashout" value="Cash Out">
</form>
  • Uh, read about SQL injection; most likely code was entered instead of the login. - Komdosh
  • @Komdosh What does SQL injection have to do with it, if the person's balance after the withdrawal was negative? And he passed the check on the 5th line. I would understand if the balance had been positive. - youngoldman
  • Good question; apart from injections nothing comes to mind for now, but do you keep a transaction history? - Komdosh
  • @Komdosh Do you mean in the database? Yes, the history of these withdrawals also remained with the payment system. The logs, however, are gone. But how can the history help? I write the time, the transaction ID in the payment system, the wallet and the user there. No more info. - youngoldman
  • @DanilSysoev, by means of SQL injection you can write data to the cashout table from code that does not refer to it... You believe this code was bypassed because only this code refers to the cashout table. But that may be a false logical premise. - rugabarbo

3 answers

Implicit type conversion. Here is an example.

<?php
$amount = ' 050w00';
$balance = '40'; // <-- important: this is a string
if ($amount >= 10) {
    if ($amount <= $balance) {
        $balance = $balance - $amount;
    }
}
print('balance:' . $balance);

Output:

balance:-10

  • Comments are not intended for extended discussion; this conversation has been moved to chat. - Qwertiy
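To see how far the loose comparisons in the question's handler can be pushed, here is an added example (not code from the original post or from any of the answers) that wraps the question's two checks in a function, runs a few constructed inputs through it, and sets a strict validator beside it. It assumes PHP 7.x comparison semantics, under which the answer's ' 050w00' case yields -10. PHP 8.0 compares an int with a non-numeric string as strings, so ' 050w00' >= 10 becomes false there, but '100abc' >= 10 stays true, so the handler remains exploitable on PHP 8. The probe values and the 40-ruble balance are constructed for the example.

```php
<?php
// Added example, not code from the original post or its answers.
// Reproduces the question's two checks on constructed inputs to show which
// strings slip through under PHP 7.x loose comparison, and puts a strict
// validator beside them. PHP 8.0 compares an int with a non-numeric string
// as strings, so ' 050w00' >= 10 becomes false there, but '100abc' >= 10
// stays true, so the handler is still exploitable on PHP 8.

// The question's logic verbatim: $amount is the raw $_POST['amount'],
// $balance is the string mysqli_fetch_assoc() returned for the column.
function vulnerableCashout(string $amount, string $balance): ?string
{
    if ($amount >= 10) {            // int vs string: PHP 7 uses the numeric prefix of $amount
        if ($amount <= $balance) {  // string vs string: numeric only if BOTH are numeric strings,
                                    // otherwise a byte-wise comparison (' ' and '1' sort below '4')
            return (string)($balance - $amount);  // arithmetic uses the numeric prefix again
        }
    }
    return null;  // rejected by one of the two checks
}

// Hardened: accept only unsigned decimal digits, bounded in length, and
// compare as integers. Whitespace, signs, exponents and suffixes never reach
// the comparison or the arithmetic.
function validateAmount($raw, int $min = 10, int $max = 1000000): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 7) {
        return null;
    }
    $amount = (int)$raw;
    return ($amount >= $min && $amount <= $max) ? $amount : null;
}

function safeCashout($rawAmount, string $balance): ?int
{
    $amount = validateAmount($rawAmount);
    if ($amount === null || !ctype_digit($balance)) {
        return null;
    }
    $current = (int)$balance;
    return $amount <= $current ? $current - $amount : null;
}

// Constructed probes against a balance of 40 rubles (a string, as mysqli returns it).
$balance = '40';
foreach (['30', '50', '100abc', ' 050w00', '1e3', '9999x'] as $probe) {
    printf("%-10s vulnerable=%-6s hardened=%s\n",
        var_export($probe, true),
        var_export(@vulnerableCashout($probe, $balance), true),  // @ hides the arithmetic notice
        var_export(safeCashout($probe, $balance), true));
}
```

Under PHP 7 the '100abc' and ' 050w00' probes pass both of the original checks and drive the balance negative, while '1e3' and '9999x' are stopped only because of incidental properties of the comparison rather than by design; the hardened path rejects every probe except the plain '30'. The subtraction on a leading-numeric string also raises "A non well formed numeric value encountered" (an E_NOTICE in PHP 7, an E_WARNING in PHP 8), so a production error log would have recorded the abuse, which is worth checking when the application's own logs are gone.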

It is possible to substitute the session data $_SESSION[USER_LOGIN] with the name of another user who has a positive balance, while the withdrawal and the table update go by your own id.

The code that puts the balance into the $user['balance'] array is not visible.

  • In the program code $balance_res = $balance - $_POST['amount']; comes after the check if ( $_POST['amount'] <= $balance ), so your answer shows only one of the vulnerabilities but does not explain the negative balance... - rugabarbo
  • I also thought about that and checked for people with a balance of more than 1k. There were no such people. And theoretically, a user with such a balance was impossible in the project. - youngoldman
  • @rugabarbo balance_res here is calculated after the withdrawal of funds, and withdrawal is possible only if the amount is higher than the balance of the user whose nickname is registered in the session. - Ruslan Semenov
  • Added just now - youngoldman

Maybe the point is that you don't have all of this inside a transaction? The user prepared, say, 4 requests; they all checked the balance within one second, it was positive, and they all debited it, and there is your minus.

  • The interval between transactions is more than a minute. - youngoldman
  • Explain how you achieved this? - Farkhod Daniyarov
  • @DanilSysoev And this attack vector is also possible, especially if the time of the last transaction is stored in the database. - vitidev
  • With this type of attack, we will not be able to get a negative balance. - vitidev
  • @vitidev well, I’ll take this fact into account, and I'll try something from above. - youngoldman
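Putting the three answers together, here is an added hardened version of the handler (example code written for this page, not the site's own). It validates the amount as an unsigned integer before any comparison (the type-conversion answer), uses prepared statements and identifies the user by a numeric id stored in the session rather than interpolating the login into SQL (the session-substitution answer and the SQL-injection comments), and replaces the read-check-update sequence with one conditional UPDATE whose affected-row count decides whether the payout happens, inside a transaction (the concurrency answer). Assumptions: $CONNECT and MessageSend() are the question's mysqli connection and redirect helper; $_SESSION['USER_ID'] is set at login; `balance` is an integer column of whole rubles; the `cashouts` log table with the columns shown, the wallet format, and the payoutToPayeer() provider call are hypothetical.

```php
<?php
// Added example: a hardened cashout handler, not the site's original code.
// Assumes $CONNECT (mysqli) and MessageSend() from the question, a numeric
// $_SESSION['USER_ID'] set at login, an integer `balance` column (whole
// rubles), and a hypothetical `cashouts` table plus payoutToPayeer() call.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // DB errors become exceptions

function parseAmount($raw, int $min = 10): ?int
{
    // Unsigned decimal digits only: no whitespace, sign, exponent or suffix,
    // so loose comparison never sees a non-numeric string.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 7) {
        return null;
    }
    $amount = (int)$raw;
    return $amount >= $min ? $amount : null;
}

function parseWallet($raw): ?string
{
    // Hypothetical format check; adjust to the payment provider's account scheme.
    return (is_string($raw) && preg_match('/^P\d{7,12}$/', $raw) === 1) ? $raw : null;
}

function payoutToPayeer(string $wallet, int $amount): bool
{
    // Placeholder for the provider's API call; returns whether the transfer succeeded.
    return true;
}

// Debits first, atomically, then pays out. Returns the new balance, or null
// if the request was refused (bad input, insufficient funds, or payout failure).
function cashout(mysqli $db, int $userId, $rawAmount, $rawWallet): ?int
{
    $amount = parseAmount($rawAmount);
    $wallet = parseWallet($rawWallet);
    if ($amount === null || $wallet === null) {
        return null;
    }

    $db->begin_transaction();
    try {
        // The check and the debit are one statement: with InnoDB the row is
        // locked for the UPDATE, so concurrent requests serialize on it and
        // the balance can never be driven below zero.
        $debit = $db->prepare(
            'UPDATE `users` SET `balance` = `balance` - ? WHERE `id` = ? AND `balance` >= ?'
        );
        $debit->bind_param('iii', $amount, $userId, $amount);
        $debit->execute();
        if ($debit->affected_rows !== 1) {
            $db->rollback();  // insufficient funds (or unknown user): nothing was changed
            return null;
        }

        // Record the withdrawal in our own table before contacting the provider,
        // so the history survives even if the provider-side log is lost.
        $log = $db->prepare(
            'INSERT INTO `cashouts` (`user_id`, `amount`, `wallet`, `created_at`) VALUES (?, ?, ?, NOW())'
        );
        $log->bind_param('iis', $userId, $amount, $wallet);
        $log->execute();

        if (!payoutToPayeer($wallet, $amount)) {
            $db->rollback();  // debit and log record are undone together
            return null;
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollback();
        throw $e;
    }

    $q = $db->prepare('SELECT `balance` FROM `users` WHERE `id` = ?');
    $q->bind_param('i', $userId);
    $q->execute();
    $q->bind_result($balance);
    $q->fetch();
    return (int)$balance;
}

if (isset($_POST['cashout'])) {
    $newBalance = cashout($CONNECT, (int)$_SESSION['USER_ID'], $_POST['amount'] ?? null, $_POST['payeer'] ?? null);
    if ($newBalance === null) {
        MessageSend(1, 'Invalid amount or insufficient funds', '/cashout');
    } else {
        MessageSend(2, 'Funds withdrawn successfully', '/cashout');
    }
}
```

The essential change is that the balance is never read into PHP, compared there and written back; the database performs the check and the debit in one statement, so neither a crafted string nor four simultaneous requests can get past it. One remaining gap is the window between a successful provider transfer and the commit: if the process dies there, the money has left but the debit is rolled back, which is why the log row should be written first and the provider call made idempotent against it.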