
An interesting vulnerability: a floating-point problem

Author: Internet

Vulnerable source code

    public function Convert(Request $request)
    {
        $user = User::find($request->session()->get('id'));
        if (!$user) {
            $this->error(500, '该用户不存在'); // "user does not exist"
        }
        // The raw request value is compared and used in arithmetic as-is:
        // there is no check on its numeric type or on its precision.
        if ($request->input('brokerage_amount') <= 0) {
            $this->error(500, '参数错误'); // "invalid parameter"
        }
        if ($request->input('brokerage_amount') > $user->brokerage_amount) {
            $this->error(500, '佣金余额不足'); // "insufficient brokerage balance"
        }
        // Debit the brokerage balance and credit the main balance with the same raw value.
        $user->brokerage_amount = $user->brokerage_amount - $request->input('brokerage_amount');
        $user->amount = $user->amount + $request->input('brokerage_amount');
        if (!$user->save()) {
            $this->error(500, '划转失败'); // "transfer failed"
        }
        return response([
            'data' => true,
            'now_brokerage_amount' => $user->brokerage_amount,
            'now_amount' => $user->amount
        ]);
    }

How to trigger it

Controllable parameter: brokerage_amount. I set it to 0.499999999999999. After submitting, $user->brokerage_amount did not decrease, but $user->amount increased by 1.
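
A hardened version of the amount handling, as an added example that is not part of the original post or the project's code. It assumes balances are stored as integer minor units with two decimal places (the page does not say how they are stored), and `parseAmount` and `convertBrokerage` are hypothetical names. The input is accepted only as a plain decimal string with at most two fractional digits, and the same integer is debited and credited.

```php
<?php
declare(strict_types=1);

// Added example, not the original project's code. Assumption: balances are
// stored as integer minor units with 2 decimal places (e.g. cents).
const SCALE = 2;

/** Parse a user-supplied decimal string into integer minor units, or throw. */
function parseAmount(string $raw): int
{
    // Digits, optionally followed by at most SCALE fractional digits. Rejects
    // signs, exponents, whitespace and over-precise values such as 0.499999999999999.
    if (!preg_match('/\A(\d{1,12})(?:\.(\d{1,' . SCALE . '}))?\z/', $raw, $m)) {
        throw new InvalidArgumentException('invalid amount format');
    }
    $fraction = str_pad($m[2] ?? '', SCALE, '0');   // "5" -> "50"
    return (int) $m[1] * (10 ** SCALE) + (int) $fraction;
}

/** Move $raw from the brokerage balance to the main balance; both in minor units. */
function convertBrokerage(int $brokerage, int $amount, string $raw): array
{
    $delta = parseAmount($raw);
    if ($delta <= 0) {
        throw new InvalidArgumentException('amount must be positive');
    }
    if ($delta > $brokerage) {
        throw new RuntimeException('insufficient brokerage balance');
    }
    // The same integer is debited and credited, so the total is conserved.
    return ['brokerage' => $brokerage - $delta, 'amount' => $amount + $delta];
}

// Constructed sample inputs, including the value from the post.
foreach (['0.50', '0.499999999999999', '-1', '1e3', '99999'] as $raw) {
    try {
        $r = convertBrokerage(1000, 0, $raw);   // 10.00 brokerage, 0.00 amount
        printf("%-18s ok  brokerage=%d amount=%d\n", $raw, $r['brokerage'], $r['amount']);
    } catch (Exception $e) {
        printf("%-18s rejected: %s\n", $raw, $e->getMessage());
    }
}
```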


Source: https://blog.csdn.net/meinaozi/article/details/113845587