Tai7sy / card-system

Card-key shop system: an efficient and secure online card-key shop
MIT License

Every order gets 2 extra unpaid orders after 14 minutes #585

Closed zhouzhili closed 1 year ago

zhouzhili commented 1 year ago

Program version 3.15, using the Alipay PC face-to-face payment (当面付) interface. From what I have observed, regardless of whether an order was paid or unpaid, about 14 minutes later 2 unpaid orders appear.

The log is below; please help me find out what the problem is. Thanks in advance.

[2023-06-18 10:49:54] local.ERROR: Caught a UnauthorizedHttpException {"exception":"[object] (Symfony\\Component\\HttpKernel\\Exception\\UnauthorizedHttpException(code: 0): Token not provided at /www/wwwroot/shop.com/vendor/tymon/jwt-auth/src/Http/Middleware/BaseMiddleware.php:2)
[stacktrace]
#0 /www/wwwroot/shop.com/app/Http/Middleware/AuthenticateToken.php(2): Tymon\\JWTAuth\\Http\\Middleware\\BaseMiddleware->checkForToken(Object(Illuminate\\Http\\Request))
#1 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(2): App\\Http\\Middleware\\AuthenticateToken->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#2 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(2): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#3 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Middleware/SubstituteBindings.php(2): Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))
#4 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(2): Illuminate\\Routing\\Middleware\\SubstituteBindings->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#5 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(2): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#6 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(2): Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))
#7 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Router.php(2): Illuminate\\Pipeline\\Pipeline->then(Object(Closure))
#8 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Router.php(2): Illuminate\\Routing\\Router->runRouteWithinStack(Object(Illuminate\\Routing\\Route), Object(Illuminate\\Http\\Request))
#9 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Router.php(2): Illuminate\\Routing\\Router->runRoute(Object(Illuminate\\Http\\Request), Object(Illuminate\\Routing\\Route))
#10 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Router.php(2): Illuminate\\Routing\\Router->dispatchToRoute(Object(Illuminate\\Http\\Request))
#11 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(2): Illuminate\\Routing\\Router->dispatch(Object(Illuminate\\Http\\Request))
#12 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(2): Illuminate\\Foundation\\Http\\Kernel->Illuminate\\Foundation\\Http\\{closure}(Object(Illuminate\\Http\\Request))
#13 /www/wwwroot/shop.com/app/Http/Middleware/CORS.php(2): Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))
#14 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(2): App\\Http\\Middleware\\CORS->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#15 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(2): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#16 /www/wwwroot/shop.com/vendor/fideloper/proxy/src/TrustProxies.php(2): Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))
#17 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(2): Fideloper\\Proxy\\TrustProxies->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#18 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(2): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#19 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(2): Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))
#20 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(2): Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#21 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(2): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#22 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(2): Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))
#23 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(2): Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#24 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(2): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#25 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php(2): Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))
#26 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(2): Illuminate\\Foundation\\Http\\Middleware\\ValidatePostSize->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#27 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(2): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#28 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/CheckForMaintenanceMode.php(2): Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))
#29 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(2): Illuminate\\Foundation\\Http\\Middleware\\CheckForMaintenanceMode->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#30 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(2): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#31 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(2): Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))
#32 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(2): Illuminate\\Pipeline\\Pipeline->then(Object(Closure))
#33 /www/wwwroot/shop.com/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(2): Illuminate\\Foundation\\Http\\Kernel->sendRequestThroughRouter(Object(Illuminate\\Http\\Request))
#34 /www/wwwroot/shop.com/public/index.php(62): Illuminate\\Foundation\\Http\\Kernel->handle(Object(Illuminate\\Http\\Request))
#35 {main}
"} 
[2023-06-18 10:54:19] local.ERROR: Pay.AliAop.query exception: Business Failed: 交易不存在  
[2023-06-18 10:54:20] local.ERROR: Pay.AliAop.query exception: Business Failed: 交易不存在  
[2023-06-18 10:54:20] local.ERROR: Pay.AliAop.query exception: Business Failed: 交易不存在  
[2023-06-18 10:54:21] local.ERROR: Pay.AliAop.query exception: Business Failed: 交易不存在  
[2023-06-18 10:54:21] local.ERROR: Pay.AliAop.query exception: Business Failed: 交易不存在  
Tai7sy commented 1 year ago

Is the order information of the unpaid orders identical to that of the orders placed earlier?

zhouzhili commented 1 year ago

Yes, the contact details the users filled in are all the same, and they show as unpaid.

zhouzhili commented 1 year ago

This is the paid order: [image]

This is the unpaid order (the payment time is taken from the creation time; I changed that myself): [image]

The ones in the middle with contact details 180 and 124 are unpaid orders from my own testing. I only created the order once, but after 14 minutes 2 unpaid orders appear almost simultaneously.

Tai7sy commented 1 year ago

Check the ordering IP; you may be the victim of a replay attack.

zhouzhili commented 1 year ago

> Check the ordering IP; you may be the victim of a replay attack.

Hi, where can I see the ordering IP?

zhouzhili commented 1 year ago

Ah, I had set it to automatically clear unpaid orders older than a day, so only 2 records are left; the earlier ones are gone. Could you take a look at these IPs? How do I defend against replay attacks? [image]

Tai7sy commented 1 year ago

Prefixes like 220.196.160 are probably scanners carrying out replay attacks. I suggest enabling a CAPTCHA for placing orders.

imPrk0 commented 1 year ago

The reason for suspecting a replay attack is that, apart from the IP address, the order data of these orders is almost identical: the same order data is used to make repeated requests. Generally speaking, the unpaid orders that result do not pose too great a security threat (security issue).

To be rigorous, at 2023-06-26T07:25:36.072Z I set up an environment using the latest code (assuming your payment driver and program are the latest on GitHub) and tested separately with Alipay face-to-face payment (f2f) and Alipay Enterprise PC, and did not find the problem described above.

The cases tested were:

This confirms that the code does not have the problem in question.
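A defender-side check for the pattern the thread describes (identical order data resubmitted from other IP ranges minutes after the original, see the two comments above), written as an added example that is not code from card-system. The order records, the IP addresses, the record layout and the 30-minute window are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample order records (not taken from the project or the issue).
# Each row: order id, created-at, client IP, product id, quantity, contact.
ORDERS = [
    ("A1", "2023-06-18 10:35:40", "203.0.113.10",   7, 1, "user180@example.com"),
    ("A2", "2023-06-18 10:49:52", "220.196.160.21", 7, 1, "user180@example.com"),
    ("A3", "2023-06-18 10:49:54", "220.196.160.88", 7, 1, "User180@example.com "),
    ("B1", "2023-06-18 11:02:00", "198.51.100.5",   3, 2, "user124@example.com"),
]


def _ts(order):
    return datetime.strptime(order[1], "%Y-%m-%d %H:%M:%S")


def fingerprint(order):
    """The order data a replayed request carries unchanged: product, quantity, contact."""
    _, _, _, product, qty, contact = order
    return (product, qty, contact.strip().lower())


def find_replay_clusters(orders, window=timedelta(minutes=30), prefix=24):
    """Return {fingerprint: [order ids]} for orders whose data is repeated,
    within `window` of the first copy, from outside the first copy's /prefix.
    The first (presumably legitimate) order id leads each list."""
    by_fp = defaultdict(list)
    for o in orders:
        by_fp[fingerprint(o)].append(o)
    clusters = {}
    for fp, group in by_fp.items():
        group.sort(key=_ts)
        first = group[0]
        net0 = ip_network(f"{first[2]}/{prefix}", strict=False)
        repeats = [
            o for o in group[1:]
            if _ts(o) - _ts(first) <= window and ip_address(o[2]) not in net0
        ]
        if repeats:
            clusters[fp] = [first[0]] + [o[0] for o in repeats]
    return clusters


def top_prefixes(orders, prefix=24):
    """Count orders per /prefix network, to surface a scanning source range."""
    return Counter(str(ip_network(f"{o[2]}/{prefix}", strict=False)) for o in orders)
```

Run against real data, `top_prefixes` is the quick way to see the kind of source range the maintainer pointed at, and `find_replay_clusters` lists the duplicate orders worth cleaning up or rate-limiting.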