Vulnerability Hunter,Owner website yang tersenarai tolong semak-semak yer..

Recommended Brokers


Latest Threads

Joker_

Fun Poster
Joined
Apr 21, 2014
Messages
103
Reaction score
0
Points
10
Harap maklum,dari hasil 'hunting',website-website yang tersenarai kat bawah ni terdedah untuk di exploit.

Aim : Online shop that selling Electronic Product such as E-Book,Sofware and Membership using Paypal.

Vulnerability Found :
Paypal Direct Payment

Keyword : "return to merchant","back to merchant","serta merta","gain access immediately"

Vulnerability Case : The attacker can get the product or membership without paying full price.

List site :
http://www.rahsiapenulis.com
http://www.perolehankerajaan.com
http://www.rahsiarezeki.com
http://rahsiamagnetduit.com
http://rahsiakambing.com
http://www.sistemsaham.com
http://www.rahsiarumahlelong.com
http://www.rahsiataobao.com
http://www.kitforex.com
http://www.panduan-asas-forex.com
http://www.duitfiverr.com
http://www.rajaadsense.com
http://www.maskahwin.com

Macammana aku nak terangkan ni erk....~X(
Mule-mule yang ni dululah :

Client = Pay = We Receive = We give download link

Ada kalangan seller tak nak upload e-product diorang kat server untuk mengelakkan buyer sebarkan link download,ataupun hacker exploit link download,so jadinya

Client = Pay = We Receive = We give our product through email

Kat atas ni penerangan antara direct buyer ngan seller.Maknenyer antara 2 manusia.Kalau si buyer tak bayar,si seller takkan kasi barang,kalau si seller letak harga RM60,si buyer kene bayar RM60 baru dapat barang.

Sama jugak kes kalau gune Paypal direct payment :

Client = Pay = Paypal Receive = Client automatically get download link/email respons


TETAPI,yang ni susah nak ku terangkan...~X(

Aku sebagai "Client".
Si seller ni pulak buat autopilot,means if i make a payment to their paypal account,after the payment i will get the download link,information,email,etc.

Clue = after the payment,bermaksud buat saje payment,kite terus akan dapat download link,information ataupun email mengenai e-product tersebut.

Logiknye walau bayar 0.01 pon dah dianggap payment betul tak ? :)):))

Before Server A send to Server B,test out either Server A have checksum,if no checksum,edit the POST before the parameter reach at Server B.

Satu contoh vulnerability,website jual sofware gune payment success = get product

Total price = 129.50


Pay 0.01 (Like i said,0.01 sudah dianggap payment betul tak?)


Instant download link + Serial Number~X(


Sape-sape yang nak copy serial number tu dah terlambat...Aku dah notify owner website.Serial tu dah kene cancel.:))

Checksum check


Untuk owner website,agak susah untuk aku terangkan disebabkan aku tak cukup pengetahuan lagi.Aku sarankan,yang nak gune paypal ni,jangan terus bagi direct download,buat pengesahan dulu.Manual lagi selamat.:)paid

Ade sape2 nak tambah website untuk tujuan vulnerability tester boleh post kat sini...
 
Last edited:
Sponsored Post

jom

Active+ Member
Joined
Jun 18, 2012
Messages
2,566
Reaction score
69
Points
30
maknenye untuk tipu penjual la iyee ???
huhuuhuuu
 

Joker_

Fun Poster
Joined
Apr 21, 2014
Messages
103
Reaction score
0
Points
10
maknenye untuk tipu penjual la iyee ???
huhuuhuuu
Kalau gune manual payment "selagi seller tak dapat duit,selagi tu la seller takkan bagi barang".

Tapi kalau auto payment ni,

Si pembeli bukan berurusan langsung dengan seller tapi ngan "Robot".

Sape pandai main ngan "robot" ni memang senanglah nak bypass payment.
 

Syedz

CG Top Poster Club
Joined
Dec 23, 2008
Messages
21,898
Reaction score
94
Points
125
Kalau gune manual payment "selagi seller tak dapat duit,selagi tu la seller takkan bagi barang".

Tapi kalau auto payment ni,

Si pembeli bukan berurusan langsung dengan seller tapi ngan "Robot".

Sape pandai main ngan "robot" ni memang senanglah nak bypass payment.

baru paham, x sangka ada jugak kelemahan di situ..
 

myroadtax.com

CG Top Poster Club
Platinum Member
Joined
Feb 12, 2014
Messages
25,863
Reaction score
573
Points
161
Kalau programmer malas atau kurang pengetahuan, maka exploit begini memang mudah sangat.
 

monster_forex

Active+ Member
Joined
Nov 16, 2006
Messages
4,542
Reaction score
26
Points
30
aikk..... bukan paypal dah patch ke vuln nie ???

ker ada lagi web yg pakai code lama, sebb tu boleh bypass lagi...
 
Sponsored Post
Top
Log in Register