??Swap the CardGate Gateway API to receive all the payments from target store

Thread starter Abraham_Lincoln
Start date Jan 27, 2025
Tags

payment gateway exploits payment gateway vulnerabilities

Abraham_Lincoln

t.me/lincolnlegit

Elite

Premium

Jan 27, 2025

#1

Sharing a good method that still works on some stores that use the card gate gateway(typically used by invision forums):
Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).

Usage:
1. Change values of the constants (see below for TARGET & ORDER*)
2. Host this script somewhere (must be bulletproof vps or cpanel from Https://blacknic.pro)
3. Register a merchant at https://cardgate.com
4. Sign into "My CardGate" dashboard
5. Add fake site or choose existing one
6. Click "Setup your Webshop" button in site preferences
7. Paste the URL of this script into the pop-up window and click "Save"
8. The target store the settings of your site, enjoy :]

Note: It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.

Script (save it as gateway.php in a publicly accessible folder with permission 775):

To view the content, you need to Sign In or Register.

To run it, go to your-url.tld/gateway.php
If you have questions like… ?HOW TO FIND MANY POTENTIAL TARGETS? dm or contact my support:

t.me

Telegram: Contact @cndbank

t.me

Last edited: Jan 27, 2025

Abraham_Lincoln

t.me/lincolnlegit

Elite

Premium

Jan 27, 2025

#2

Wrong section, I am not sure but I think the thread should be here instead :

Cybersecurity & Exploit Development

crdpro.cc

D

Dimpuls_97

Premium

Jan 28, 2025

#3

i find this fascinating but i’m not going to lie i have no idea who to carry out something like this. i’m keen to learn though. where do i start?

kardachev

Premium

Jan 28, 2025

#4

Lincoln said:
View attachment 52902Sharing a good method that still works on some stores that use the card gate gateway(typically used by invision forums):
Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).

Usage:
1. Change values of the constants (see below for TARGET & ORDER*)
2. Host this script somewhere (must be bulletproof vps or cpanel from Https://blacknic.pro)
3. Register a merchant at https://cardgate.com
4. Sign into "My CardGate" dashboard
5. Add fake site or choose existing one
6. Click "Setup your Webshop" button in site preferences
7. Paste the URL of this script into the pop-up window and click "Save"
8. The target store the settings of your site, enjoy :]

Note: It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.

Script (save it as gateway.php in a publicly accessible folder with permission 775):
*** Hidden text: cannot be quoted. ***

To run it, go to your-url.tld/gateway.php
If you have questions like… ?HOW TO FIND MANY POTENTIAL TARGETS? dm or contact my support:

Telegram: Contact @cndbank

t.me

need that code haha

kardachev

Premium

Jan 28, 2025

#5

Dimpuls_97 said:
i find this fascinating but i’m not going to lie i have no idea who to carry out something like this. i’m keen to learn though. where do i start?

check his channel:

t.me

Telegram: Contact @cndbank

t.me

Idman007

Active Carder

Jan 29, 2025

#6

Lincoln said:
View attachment 52902Sharing a good method that still works on some stores that use the card gate gateway(typically used by invision forums):
Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).

Usage:
1. Change values of the constants (see below for TARGET & ORDER*)
2. Host this script somewhere (must be bulletproof vps or cpanel from Https://blacknic.pro)
3. Register a merchant at https://cardgate.com
4. Sign into "My CardGate" dashboard
5. Add fake site or choose existing one
6. Click "Setup your Webshop" button in site preferences
7. Paste the URL of this script into the pop-up window and click "Save"
8. The target store the settings of your site, enjoy :]

Note: It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.

Script (save it as gateway.php in a publicly accessible folder with permission 775):
*** Hidden text: cannot be quoted. ***

To run it, go to your-url.tld/gateway.php
If you have questions like… ?HOW TO FIND MANY POTENTIAL TARGETS? dm or contact my support:

Telegram: Contact @cndbank

t.me

C

carder2025

Active Carder

Feb 3, 2025

#7

Lincoln said:
View attachment 52902Sharing a good method that still works on some stores that use the card gate gateway(typically used by invision forums):
Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).

Usage:
1. Change values of the constants (see below for TARGET & ORDER*)
2. Host this script somewhere (must be bulletproof vps or cpanel from Https://blacknic.pro)
3. Register a merchant at https://cardgate.com
4. Sign into "My CardGate" dashboard
5. Add fake site or choose existing one
6. Click "Setup your Webshop" button in site preferences
7. Paste the URL of this script into the pop-up window and click "Save"
8. The target store the settings of your site, enjoy :]

Note: It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.

Script (save it as gateway.php in a publicly accessible folder with permission 775):
*** Hidden text: cannot be quoted. ***

To run it, go to your-url.tld/gateway.php
If you have questions like… ?HOW TO FIND MANY POTENTIAL TARGETS? dm or contact my support:

Telegram: Contact @cndbank

t.me

ty

C

crazywally

Active Carder

Feb 3, 2025

#8

Lincoln said:
View attachment 52902Sharing a good method that still works on some stores that use the card gate gateway(typically used by invision forums):
Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).

Usage:
1. Change values of the constants (see below for TARGET & ORDER*)
2. Host this script somewhere (must be bulletproof vps or cpanel from Https://blacknic.pro)
3. Register a merchant at https://cardgate.com
4. Sign into "My CardGate" dashboard
5. Add fake site or choose existing one
6. Click "Setup your Webshop" button in site preferences
7. Paste the URL of this script into the pop-up window and click "Save"
8. The target store the settings of your site, enjoy :]

Note: It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.

Script (save it as gateway.php in a publicly accessible folder with permission 775):
*** Hidden text: cannot be quoted. ***

To run it, go to your-url.tld/gateway.php
If you have questions like… ?HOW TO FIND MANY POTENTIAL TARGETS? dm or contact my support:

Telegram: Contact @cndbank

t.me

Report

F

fxckthafedzz

Carding Novice

Feb 3, 2025

#9

sweeeet

M

mtnak7

Basic

Feb 3, 2025

#10

hm

S

Seboxxx

Active Carder

Feb 3, 2025

#11

Lincoln said:
View attachment 52902Sharing a good method that still works on some stores that use the card gate gateway(typically used by invision forums):
Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).

Usage:
1. Change values of the constants (see below for TARGET & ORDER*)
2. Host this script somewhere (must be bulletproof vps or cpanel from Https://blacknic.pro)
3. Register a merchant at https://cardgate.com
4. Sign into "My CardGate" dashboard
5. Add fake site or choose existing one
6. Click "Setup your Webshop" button in site preferences
7. Paste the URL of this script into the pop-up window and click "Save"
8. The target store the settings of your site, enjoy :]

Note: It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.

Script (save it as gateway.php in a publicly accessible folder with permission 775):
*** Hidden text: cannot be quoted. ***

To run it, go to your-url.tld/gateway.php
If you have questions like… ?HOW TO FIND MANY POTENTIAL TARGETS? dm or contact my support:

Telegram: Contact @cndbank

t.me

Thank you brother

P

pajama5

Carding Novice

Feb 4, 2025

#12

Lincoln said:
View attachment 52902Sharing a good method that still works on some stores that use the card gate gateway(typically used by invision forums):
Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).

Usage:
1. Change values of the constants (see below for TARGET & ORDER*)
2. Host this script somewhere (must be bulletproof vps or cpanel from Https://blacknic.pro)
3. Register a merchant at https://cardgate.com
4. Sign into "My CardGate" dashboard
5. Add fake site or choose existing one
6. Click "Setup your Webshop" button in site preferences
7. Paste the URL of this script into the pop-up window and click "Save"
8. The target store the settings of your site, enjoy :]

Note: It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.

Script (save it as gateway.php in a publicly accessible folder with permission 775):
*** Hidden text: cannot be quoted. ***

To run it, go to your-url.tld/gateway.php
If you have questions like… ?HOW TO FIND MANY POTENTIAL TARGETS? dm or contact my support:

Telegram: Contact @cndbank

t.me

Dope! Thanks!

P

Playboibb

Active Carder

Feb 10, 2025

#13

nice

P

pdlzi

Carding Novice

Mar 12, 2025

#14

pohuy me ya absolute

G

gandu420

Carding Novice

Mar 20, 2025

#15

ty

F

firebladekld

Carding Novice

Mar 23, 2025

#16

nice

J

Jayrush7

Carding Novice

Mar 25, 2025

#17

Definitely want to learn more about this

Lincoln said:
View attachment 52902Sharing a good method that still works on some stores that use the card gate gateway(typically used by invision forums):
Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).

Usage:
1. Change values of the constants (see below for TARGET & ORDER*)
2. Host this script somewhere (must be bulletproof vps or cpanel from Https://blacknic.pro)
3. Register a merchant at https://cardgate.com
4. Sign into "My CardGate" dashboard
5. Add fake site or choose existing one
6. Click "Setup your Webshop" button in site preferences
7. Paste the URL of this script into the pop-up window and click "Save"
8. The target store the settings of your site, enjoy :]

Note: It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.

Script (save it as gateway.php in a publicly accessible folder with permission 775):
*** Hidden text: cannot be quoted. ***

To run it, go to your-url.tld/gateway.php
If you have questions like… ?HOW TO FIND MANY POTENTIAL TARGETS? dm or contact my support:

Telegram: Contact @cndbank

t.me

definitely looking forward to learning some of these new skills

H

highzak222

Carding Novice

Mar 26, 2025

#18

Lincoln said:
View attachment 52902Sharing a good method that still works on some stores that use the card gate gateway(typically used by invision forums):
Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).

Usage:
1. Change values of the constants (see below for TARGET & ORDER*)
2. Host this script somewhere (must be bulletproof vps or cpanel from Https://blacknic.pro)
3. Register a merchant at https://cardgate.com
4. Sign into "My CardGate" dashboard
5. Add fake site or choose existing one
6. Click "Setup your Webshop" button in site preferences
7. Paste the URL of this script into the pop-up window and click "Save"
8. The target store the settings of your site, enjoy :]

Note: It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.

Script (save it as gateway.php in a publicly accessible folder with permission 775):
*** Hidden text: cannot be quoted. ***

To run it, go to your-url.tld/gateway.php
If you have questions like… ?HOW TO FIND MANY POTENTIAL TARGETS? dm or contact my support:

Telegram: Contact @cndbank

t.me

hi

P

petlove

Active Carder

Mar 26, 2025

#19

Lincoln said:
View attachment 52902Sharing a good method that still works on some stores that use the card gate gateway(typically used by invision forums):
Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).

Usage:
1. Change values of the constants (see below for TARGET & ORDER*)
2. Host this script somewhere (must be bulletproof vps or cpanel from Https://blacknic.pro)
3. Register a merchant at https://cardgate.com
4. Sign into "My CardGate" dashboard
5. Add fake site or choose existing one
6. Click "Setup your Webshop" button in site preferences
7. Paste the URL of this script into the pop-up window and click "Save"
8. The target store the settings of your site, enjoy :]

Note: It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.

Script (save it as gateway.php in a publicly accessible folder with permission 775):
*** Hidden text: cannot be quoted. ***

To run it, go to your-url.tld/gateway.php
If you have questions like… ?HOW TO FIND MANY POTENTIAL TARGETS? dm or contact my support:

Telegram: Contact @cndbank

t.me

thanks

K

kingskams

Carding Novice

Apr 12, 2025

#20

Abraham_Lincoln said:
View attachment 52902Sharing a good method that still works on some stores that use the card gate gateway(typically used by invision forums):
Lack of origin authentication (CWE-346) at IPN callback processing function allow (even unauthorized) attacker to remotely replace critical plugin settings (merchant id, secret key etc) with known to him and therefore bypass payment process (eg. spoof order status by manually sending IPN callback request with a valid signature but without real payment) and/or receive all subsequent payments (on behalf of the store).

Usage:
1. Change values of the constants (see below for TARGET & ORDER*)
2. Host this script somewhere (must be bulletproof vps or cpanel from Https://blacknic.pro)
3. Register a merchant at https://cardgate.com
4. Sign into "My CardGate" dashboard
5. Add fake site or choose existing one
6. Click "Setup your Webshop" button in site preferences
7. Paste the URL of this script into the pop-up window and click "Save"
8. The target store the settings of your site, enjoy :]

Note: It works perfectly in both Staging and Live modes, regardless of the current mode of the target shop.

Script (save it as gateway.php in a publicly accessible folder with permission 775):
*** Hidden text: cannot be quoted. ***

To run it, go to your-url.tld/gateway.php
If you have questions like… ?HOW TO FIND MANY POTENTIAL TARGETS? dm or contact my support:

Telegram: Contact @cndbank

t.me

..
L

You must log in or register to reply here.

Share:

Join our friendly and supportive carding forum – discussion, tips, and resources.
Visit the forum here

CrdPro Weekly Free Roulette – Join and Win! Every Monday!

Top Bottom