HEX
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.30
System: Linux iZj6c1151k3ad370bosnmsZ 3.10.0-1160.76.1.el7.x86_64 #1 SMP Wed Aug 10 16:21:17 UTC 2022 x86_64
User: root (0)
PHP: 7.4.30
Disabled: NONE
$ pwd: /var/www/html/breadsecret.com_bak20260330/qfpay/
Upload Files
File: /var/www/html/breadsecret.com_bak20260330/qfpay/payment.php
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>breadsecret.com Checkout</title>
</head>
<body> 
 <a id="standard">Go To Payment - #<?=$_GET['order_id'];?></a>
 <br>
 <a id="pay_success" href="https://test.breadsecret.com/qfpay/payment_success.php">Success Page</a>
 <br>
 <a id="pay_fail" href="https://test.breadsecret.com/qfpay/payment_fail.php">Fail Page</a>
 <br>
 <a id="pay_notify" href="https://test.breadsecret.com/qfpay/payment_notify.php">Notify Page</a> 

</body>
<script src="https://cdn.bootcss.com/blueimp-md5/2.10.0/js/md5.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/js-sha256/0.9.0/sha256.min.js"></script>
<script> 

function makeid(length) {
    let result = '';
    const characters = '0123456789';
    const charactersLength = characters.length;
    let counter = 0;
    while (counter < length) {
      result += characters.charAt(Math.floor(Math.random() * charactersLength));
      counter += 1;
    }
    return result;
}



window.onload = function(){

  var order_id = '<?=$_GET['order_id'];?>'

  console.log(order_id)

  var amountString = '<?=$_GET['amount']*100;?>'
  var today = new Date();
  var timeString = today.getFullYear() + "-" +
  ("00" + (today.getMonth() + 1)).slice(-2) + "-" +
  ("00" + today.getDate()).slice(-2) + " " +
  ("00" + today.getHours()).slice(-2) + ":" +
  ("00" + today.getMinutes()).slice(-2) + ":" +
  ("00" + today.getSeconds()).slice(-2)

  var outTradeNo = makeid(20)

  let standard = document.getElementById('standard')
  let origin = 'https://openapi-hk.qfapi.com/checkstand/#/?'
   let obj = {
    appcode: "FB39698329554171A179031DCAE6EEE7",
    goods_name: "BSB Products",
    out_trade_no: outTradeNo,
    paysource: "remotepay_checkout",
    return_url: "https://test.breadsecret.com/qfpay/payment_success.php?source=bsb&type=order&id="+order_id+"&ref_no="+outTradeNo+"&gw_url="+origin,
    failed_url: "https://test.breadsecret.com/qfpay/payment_fail.php?source=bsb&type=order&id="+order_id+"&ref_no="+outTradeNo+"&gw_url="+origin,
    notify_url: "https://test.breadsecret.com/qfpay/payment_notify.php?source=bsb&type=order&id="+order_id+"&ref_no="+outTradeNo+"&gw_url="+origin,
    sign_type: "sha256",
    txamt: amountString.toString(2),
    txcurrcd: "HKD",
    txdtm: timeString
   }

   let api_key = "C5856334C6624CEBB1A5C7307718E93D"
   let params = paramStringify(obj) 
   let sign = sha256(`${params}${api_key}`)

   //console.log(obj.out_trade_no);
   console.log(obj.return_url);
   //console.log(obj.txamt);
   //console.log(obj.txdtm);

   var url = `${origin}${paramStringify(obj,true)}&sign=${sign}`
   
   //standard.setAttribute('href', `${origin}${paramStringify(obj,true)}&sign=${sign}`)
   //standard.click();
   
   window.location.href = url
}   

function paramStringify(json,flag) {
  let str = "";
  let keysArr = Object.keys(json);
  keysArr.sort().forEach(val => {
    if (!json[val]) return;
    str += `${val}=${flag ? encodeURIComponent(json[val]) : json[val]}&`;
  });
  return str.slice(0, -1);
}

</script>
</html>
@ Telegram