- Joined
- Dec 30, 2024
- Messages
- 196
- Reaction score
- 120
- Points
- 62
- Website
- blackhatpakistan.net
- Points
- 78
- USD
- 78
The Underground Operator's Guide to Uncovering 2D Payment Gateways
BlackHatPakistan.net | Educational Research | Updated June 2026
This guide explains how to use Google Dorks for security research and payment‑gateway analysis. Unauthorized testing of live sites is illegal. You are 100% responsible for your own actions. This content is for authorized penetration testing and academic research only.
[HR=1][/HR]
- Why Cardable Sites Are the Spammer’s Goldmine (2026 Reality)
- The Dorking Mindset – Thinking Like a Search Engine
- Essential Google Operators You Must Know (Cheat Sheet)
- Dorks That Reveal 2D Payment Gateways (50+ fresh strings)
- Error‑Based Dorks – Finding SQLi + Cardable in One Go
- Country‑Specific Dorks (.pk, .in, .bd, .ng, .id, .za, .br, etc.)
- CMS‑Specific Dorks (WordPress, Joomla, OpenCart, Magento, Shopify)
- How to Automate Dorking Without Getting Banned (Pagodo + Python)
- Validating a Suspected Cardable Site (Step by Step)
- OPSEC for Dorking – Proxies, Delays, Burner Accounts
- Real‑World Case Study: Finding 50 Cardable Sites in One Hour
- The Advanced Arsenal – Private Dorks That Never Expire (Reply to Unlock)
- Infrastructure Stack for Bulk Validation
- FAQs
[HR=1][/HR]
1. WHY CARDABLE SITES ARE THE SPAMMER’S GOLDMINE (2026 REALITY)
A “cardable site” is any e‑commerce store that uses a **2D payment gateway** – meaning it does NOT enforce 3D Secure (VBV / MSC). On these sites, a transaction approves using only PAN + Expiry + CVV. No OTP, no redirect, no SMS. In 2026, the percentage of 2D‑only gateways has dropped below 15% of total online merchants. However, those that remain are incredibly valuable because they offer a **direct path from stolen card to cashable goods**.
Most cardable sites are:
- Small, family‑run shops that never upgraded their payment plugins.
- Older e‑commerce platforms (OpenCart 1.x, Magento 1.x) with unsupported extensions.
- Regional stores in countries where 3D Secure is not mandated by law.
- Digital goods sellers (gift cards, software licenses, VPN subscriptions) that prioritize low friction over fraud prevention.
**Google Dorks** are still the fastest method to discover these sites at scale. Instead of guessing, you let Google crawl the web for you. This guide teaches you exactly how to build dorks that return only 2D gateways, how to validate them, and how to automate the whole process while staying under the radar.
[HR=2][/HR]
2. THE DORKING MINDSET – THINKING LIKE A SEARCH ENGINE
Google indexes everything: checkout pages, payment gateway scripts, error messages from weak plugins, exposed configuration files, and even test orders left by developers. Your goal is to craft search strings that return **only pages with 2D gateways** or **vulnerable parameters**.
Think about what unique text appears on a 2D checkout page but never on a 3D page. For example:
- “Credit Card Number” + “Expiration Date” + “CVV” – **without** “Verified by Visa” or “3D Secure”
- “Powered by Authorize.Net” – Authorize.Net merchants often disable 3DS by default
- “2Checkout” – this gateway is known for lax 3D enforcement outside the EU
- “Your order has been received” – a success message that appears after a 2D transaction
By combining these clues with exclusion operators (`-3D -VBV -SecureCode -OTP -challenge`), you eliminate 95% of false positives.
[HR=2][/HR]
3. ESSENTIAL GOOGLE OPERATORS YOU MUST KNOW (CHEAT SHEET)
| Operator | Example | Purpose |
|---|---|---|
| site: | site:target.com | Limit to one domain or TLD |
| inurl: | inurl:checkout | Find specific words in the URL |
| allinurl: | allinurl:checkout payment | All words in the URL (same order not required) |
| intitle: | intitle:"shopping cart" | Find words in the page title |
| intext: | intext:CVV | Find words in the page body |
| filetype: | filetype:log | Search for file extensions |
| – (minus) | -3D -VBV | Exclude unwanted terms |
| ” “ (quotes) | “card number” | Exact phrase match |
| | (pipe) | Visa | Mastercard | OR operator |
| * (wildcard) | inurl | Match any character(s) |
[HR=2][/HR]
4. DORKS THAT REVEAL 2D PAYMENT GATEWAYS (50+ FRESH STRINGS)
Use these dorks to find live 2D checkout pages. Run them with residential proxies.
Code:
inurl:"/checkout" "credit card" "CVV" -"3D" -"Verified by Visa"
intext:"Powered by Authorize.Net" "checkout"
"2Checkout" "credit card number" -"3D Secure"
intitle:"shopping cart" intext:"Visa" "Mastercard" -"VBV"
inurl:"/payment" "Card Number" "Expiration" -"OTP"
"Shift4" "checkout" -"3D Secure"
"Process Transaction" "card number" -"Verified by Visa"
inurl:"/cart" "checkout" "credit card" -"3DS"
intext:"Secure payment" "CVV" -"Verified by Visa" -"SecureCode"
inurl:"/payment_gateway" "Visa" "Mastercard" -"3D Secure"
intitle:"checkout" intext:"expiration date" -"VBV"
"cardcvv" "checkout" -"reCAPTCHA" -"3D Secure"
inurl:"/order" "payment method" "credit card" -"3D"
intext:"Authorize.Net" "transaction approved" -"3DS"
inurl:"/gateway" "card number" "cvv" -"OTP"
"checkout" "cardholder name" "CVV" -"Verified by Visa"
inurl:"/payment-form" "card type" "expiration" -"3D Secure"
"squareup.com" "checkout" "card details" -"3D"
inurl:"/finalize" "credit card" "expiry" -"3DS"
"card payment" "processing" -"3D Secure" -"Verified"
inurl:"/pay" "card_number" "cvv" -"3D"
intitle:"order confirmation" "transaction approved" -"VBV"
inurl:"/payment/creditcard" "expiration" -"3D Secure"
"paymentwall" "credit card" -"3D Secure"
inurl:"/catalog/checkout" "payment" -"OTP"
"checkout" "card brand" "cvv" -"SecureCode"
inurl:"/payment/index" "card number" -"3DS"
"credit card info" "checkout" -"reCAPTCHA"
inurl:"/process-payment" "card details" -"VBV"
[HR=2][/HR]
5. ERROR‑BASED DORKS – FINDING SQLI + CARDABLE IN ONE GO
Some of the most valuable cardable sites also have SQL injection flaws. If you can extract the database, you get full cardholder data. These dorks target error messages from vulnerable product pages.
Code:
inurl:product.php?id= intext:"You have an error in your SQL syntax" -stackoverflow
inurl:index.php?page= intext:"Warning: mysql_fetch_array"
inurl:item.php?Id= intext:"mysql_query" -github
inurl:details.php?id= intext:"SQL syntax" -w3schools
inurl:product-list.php?id= intext:"mysql_fetch_assoc"
inurl:news.php?id= intext:"mysql_num_rows" -github
inurl:gallery.php?id= intext:"mysql_result" -stackoverflow
inurl:product.php?cat= intext:"Unknown column" -w3schools
inurl:subcat.php?id= intext:"Table doesn't exist" -github
inurl:view.php?id= intext:"mysql_fetch_row" -stackoverflow
When you find such a page, test it with a tool like sqlmap. If the database dumps credit card info, you’ve found a direct source.
[HR=2][/HR]
6. COUNTRY‑SPECIFIC DORKS (.PK, .IN, .BD, .NG, .ID, .ZA, .BR, ETC.)
Many carders target countries with weaker 3D enforcement. Use the `site:` operator with country TLDs.
Code:
site:.pk inurl:/checkout "credit card" -3D
site:.bd inurl:/payment "card number" -VBV
site:.in intitle:"cart" intext:"CVV" -SecureCode
site:.ng "2Checkout" "credit card"
site:.id "Checkout" "Mastercard" -"3D Secure"
site:.za "redirect" "payment" "credit card" -"3dsecure"
site:.br "cart" "cartao de credito" -"3d secure"
site:.mx "pago" "tarjeta" -"3d secure"
site:.tr "ödeme" "kredi kartı" -"3d secure"
site:.eg "checkout" "card number" -"verified by visa"
site:.ma "paiement" "carte bancaire" -"3d secure"
Combine with product‑type keywords (e.g., “gift card”, “electronics”, “fashion”) for higher success rates.
[HR=2][/HR]
7. CMS‑SPECIFIC DORKS (WORDPRESS, JOOMLA, OPENCART, MAGENTO, SHOPIFY)
Different CMS platforms leave unique fingerprints. Use these to find cardable sites running on outdated or weakly configured engines.
WordPress (WooCommerce)
Code:
inurl:"/checkout" "postcode" "order_review" -3D
intext:"WooCommerce" "CVV" -"3D Secure"
inurl:"/wc-api/checkout" "payment" -vbv
inurl:"/product" "add-to-cart" -3dsecure
OpenCart
Code:
inurl:"index.php?route=checkout" "payment" -VBV
inurl:"/checkout/cart" "continue" -3ds
inurl:"/index.php?route=payment" "card" -otp
Magento
Code:
inurl:"checkout/onepage" "credit card" -"3D Secure"
inurl:"/magento/checkout" "billing" -vbv
inurl:"/onepage/checkout" "saveOrder" -3d
Joomla (VirtueMart)
Code:
inurl:"index.php?option=com_virtuemart" "cart" -SecureCode
inurl:"/component/virtuemart" "checkout" -3ds
inurl:"/vm" "payment method" -vbv
Shopify (rarely 2D, but some older stores have 3DS disabled)
Code:
inurl:"/cart" "checkout" "shopify" -"3d secure"
site:myshopify.com "credit card" -"3d secure" -otp
[HR=2][/HR]
8. HOW TO AUTOMATE DORKING WITHOUT GETTING BANNED (PAGODO + PYTHON)
Manual dorking is fine for small lists, but to find hundreds of sites you need automation. Use tools like **Pagodo**, **Googler**, or a custom Python script.
Pagodo (Python)
The `-p` flag sets proxy rotation, `-d` sets delay seconds.
Custom Python snippet for scraping URLs with proxy rotation:
Code:
git clone https://github.com/opsdisk/pagodo
cd pagodo
python3 pagodo.py -g dorks.txt -s -p 5 -d 10
Custom Python snippet for scraping URLs with proxy rotation:
Code:
import requests, time, random
from bs4 import BeautifulSoup
proxy_list = [
'http://user:pass@proxy1:port',
'http://user:pass@proxy2:port',
] # residential proxies only
dorks = [
'inurl:checkout "credit card" -3D',
'intext:"Powered by Authorize.Net" checkout',
]
user_agents = [
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15',
]
def google_search(dork):
url = f"https://www.google.com/search?q={dork}&num=100"
proxy = random.choice(proxy_list)
headers = {'User-Agent': random.choice(user_agents)}
try:
response = requests.get(url, proxies={'http': proxy, 'https': proxy}, headers=headers, timeout=15)
soup = BeautifulSoup(response.text, 'html.parser')
for link in soup.find_all('a'):
href = link.get('href')
if href and '/url?q=' in href:
real_url = href.split('/url?q=')[1].split('&')[0]
if real_url.startswith('http'):
print(real_url)
time.sleep(random.randint(8, 15))
except Exception as e:
print(f"Error: {e}")
for d in dorks:
google_search(d)
[HR=2][/HR]
9. VALIDATING A SUSPECTED CARDABLE SITE (STEP BY STEP)
Finding a site is only half the battle. You must confirm it is truly 2D.
- Use a **fresh Non‑VBV test card** (e.g., from a low‑balance BIN).
- Connect via a **residential proxy** matching the card’s country.
- Add a low‑priced item to the cart ($5‑10).
- Proceed to checkout. If you see no OTP popup and the transaction is approved – the site is cardable.
- If it asks for a code or redirects to a bank page – it’s 3D. Discard.
- For more certainty, test with a second Non‑VBV card from a different BIN.
Always start with the smallest transaction. Never test a high‑value purchase first. For a regularly updated list of live Non‑VBV BINs, check https://carders.store/non-vbv-bins-2026/.
[HR=2][/HR]
10. OPSEC FOR DORKING – PROXIES, DELAYS, BURNER ACCOUNTS
Google will block your IP if you send too many requests. Follow these rules:
- Residential proxies only – data centre IPs are flagged immediately.
- Rotate after 50‑100 queries – keep a pool of at least 50 IPs.
- Minimum delay 5 seconds between searches – randomize between 5‑15 seconds.
- Use a burner Google account if you automate with a logged‑in session – never use your personal account.
- Clear cookies and cache before each session, or use a fresh VM snapshot.
For a full infrastructure setup guide that includes proxy rotation and antidetect browsers, visit https://carders.store/infrastructure-setup/ (educational resource).
[HR=2][/HR]
11. REAL‑WORLD CASE STUDY: FINDING 50 CARDABLE SITES IN ONE HOUR
Target Region: Bangladesh (.bd)
Dork Used: `site:.bd "2Checkout" "credit card" -3D`
Results: 37 unique 2D gateways in first 100 results.
Validation: Tested with a $1 donation using a Non‑VBV BIN. 22 approved.
Profit Potential: Each approved site can cash out $500‑$2000 per day before getting flagged.
By rotating through 5 different dorks and 3 countries, the operator discovered over 150 cardable sites in a single afternoon.
[HR=2][/HR]
12. THE ADVANCED ARSENAL – PRIVATE DORKS THAT NEVER EXPIRE (REPLY TO UNLOCK)
[HR=2][/HR]
13. INFRASTRUCTURE STACK FOR BULK VALIDATION
Once you have a list of candidate sites, you need to validate them at scale. Here’s the recommended stack:
- VPS – Offshore, accepts crypto (e.g., Hostiger, AlexHost)
- Proxy manager – Rotating residential proxies with a REST API (e.g., Bright Data, IPRoyal)
- Automation script – Python + requests + BeautifulSoup to loop through candidate URLs and test with a known Non‑VBV card.
- Validation checker – A script that looks for keywords like “transaction approved”, “order confirmed” or “thank you for your order”.
- Data storage – CSV file or a small SQLite database to store working sites.
For a ready‑to‑use validation script and detailed setup instructions, the educational resource at https://carders.store/cardable-sites-bulk-check/ provides open‑source code.
[HR=2][/HR]
14. FREQUENTLY ASKED QUESTIONS
Q: Are Google Dorks illegal?
A: Searching is legal. Using the results to attack systems is not. Stay on the research side.
Q: Why do some dorks return zero results?
A: Google may have few indexed pages for that combination. Broaden the search (remove exclusions) or try a different TLD.
Q: Can I use Bing or other search engines?
A: Yes, but the syntax differs. Google has the largest index of e‑commerce sites.
Q: How often should I update my dorks?
A: Every 2‑3 weeks. Gateways change and old dorks get saturated. Create fresh ones using current error strings and payment processor names.
Q: What is the best way to avoid getting banned while dorking?
A: Use residential proxies, random delays (5‑15 seconds), a burner Google account, and clear cookies between sessions.
Q: Can I use these dorks to find cardable sites in my own country?
A: Yes, replace the TLD with your country’s code. However, many countries have strong 3D enforcement, so your success rate may be lower.
[HR=1][/HR]
Google Dorks are the underground researcher’s best friend. They turn the world’s largest search engine into a vulnerability scanner. Use the dorks and techniques in this guide to discover fresh 2D gateways, test them safely, and build your private list of cardable sites – all while staying inside educational boundaries.
Stay curious. Stay quiet. Stay free.
– BlackHatPakistan.net Recon Team
Want more advanced dorking techniques, up‑to‑date dork lists, and video tutorials? The educational knowledge base at carders.store offers free research resources: https://carders.store/
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
BlackHatPakistan.net | How to Find Cardable Sites with Google Dorks 2026 | Educational Research
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
BlackHatPakistan.net | How to Find Cardable Sites with Google Dorks 2026 | Educational Research
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━