How I Hacked a Fake DMart Website and Took It Down!
Summary
A WhatsApp forward about a fake DMart giveaway led cybersecurity researcher Vinay Kumar to investigate a fraudulent website.
The site was set up to steal users’ data under the pretense of a rewards system.
After answering questions and selecting a gift, users were asked to share the scam with others on WhatsApp to “claim” the reward.
By inspecting the JavaScript and modifying the code, Kumar was able to proceed through the scam's flow without having to share the message on WhatsApp.
He was then able to obtain the site’s data and found logs of stolen user data including names, phone numbers and email addresses.
Using a Server-Side Template Injection (SSTI) vulnerability, he crafted a payload to achieve remote code execution on the server, taking over the fraudulent website and taking it down.