Hacking into Scammers Portal
Last night one of my friends, Shivanshu, shared a link in our WhatsApp group: a phishing link he had received from a girl on his Instagram.
The attackers were using these phishing pages to hijack FB/Insta/Twitter/Steam etc. accounts and then message the victims' relatives and friends asking for money.
Since the messages came from the victims' real accounts, people would send money to the attackers' PayPal/GPay numbers.
So Shivanshu and I decided to check these links and dig for information using OSINT techniques.
When inspecting the links we found that the attackers had made phishing pages for almost all social platforms.
Upon checking the parameters and directories we found that directory listing was enabled, and the admin of these phishing pages had uploaded the phishing kits for all platforms in a zip and forgotten to delete it xD
On checking the files we found that all captured details were being sent to a single website:
https://www.smikta.info/live.php
On checking the website we found that it's an entire CMS for scammers, used for phishing on almost all social platforms ;-;
While checking the parameters we found an SQLi in an insert query. xD
Coming to the SQLi: we noticed that every phishing link has a profileid parameter, unique to each user registered on the website, so that the captured details are delivered to that user's portal.
So we thought, why not break into the attackers' accounts and check what's in there?
I did an XPath injection using extractvalue, but there was a WAF, so I used the old inline-comment trick to get past the StackPath WAF.
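As a defender-side illustration, added here and not part of the original post: the inline-comment trick works because a brittle signature rule looks for "extractvalue(" literally, and "Extractvalue/**/(" never matches it. Normalising the request (URL-decode, strip comments, collapse whitespace) before matching closes that gap. The sample request bodies below are constructed for the demo, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample POST bodies (not real traffic): one shaped like the
# comment-padded extractvalue/make_set payload the post describes, one benign.
SAMPLES = {
    "padded": ("email=ad&pwd=x&profileid=abc%3D' and Extractvalue/**/(1,"
               "make_set/**/(511,1,(select 1)))/**/and '',''%23"),
    "benign": "email=alice%40example.com&pwd=correct+horse+battery",
}

# MySQL functions typically abused for error-based data extraction.
SQLI_FUNCS = ("extractvalue", "updatexml", "make_set")


def naive_flag(body: str) -> bool:
    """Brittle rule: look for 'func(' literally in the raw body.
    Fails as soon as the name is separated from '(' with /**/."""
    low = body.lower()
    return any(f + "(" in low for f in SQLI_FUNCS)


def normalize(body: str) -> str:
    """Canonicalise a request body before signature matching:
    URL-decode, unwrap MySQL versioned comments (/*!50000 ... */ is
    executed by MySQL, so its contents are kept), drop plain /* ... */
    comments, collapse whitespace, lowercase."""
    text = unquote_plus(body)
    text = re.sub(r"/\*!\d*(.*?)\*/", r"\1", text, flags=re.S)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"\s+", " ", text).lower()


def normalized_flag(body: str) -> bool:
    """Same signatures, matched on the normalised form and tolerating
    whitespace between the function name and its opening parenthesis."""
    norm = normalize(body)
    return any(re.search(r"\b" + f + r"\s*\(", norm) for f in SQLI_FUNCS)


def scan(bodies: dict) -> dict:
    """Return {label: (naive_hit, normalized_hit)} for each sample body."""
    return {k: (naive_flag(v), normalized_flag(v)) for k, v in bodies.items()}


if __name__ == "__main__":
    for label, (naive, norm) in scan(SAMPLES).items():
        print(f"{label:7s} naive={naive} normalized={norm}")
```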
Checking the User Count (Scammers Count) on Website
Payload: email=ad&pwd=sdsd&ramadhan=780169154.php?profileid%3DMWNjNjhiMjM4MTg0NjVhOTk2ZGY%3D' and Extractvalue/**/(1,make_set(511,1,(select count(user_email) from Hemza_users limit 0,1)))/**/and '','')%23
Wew, 15,74,016.
Nothing much, just 15 lakh (1.5 M) scammer user accounts.
Let's find our guy.
Payload: email=ad&pwd=sdsd&ramadhan=780169154.php?profileid%3DMWNjNjhiMjM4MTg0NjVhOTk2ZGY%3D' and Extractvalue/**/(1,make_set(511,1,(select user_email from Hemza_users where user_id ='779858668' limit 0,1)))/**/and '','')%23
We found the email and username, cracked the password, and were able to log into his account.
Arushhrt:jsumitk@gmail.com:password(hidden)
This guy had 75xx account details captured through his phishing pages.
And in the last 24 hours: 100.
Wait, this was just a single account on the website; how about the entire website database? xD
Let's check.
49,04,464 (4.9 million, and still going)
Why not check the admin details of the website?
Admin email: admin@arspam.com
Admin username: HemzaPM
Scamming website: www.smikta.net
This website even has a FB page with 82K followers.
We even logged into his account and checked: the admin receives the details of every victim who falls into the trap of any user's phishing page.
Just think: an entire CMS dedicated to phishing and scamming.
Anyway, we want nothing to do with the victims' or attackers' data; just be careful with these links.