Web Hacking Expert Required!

Status
Closed for further replies.

vnm (HDD-drive, banned) · Registered: 21.05.2025 · Messages: 41 · Reactions: 3
Please note that this user is banned
Been working on a webpage with

running PHP/7.3.14
running nginx/1.16.1

Any Web Hacking Expert Who Can Exploit a PHP Website with the running php & nginx versions

What Will Be Your Role?

Check for unpatched PHP unserialize vulns, or path traversal via NGINX misconfigs. Also look for exposed .git, backup files, or misconfigured vhosts. If Redis is open on the default port or not password protected, it's game over.
Could be low-effort opsec all around. Worth probing quietly.

Payment Terms;
Regarding payments,
There will be two splits
- I want you to show me a live manipulation: change the numbers or preset them before they are on the page
So this will confirm you have full control over the results
Which will release the first half of the payments

And regarding the second half either you can make a control panel for me to set the numbers myself
Delivering it will release the second half

Bonus;
Payments will be Released For The Work + I Will Be Offering Monthly Margins From My Work Every Month So You Can Maintain The Exploit And Keep Updating it

How Much Are We Talking About?
$1500 Per Split & Monthly Margins As Per Our Growth

Target Analysis:
It is a result page which draws numbers

The site is built on EOL PHP and is running on an EOL nginx version as well. I want to achieve RCE, which in the end could result in getting a shell onto the server that hosts the site. With this, I want you to make a panel to potentially exploit the content that is loaded onto the site.

Extras;
By analyzing the behavior of the site, I was able to demonstrate that the data displayed on the front-end (drawing results such as 233-82-336). The site's back-end server uses an unofficial client, listens to incoming messages, parses the results, and injects them into a database or cache (probably Redis).


Technical steps of the analysis
1. Observation of data patterns
By observing several pages of the site, we consistently find strings like:
KALYAN: 233-82-336
SRIDEVI: 137-14-257
The format is constant, indicating automated parsing.

2. Network inspection
The site does not make any visible external API calls to fetch the results.
The results appear synchronously, suggesting a real-time feed from an external source.
There is no public WebSocket or call to a public database → thus, it is a private source + hidden back-end.
 
I don't think you can't get the desired result because they manually pull cards every time and they know the numbers (Patta, Single and Jod). Even if you manipulate the result (by inserting the desired number), they know their system's breached... just my thoughts.
 
Please note that this user is banned
I am a bookmaker; even if we are not able to manipulate, just a watch panel is enough, as there are 50 markets, and even if I just have daily preset information, I can exploit it
 
Maybe it's possible (not with the famous Kalyan or Satyam) but with a little player who draws results by some kind of backend software (there's a little chance), but yeah, if you find it, you make millions :)
 
Please note that this user is banned
As I am new to XSS, if you know any real expert who understands the seriousness of the work and can give time for it, kindly inform me
 
Please note that this user is banned
Still Looking For Someone!
 
Please note that this user is banned
Fed Up Of Scammers!
If there is a Real Expert, Kindly Reach Out
 
Please note that this user is banned
I don't think it's a good idea when I have zero reach on my thread
 