How I uploaded shell to big company's site

Started by AuroINS111, Nov 24, 2022, 03:52 AM


AuroINS111 (Topic starter)

I have lost my sleep schedule again, so here is a new story from me, which happened recently.
I do website layout, Python and C/C++ orders, etc. One fine day, a dude messages me and asks me to make him a website.

I am a person who does not intend to cheat anyone, only honest deals. Since people are often not very honest with me, I have my own method of processing orders. I make a website for a person, he uploads it to his hosting, and if everything is as in the TOR, then he pays and everyone is happy. But after all, many people, after I have worked on their order for days and nights, just come with a bunch of excuses, starting from the death of their beloved cat and ending with a phobia of HTML markup.
Well, I have provided for everything: I sew a shell into all site builds; in case of payment I cut it out, and if a person does not pay, then I may be offended)

So it happened: I made a website, I write to him, I upload it to his hosting, he changes all the passwords and throws me into an emergency... naïve : z ...
I start to rummage through the backdoor on his hosting, where, in addition to sites selling plastic dildos, I find one interesting site. I won't de-anonymize it, but the site is cool; as a developer, it would be very useful to me. "There is a time for work, and an hour for fun," I thought, downloaded this site, and instead of the sites I put up a picture of a hand-drawn ass with a big hello, well, a real Hottaby4 of our time.

When I installed his website on my hosting, I saw an error, but a strange one: it required some unknown engine that even Google could not find.
Do you think I stopped? No, I had plans for this site, I couldn't just back off.

I begin to study the entire site, its structure, and look for a hole in it.
I realized what kind of site it was, Googled it, and really found it.
I found an official site where this build is sold for $80.

I couldn't throw out 4k for this; once I started, the system is not 100% safe. I understood why the build would not install on my hosting: obviously there is a license binding.

Then I go to the website and I notice that they give a sample of their site (demo) for 1 hour. This is what I needed. I write to the contacts, I get a demo version, the link to which looks something like this: , that is, it is a subdomain of the main domain .
It's wonderful. I go to the admin panel, upload the shell and just rejoice: I have access to their 5 domains, all sites, full access to the engine, and in fact I could copy this whole thing / dump it / sell it / blackmail the admins / demolish everything, but I didn't do that. I saw how much effort was put into this site (quite popular) and I did not do as my bastard customer did. I just deliberately exposed my mail so that the admins would write back, and waited.

The admins are just handsome: they wrote back to me and fixed the bug in 5 hours, and I got a free license and helped get rid of the bug.
Therefore, put yourself in the place of others, and then you see how it turns out: the customer was left with an ass, and although I did not receive payment from him, I received it anyway, and the admins are satisfied.


The logic of the performer is a little unclear: "I made a website, uploaded it to hosting and am waiting for payment". Why not host it on my own computer and show it to the customer? For example, this is how it happens with me: I make a website for someone, give a link on my domain (costs a penny), and the customer looks at the site.
If he likes it, he pays and I give him the whole site; if he doesn't like it, I finish some things. IMHO it's easier to do this than to rely on the honesty of the customer.


I'm writing for Android, and thanks to Java I can move to the desktop. For projects you need to make websites, so in general you have to do the layout yourself (for me, this is still a hassle).
I write a little in C++ for iOS, but more precisely, if I say it, I am studying it, and I don't write in it in a big way.

2 years have already been spent on self-study.
I think that in order to say that I am fluent in this entire stack, it will take another 3+ years.


There have been various IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) systems for a long time; the idea of automatically monitoring resources is not new. Although it is unlikely that this topic concerns web developers. This is more likely the duty of the sysadmin, to configure the server correctly.

IMHO: it seems to me impossible to be at the same time a cool admin who knows all the perks of various configurations and a cool web developer who knows various methods of attacks on web applications and knows how to write code without holes.
At one time I tried to master both, but programming outweighed on the scales; it's easier to write a reliable application than to suffer with server settings (after all, this is the task of the host, which we pay him for).

Of course, no one has canceled personal security measures: do not send passwords in plain text by IM or mail, do not store passwords in plain text, do not save passwords in FTP managers, browsers and other Total Commanders, do not let a virus onto your work computer (use Unix and install open source software), use TrueCrypt and Git for data backup (I have a crypto container with projects in Dropbox, and there are repositories).