How we hacked one of the world's largest cryptocurrency websites

Bug Bounty

One of the world's largest cryptocurrency sites was hacked by the Strynx team, who found a flaw exposing multiple vulnerabilities that could have led to the loss of millions of dollars. One of the team members shares his point of view on how we discovered such a critical issue involving the data of millions of users.

Here's how we discovered it:

The testing began in two phases: manual and automated recon.

The main purpose was the discovery of an HTTP API that could be accessed and exploited via a few commands. Manual recon is always preferred because it keeps you independent of particular scripts and tools. Automated tools make things simple but consume a lot of time and throw out a lot of false positives, whereas manual recon eliminates false positives and surfaces issues much faster.

To begin, the website was behind Cloudflare. There are various methods of retrieving the actual origin server IP, but Censys is generally preferred: fast and accurate results make the recon process much quicker. There are various tools used for automated recon and Censys is one of the best to use; we'll deep dive into some of these tools in the next blog. After obtaining the IP, port scanning was performed. Nmap was used to discover all open ports and services that could potentially be used to take over the server or cause harm to the company. No unusual ports were found except for port 443, used for the website. The website was blockchain-based, and it is often assumed that sites dealing with blockchain are secure and no harm can be done. That was not the case here. Below we show how this server was exploited using various methodologies, including exploiting and chaining several issues.

On exploring the website, it was seen that each request to the site was accompanied by a CSRF token. For those who don't know what a CSRF token is: it is a unique secret with an unpredictable value, generated server-side, so that it cannot be guessed by a script that sends a request on behalf of the target user. Like a captcha, it changes for every request. It was observed that there was an endpoint which was called to generate the CSRF token. Thus, to automate the process of manually inserting a new CSRF token into each request, a Python script was developed. If you want to know how it was done, refer to this link: And it was time to deep dive.

Here is the short code snippet we used:

import cmd
import requests
from bs4 import BeautifulSoup

HEADERS = {}
# Placeholder session cookie, as in the original snippet.
COOKIES = {"PHPSESSID": "a1sw4s4e7s4s55w6s6sw8s5q2a"}


class Terminal(cmd.Cmd):
    prompt = '>'

    def __init__(self):
        super().__init__()
        # Fetch the page once to obtain the initial CSRF token from the
        # hidden <input name="token"> field.
        url = "url"    # placeholder for the token-generating endpoint
        response = requests.get(url, headers=HEADERS, cookies=COOKIES)
        soup = BeautifulSoup(response.text, 'html.parser')
        self.token = soup.find('input', {'name': 'token'})['value']

    def default(self, line):
        # Each line typed at the prompt is appended to the payload prefix and
        # sent in the hidden `db` parameter together with the current CSRF
        # token, so a fresh token never has to be pasted in by hand.
        injection = "example" + line
        print(injection)
        url = "example.coin"    # placeholder for the login endpoint
        data = {
            "username": "b",
            "password": "a",
            "db": injection,
            "token": self.token,
            "login": "",
        }
        response = requests.post(url, headers=HEADERS, cookies=COOKIES, data=data)
        soup = BeautifulSoup(response.text, 'html.parser')

        # The application only renders a page with a new token when the
        # request did not raise a PDOException; keep the old token otherwise.
        if "PDOException" not in response.text:
            self.token = soup.find('input', {'name': 'token'})['value']


if __name__ == "__main__":
    Terminal().cmdloop()
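
For contrast, here is the server side of such a token scheme, as an added example that is not code from the original post or from the target site: a per-session random token that is compared in constant time and rotated on every request. The class and function names and the in-memory store standing in for the PHP session are assumptions.

```python
import hmac
import secrets


class CsrfTokens:
    """Server-side token store (assumed name); a dict stands in for the PHP
    session storage the real site would use."""

    def __init__(self):
        self._by_session = {}   # session id -> currently valid token

    def issue(self, session_id: str) -> str:
        """Generate an unpredictable token server-side and bind it to the
        session; the page embeds it as <input name="token" value="...">."""
        token = secrets.token_urlsafe(32)
        self._by_session[session_id] = token
        return token

    def consume(self, session_id: str, presented) -> bool:
        """Check a submitted token. The stored token is discarded whether or
        not it matches, so every request needs a freshly issued one (the
        per-request rotation described above) and a guessed value cannot be
        retried against the same session. The comparison is constant-time."""
        expected = self._by_session.pop(session_id, None)
        if expected is None or not isinstance(presented, str):
            return False
        return hmac.compare_digest(expected.encode(), presented.encode())


def handle_request(store: CsrfTokens, session_id: str, form: dict):
    """Assumed request handler: reject the action unless the form carries the
    token issued for this session, then issue the token for the next page."""
    if not store.consume(session_id, form.get("token")):
        return "rejected", store.issue(session_id)
    return "accepted", store.issue(session_id)
```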

The next step was to look for hidden directories and paths on the web server; tools like DirBuster and Gobuster can be used for this, together with a wordlist for enumeration. As rockyou4.txt and directory-list-2.3-*.txt are very well known, a wordlist of less common terms was prepared. The usual wordlists are familiar to developers and pen-testers, hence another one was made. The main focus was to search for JS files with the help of jQuery. Other methods were also used to enumerate hidden files, but we'll leave those for later. After this, Burp was used to analyse all the requests. Various POST requests were inspected for issues, and parameters were tampered with to check the functionality of the site and how the database connection is used. It turned out that the site lacked error protection and leaked data when certain parameters were tampered with.

Pro tip: always tamper with data to look for loopholes. Suppose the value of a parameter is 0; make it 1 and see what happens. Always try contradictory parameter values to look for loopholes.

On analysing the server (looking into the JS files and the error messages), multiple hidden parameters were found, along with some sensitive information about the internal functions used by the website. These functions were meant to improve the user experience but turned out to be the worst nightmare. Various types of injection did work, but we will focus on one of them in depth. On observing the communications, it was noted that the application accepted some SQL special characters, so it was time to search for SQL injection. On testing one of the hidden parameters, an error-based SQLi was found. The purpose of the parameter wasn't understood, as it wasn't making any observable change on the page, although it still made calls to the database. It was perhaps some functionality used for testing whose code wasn't removed before the site went to production.

[Screenshot: PDO Exception #1]
[Screenshot: PDO Exception #2]

Here are some of the PDO exceptions we found. If you don't know what PDO exceptions are, stay tuned for upcoming blogs: we will write about this so that if you find exceptions of this kind, you will learn how to exploit them.
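
As an added illustration (not the post's or the site's code), the pattern behind such leaks and its fix: a leftover lookup that splices the `db` parameter into the query and returns the raw driver error to the client, beside a version that binds the parameter and keeps the error in server-side logs. An in-memory SQLite table stands in for the real database; the table, function names and sample rows are assumptions.

```python
import logging
import sqlite3

log = logging.getLogger("app")


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the production database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, db_param: str) -> str:
    """Leftover test code: the parameter is spliced into the SQL text and the
    raw driver exception is returned to the client, so every malformed value
    tells the caller exactly how the query broke (an error-based oracle)."""
    try:
        sql = "SELECT role FROM users WHERE username = '" + db_param + "'"
        rows = conn.execute(sql).fetchall()
        return "ok:" + ",".join(r[0] for r in rows)
    except sqlite3.Error as exc:          # mirrors an uncaught PDOException
        return "error:" + str(exc)        # full message goes into the response


def lookup_hardened(conn: sqlite3.Connection, db_param: str) -> str:
    """Same lookup with a bound parameter: the value can never change the
    query structure, and any driver error is logged server-side while the
    client only ever sees a generic message."""
    try:
        rows = conn.execute("SELECT role FROM users WHERE username = ?",
                            (db_param,)).fetchall()
        return "ok:" + ",".join(r[0] for r in rows)
    except sqlite3.Error as exc:
        log.error("db lookup failed: %s", exc)   # detail stays in the logs
        return "error:request failed"


def demo() -> tuple:
    """Send the same stray-quote probe through both handlers."""
    conn = make_db()
    probe = "alice'"
    return lookup_vulnerable(conn, probe), lookup_hardened(conn, probe)
```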

An example of a hidden parameter would be as follows:

Suppose in a JS file something like document.getElementById('id') is mentioned. If the JS file is included by some HTML page, the parameter can be supplied from the URL as: In this and other ways, hidden parameters can be found.

The parameter was also tampered with to look for command injection, using values such as ';id' or ';pwd' to see whether they produced any output or threw an error that would help us understand the application. This didn't work, so the next step was to exploit the SQLi found earlier.

There are various methods to find or exploit SQLi; for those, refer to any of the cheat sheets available online, as there is too much content to cover here. If another blog is needed for this, please write in the comments so that we can blog about it later. Various data was extracted from the database, and the juiciest find was the database login credentials. As you may know, credentials are usually stored hashed, hence the next job was cracking these hashes. They were cracked easily, as one of them was a common password found in public wordlists. It was like: ummm... such a critical site, such little protection.

Ok, we got SQL access. What next?

It’s time for RCE.

As you may know, once you have remote SQL access to the database, it is possible to write a PHP shell to disk if the database user has permission to write to the web directories. To our surprise, it did. It was possible to write a file into the var/www/html directory, which created a PHP shell in the root directory of the website. But this wasn't as easy as it sounds.

Hurdles don’t ever stop

It turned out there was a filter on the parameter looking for tags (XSS prevention :P). This was bypassed using double encoding, which allowed malicious PHP files to be written to the system. For those who don't know how to get a shell from SQLi, try out sqlmap to learn more about this. sqlmap has a function which obtains a PHP shell on the web server: it checks whether it has permission to write to the web directories and creates a PHP file which, when opened, offers options to upload our web shell to the server. From the web shell we were able to get a reverse shell on the system, and hence RCE!
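
As an added example (not the post's or the site's code), why a tag filter that inspects the parameter after a single URL-decode is defeated by double encoding, and the fix of canonicalising the value until it stops changing before checking it. The blocked tokens, the decode depth and the assumption that the application decodes the value once more before use are this example's own.

```python
from urllib.parse import unquote

# Assumed blocklist; a real filter would be far broader than this.
BLOCKED = ("<", ">", "<?php")


def filter_once(value: str) -> bool:
    """Legacy filter: decodes the parameter once (as the web server does) and
    rejects blocked tokens in that form. Because the application decodes the
    value again before writing it, a value encoded twice reaches the check as
    harmless-looking '%3C' and only turns into '<' after the check has passed."""
    decoded_once = unquote(value)
    return not any(tok in decoded_once for tok in BLOCKED)


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode repeatedly until the value is stable, so the filter sees the
    same text the application will eventually act on. Values that keep
    changing after max_rounds are treated as hostile and rejected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("value did not stabilise after %d decodes" % max_rounds)


def filter_canonical(value: str) -> bool:
    """Hardened filter: canonicalise first, then check the stable form."""
    try:
        stable = canonicalize(value)
    except ValueError:
        return False
    return not any(tok in stable for tok in BLOCKED)
```

The same canonicalisation step belongs in front of any later check on the same input (path, extension, content type), or each of them will be bypassed by the same trick.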

After this, the report was submitted with screenshots and a proper PoC via secure channels. Within one hour a reply was received acknowledging the report and asking for personal details in order to pay a bounty. To my surprise, a 5-digit bounty was awarded by the company for this effort. Kudos for the response and the fix time: the issue was fixed in just 2 hours. Everything from the error codes to the database names was fixed in no time. Kudos to the company!

Please leave any comments or suggestions for this blog and for any further blogs you would like to read. We provide services to companies who would like their products tested. If you're a company that wants us to perform complete testing of your site, please use the Contact Us page to drop a message or email info(at) We will try to reply at the earliest.

37 thoughts on “How we hacked one of the worlds largest Cryptocurrency Website”

  1. Nick December 24, 2019 8:40 pm

    The write-up is much, much better than others I have attended. Admin shows only those vulnerabilities that are truly exploitable and no rubbish 🙂 it's superb! Heads up 🙌🙌🙌🙌

  2. December 25, 2019 3:37 pm

    Pretty great post. I simply stumbled upon your blog and wanted to say that I've really enjoyed surfing around your blog posts. After all, I will be subscribing for your RSS feed and I'm hoping you write once more soon!

  3. kiet giang melbourne December 25, 2019 6:30 pm

    Hi! I really like your writing so, so much! Proportion we communicate extra about your article on AOL? I require an expert in this space to unravel my problem. Maybe that's you! Looking forward to seeing you.

  4. December 25, 2019 11:00 pm

    Wow, this article is nice; my younger sister is analysing such things, thus I am going to let her know.

  5. agencia digital December 26, 2019 4:53 am

    But digital marketing does not live on the internet alone.

  6. Cách tự vệ sinh máy lạnh Panasonic December 28, 2019 1:47 am

    The front panel is the first part to deal with when you clean the unit.

  7. kiet giang December 28, 2019 6:17 am

    Hi there, it's a fastidious piece of writing regarding media print; we all understand media is a wonderful source of information.

  8. Yunus Ahmed January 2, 2020 12:25 pm

    It would be great if you elaborate/explain the steps you took to exploit the SQLi and RCE. After all, the exploitation steps are the main part of hacking.

  9. Frank January 9, 2020 10:13 pm

    If someone wants to be updated with the hottest technologies, then he must pay a visit to this web page and be up to date every day.

  10. buy credit card January 10, 2020 2:16 am

    Great goods from you, man. I have understood your stuff previous to this and you are just too great. I really like what you've acquired here, certainly like what you are stating and the way in which you say it. You make it enjoyable and you still care to keep it sensible. I can't wait to read far more from you. This is actually a great website.

  11. 31337$ January 15, 2020 7:34 pm

    Bounty is 31337$, that's great, keep it going dude

  12. Edwardo January 16, 2020 9:48 pm

    What's up to all, it's genuinely pleasant for me to go to see this website; it includes priceless information.

  13. pizza in provo utah January 27, 2020 10:44 pm

    Hey there! I just wanted to ask if you ever have any problems with hackers?
    My last blog (wordpress) was hacked and I ended up losing a
    few months of hard work due to no backup. Do you have any solutions to stop hackers?

  14. Jerri February 1, 2020 3:41 pm

    Someone necessarily lends a hand to make critical articles, I might state. That is the first time I frequented your web page and up to now? I am amazed with the analysis you made to create this actual post amazing. Wonderful process!

  15. February 5, 2020 9:19 am

    It’s actually a great and useful piece of information. I’m glad that you simply shared this useful information with us.

    Please stay us up to date like this. Thanks for sharing.

  16. February 5, 2020 9:45 am

    You really make it seem so easy with your presentation, but I find this topic to be really one thing which I believe I might by no means understand. It sort of feels too complex and very large for me. I am looking ahead to your subsequent post, I will try to get the hang of

  17. Addie February 6, 2020 6:17 pm

    There is certainly a great deal to know about this subject.
    I like all the points you’ve made.

  18. Personal Trainer February 6, 2020 6:18 pm

    Hello mates, it's a fantastic paragraph about tutoring and completely defined, keep it up all the time.

  19. no cvv shops February 7, 2020 3:32 pm

    I feel that is one of the so much significant information for me. And I am satisfied studying your article. But wanna statement on few basic things: the website taste is ideal, the articles is in point of fact great :D. Good task, cheers

  20. cat grooming February 15, 2020 2:03 am

    Please let me know if you’re looking for a author for your blog.
    You have some really good articles and I believe I would be a good asset.
    If you ever want to take some of the load off, I’d really like to write some content for
    your blog in exchange for a link back to mine. Please blast me
    an e-mail if interested. Thanks!

  21. ارشفة المواقع February 27, 2020 4:50 pm

    I’d like to find out more? I’d love to find out more details.

  22. pkv deposit pulsa March 7, 2020 1:59 am

    If you are going for the best contents like me, simply pay a visit to this website daily as it presents quality contents, thanks

  23. running time gel March 12, 2020 12:13 pm

    I’m not sure where you are getting your information, however great topic.
    I need to spend a while finding out much more or understanding more.
    Thank you for magnificent info I used to be looking for this information for my mission.

  24. gu energy gel s'mores March 12, 2020 7:34 pm

    We absolutely love your blog and find most of your posts to be just what I'm looking
    for. Does one offer guest writers to write content in your case?
    I wouldn’t mind publishing a post or elaborating on a few of
    the subjects you write regarding here. Again, awesome site!

  25. cbd for professional athletes March 13, 2020 8:33 am

    Amazing! This blog looks just like my old one!

    It’s on a completely different subject but it has pretty much the same
    layout and design. Great choice of colors!

  26. energy gel before run March 13, 2020 9:34 am

    Great post. I was checking constantly this blog and I’m impressed!
    Very helpful information specifically the last part 🙂 I care for such info much.
    I was looking for this certain info for a very long time.
    Thank you and best of luck.

  27. best cbd for athletes uk March 13, 2020 3:17 pm

    Very nice article, totally what I wanted to find.

  28. deposit via pulsa March 17, 2020 10:07 pm

    Good response in return of this issue with firm arguments and explaining everything about that.

  29. March 18, 2020 5:24 am

    Fantastic goods from you, man. I have remembered your stuff prior to this and you are simply extremely magnificent. I really like what you've bought right here, really like what you are saying and the way in which you say it. You make it enjoyable and you continue to take care of to keep it smart. I cannot wait to learn far more from you. That is really a tremendous website.

  33. Alcohol Rehab Centers March 28, 2020 7:31 pm

    I’m Kristine and I live with my husband and our three children in Bakersfield,
    in the CA south part. My hobbies are Gardening, Hunting
    and Ice hockey.

  36. kobe shoes March 29, 2020 6:26 am

    I am just commenting to let you understand what a fantastic experience my girl gained checking your web site. She noticed lots of details, with the inclusion of what it is like to possess an amazing giving heart to get men and women clearly know just exactly several grueling subject areas. You actually did more than people’s expected results. Thank you for supplying these effective, trusted, revealing and as well as fun guidance on this topic to Ethel.
