I have years of experience in the many aspects of the security field, although I don't have any physical qualifications in anything security specific. If you would like to know more about me, send me a PM.

Here is the 100% legal method guys!

-> Use your own address
-> Use your own credit card
-> Use your own phone number

Legit method, works 100% of the time.

I already mentioned about using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users.

In addition to this, there are more vulnerabilities that have been unpatched.
1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable.
2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable.
3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless if you own it or not. This also has no CSRF or captcha protection on it.
4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other peoples interests as well.

I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found even though they were totally unique to the previous founds, I'm not going to waste anymore time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it.

If you read over my list, you'd see a few.

1. The captcha could easily be detected by using OCT Tesseract, so that's completely useless.
2. http://www.100bit.co.in/authenticate.php?user_id=" (SQLi)
3. No CSRF protection anywhere
4. Vulnerable to clickjacking.
5. Modifying currency / country in settings so that the value = A string that breaks SQLi http://gyazo.com/70267440848463cbe9cf22e38fdc08cd (Not sanitized) so another SQLi here. Shows this SQLi on trade page.
6. "Name" on settings page vulnerable to XSS.
7. Shouldn't allow negative currencies http://gyazo.com/509791dd4e4fc300272d26e936cbcb12 . Massive issues could arise later on.
8. Payment mode on the orders page is vuln to persistent XSS.
9. By the looks of it, you can delete others buy orders http://www.100bit.co.in/order.php?mode=del&type=Buy&order_id=[orderid]
10. Persistent XSS in orders page by editing currency or country POST fields.
11. SQLi in trade page in post vars order and field. Escaping a string is not sufficient here as you're allowing the the person to chose the MySQL column. NEVER ALLOW THE CLIENT ACCESS TO ANYTHING THAT NEEDS TO BE DONE SERVER SIDED.
12.  About Me in settings allows HTML, leads to XSS and other things such as good old iframing -> clickjacking on your site.
13. You can see everyone elses ticket IDs http://www.100bit.co.in/reply.php?ticket_id=[ticketid] and reply to them
14. XSS on the reply field of the ticket system.
15. The verify email token is an encrypted text that you obviously try to decrypt (I can see in the SQLi in authenticate.php). Don't have any tokens that contain informative values in them.

I think I'll finish up there, I could probably continue and find even more. The site is heavily vulnerable and I would highly suggest allowing legitimate trading on it until all issues are fixed. I'd also suggest you use a PHP Framework such as laravel as you're not quite proficient in security with basic PHP.

Regards,
PotatoPie.

I've had heaps off experience with blockchain API. Chuck me a PM.

1. Get off shitty namecheap shared hosting
2. Get a VPS
3. Setup https://github.com/rhiever/twitter-follow-bot on a cron script.
4. Done.

I've done exactly this and I've boosted my site heavily. It cost me $2 to do as well for the basic VPS, simple but elegant.

Personally I don't have references for work with C#, mainly PHP and other web languages such as Ruby on Rails. If you would like, I can still go over your code for free as I have a bit of spare time although C# is probably one of my less proficient languages.

I have a bit of experience with this. What is the site coded in?

Do you even SQL bro ? I'll explain what this SQL statement is doing and why you're not correct in saying that this should be done PHP side. This SQL statement is getting
1. The count of all rows in balances (so the amount of users).
2. The maximum balance of any user (so the person with the most $$). To do this one PHP sided, you'd have to retrieve the whole balance row from the table with all of the data and then do it PHP sided. This would use more CPU than the SQL statement would.
3. The sum of the balances is just all of the balances in the table added together. This is the same as above and doing it using MySQL is far less resource intensive then getting the whole table and doing it with PHP.

Your statement about "12 calls to the SQL Server in the index.php" isn't necessarily an issue. You'll find that a lot of PHP files have quite a few more queries.

@OP: Try get information such as what pages are causing this issue with overusage of CPU from your host. I can try later on a VPS and see what the major issue is for you if you want. Are there any cron scripts running by any chance (haven't really looked at the code).

Are you serious? Do you even know what a 301 status code means?

Stop using shitty tools such as Acunetix without any knowledge about what these 'vulnerabilities' actually do. You're not part of the DOD, and please do not try threaten website owners. You're probably 12 and have no idea what you're doing.

PM me with what you need done or details to get into contact with you.

A lot of the time, it's not the code that is vulnerable. I'll be honest in saying that when I used to do 'illegitimate testing' against websites, the code was normally not the issue. You'll find now that people are using frameworks more and more that get rid of the issues such as the owasp top 10 and so on. It also comes down to the issue that if they're using a lot of classes and a large system (PHP), it would take a long time to go through multiple PHP files just for one single function (hence the per hour thing being a bit ridiculous here).

I've had plenty of business experience as I've run a business for many years. Customers generally don't flock towards you if you're volatile to other people that try to put you down. You're in a market where there is plenty of pentesters and almost no demand at all for them. You're not going to get someone giving you $40 an hour with no examples of what you can do and absolutely no idea what you're going to achieve in an hour.

Join programs such as:
-> Hackerone.com
-> Bugcrowd.com

Gain a bit of a profile and get on some bug bounty lists and then come back and try sell your services as you can prove that you at least know something .

Just by quickly looking at it (I'll look at it later tonight when I get home) but, Update OpenSSL. It seems that you're using an older version which is vulnerable to heartbleed. Please refer to https://filippo.io/Heartbleed/#cointoli.com for more information. You should be able to just run a basic apt-get update in ssh to fix this issue.

This is straight out of an automated testing tool, not government grade pen-testing. If you can fully explain what this is and how to exploit it then people may slightly believe that you're capable of such things.

From what I read, you're just making stuff up on the spot with no actual experience of evidence to back it up. $40/hour is an absolute joke unless you can actually prove you know what you're doing. I know a lot of pentesters that are good and will work for less than that. Secondly, you're an idiot because you start flaming everyone on your sales thread. This is business 101, you're not going to get any clients and you might as well start a new thread and get a new mind set.

Awesome, received my bounty. I'll probably follow your company and see how it develops in the future .

Probably in Util.php, but I doubt that would be an area of concern as it seems to have just 'stopped working'.


I was able to use http and it seems that there is no redirects without https. Blockchain is behind cloudflare which could be causing blocking issues (I've had it various times before).