No response from support for 2 days; the last response completely ignored the fact that I had managed to retrieve sensitive server information. They aren't taking security seriously at all.
I currently have a shell placed on their server executing phpinfo, returning information on their back-end Apache server. They are running an Nginx front-end as a reverse proxy.
This took a while as I've been attacking their market for a few weeks, but their new request limitations to mitigate DDoS attacks have slowed me down. I asked them to disable this for my session as I had managed to run a PHP shell; however, their image stripping was clearing out my malicious code.
After comparing my original image hex bytes to the uploaded image bytes, there were some of the original bytes in there, so I was able to replace them and test which functions were enabled. Of course, security 101 issue straight away: phpinfo is enabled and happy to serve me with the goodies, mostly server OS information and the security patches that had been installed. I am not able to get much further than that due to their directory permissions preventing directory traversal, and most other functions I am unable to exploit. This is a severe security concern though, and I hope they can at least come forward and be transparent. Still working on getting their IP to leak right now, so I will update the thread, also if I hear anything from them.
I have sent proof to the subreddit Mods and will be making further posts. Also not sure if they fixed it yet, because I reported it last week, but you could view anyone's support ticket if you had the ticket ID.
Try not to keep your funds on the market right now if you still choose to use it, they could easily walk away with the money following this.
Edit: I'd like to take this as an opportunity to mention I rooted "Transit Market", which is linked on DDW. It was hosted on the guy's home PC within his user directory, which gave me his first name. Seems like he may have taken the market down as I can't access it right now; I had also sent proof of this with my deface page to the Reddit Mods last week.
Edit 2: Managed to upload deface page :) http://traderouteilbgzt.onion/hugbunter.html
Edit 3: SHELL AND DEFACE PAGE WAS JUST REMOVED NOW. Hopefully I get a response from support now.
Edit 4: Response from support completely denying everything and telling me I am spreading FUD after clearly fixing the issue and removing the shells.
Admin (22 August 2017 12:46): Why are you spreading FUD about us? It's not possible to show a random HTML file, even if you could put it in the public folder, as the server is configured to show only a few controlled files. Besides, you have no clue about the server software we use, as you showed on Reddit. What does the DDoS limitation have to do with image upload? Complete nonsense; please show a single proof of your claims.
HugBunter (22 August 2017 13:43): I am not spreading any FUD, and you misunderstood regarding the DDoS limitations and image upload: it was preventing me from attempting different methods quickly in an automated fashion. I can assure you it parsed the HTML file just fine in the public folder, and you would know, as the file has been removed along with the image shells. Why are you denying it rather than working with me? That's why I contacted you and had no response. Also, a lot of public details wouldn't be correct, just the way I wouldn't post your IP address publicly even if I had managed to get it to leak. I was trying to help, but insecurities such as this and then denying it after fixing it is absurd.
Are you genuinely trying to play this down, or do you have multiple developers and another could have accessed and buried this? I don't understand why you are point blank denying what was publicly proven.
Jesus Christ.