The Onion Market - Reverse Shell Access For Everyone! : hacking | Torhoo darknet markets

Just browsing Dread for the first time in months. See a new and exciting market announcement! https://torhoo.cc/go.php?u=TDNCdmMzUXZZV1l6WkRaaE9URTJOMlJpWVdVMU9UaGxNelk9#

Wow. The Onion Market. With a name like this, I see them taking over the entire darknet scene within a few years. Should probably check them out. Get in on the ground floor. Yaknow?

Uh oh. What's that??
- http://onioncto5mif54pkpssmoin3cvmwrdyfjg5lc4cqxgpx2wja5wnhkdad.onion
- http://onioncto5mif54pkpssmoin3cvmwrdyfjg5lc4cqxgpx2wja5wnhkdad.onion/storage/images/.user.php

I have pretty minimal pen-testing abilities, but still managed to upload a PHP reverse shell here earlier today. Turns out it's Eckmar. I have no idea if all Eckmar scripts are vulnerable like this, but I wouldn't be surprised. Never bothered to look into it.

To all my up-and-coming hackers out there: go try to escalate privileges from www-data there on a high-speed, real-world, live and exciting box. Have fun! Upload your own reverse shells! Or if you'd like me to point mine at your IP before https://torhoo.cc/go.php?u=TDNVdlZHaGxUMjVwYjI1TllYSnJaWFE9# wakes up to a silly surprise, then write me.

And if you need a full-stack developer to build you an actually secure market, or any darknet service for that matter, reach me on my Jabber :))
/u/Netwerk P
2 points
9 months ago
nginx/1.18.0 (Ubuntu)

Who could have imagined?
/u/IDontSmokeMeth
2 points
9 months ago
lololol
/u/herpesking
2 points
9 months ago
Good work! Putting markets to the test helps the community as a whole.
/u/goatchickwtn
1 point
9 months ago
ahahha golden
/u/BigDaddy2K
1 point
9 months ago
Probably did not see this coming lol
/u/stylish 📢
1 point
9 months ago
;(

That was short lived.

https://torhoo.cc/go.php?u=TDNVdlZHaGxUMjVwYjI1TllYSnJaWFE9#, thank you for having me! All the best, good night sweet prince <3
/u/NorthOfTheNeXus
1 point
9 months ago
Whose IP addy was that in /.user.php, yours or the market's???
"WARNING: Failed to daemonise. This is quite common and not fatal. Successfully opened reverse shell to 185.198.x.x:4129"
'cause it wasn't my IP
/u/stylish 📢
1 point
9 months ago
It was the IP address of the server I was using to receive the reverse shell. I have The Onion Market's public IP address. But leaving it here would be like hitting a man while he's down.

We're actually big fans of the post, been watching the whole time :)
Also, don't worry, it's not our public IP, or an IP we even own in any way, feel free to post it!
/u/stylish 📢
2 points
9 months ago
Listen mate. I know The Onion Market was a once in a lifetime name idea, but just the fact that someone was able to breach your system on day two will prevent anyone from ever using your platform. Kindly restart under a new name and I'll see you there ;)

With love,
Stylish
/u/NorthOfTheNeXus
1 point
9 months ago
yeah tru...
/u/intelligent
1 point
9 months ago
So embarrassing. I'm not sure why people don't actually pen-test their market before "announcing" it. This shit is not a game, and unless you want to end up in a box for the rest of your life I'd suggest starting to take it seriously, "TheOnionMarket".

Good Work Stylish
/u/Citronella
1 point
9 months ago
Thanks for the idea. I may come back with profits to share. There is a new service, moneromonkey or something, where you can offer services like this, in the same e-commerce business model as Fiverr.

Awesome, now do something cool with it :)
/u/IDontSmokeMeth
1 point
9 months ago
best advertisement for your service lol
/u/[deleted]
1 point
9 months ago
So he basically got hacked for not restricting access to certain pages, as well as not doing text/image filtering to prevent uploads of the wrong file type?
/u/stylish 📢
1 point
9 months ago
The Onion Market conducted zero sanitization of user uploaded images to their site before storing them.

Because their site was using PHP, all one would have to do is upload a malicious PHP reverse shell as their profile picture. This will then sit in their static images folder on a publicly facing URL which can be activated by navigating to the PHP script on any browser by any user.

What The Onion Market could do to fix this issue is:
- Check file extensions and image metadata wherever user file content is allowed
- Disable script execution on routes (like /storage) that are intended solely for static content like images
- Just not utilize profile pictures in the first place (they're a waste of space and an unnecessary security risk)
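Worked example, added here and not code from the thread, from Eckmar or from The Onion Market: a Python version of the checks in the fix list above (one allow-listed extension, file header matching that extension, no PHP open tag anywhere in the body, server-chosen filename and non-executable mode on disk), plus a scanner a responder could run over an existing upload tree to find what is already planted there. The image allowlist, the script-extension set and the sample payloads are assumptions constructed for the demo; the ".user.php" and polyglot cases mirror the upload described in the post.

```python
import os
import re
import secrets
import tempfile

# Assumed allowlist for a profile-picture feature: each extension must start
# with these magic bytes (jpg/jpeg share a prefix; "GIF8" covers GIF87a/GIF89a).
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions an nginx + PHP-FPM stack may hand to the interpreter if they land
# in a served directory (assumed list; used by the scanner only).
SCRIPT_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def validate_upload(filename, data):
    """Return (ok, reason) for a candidate profile picture."""
    parts = os.path.basename(filename).lower().split(".")
    # Exactly "name.ext": rejects dotfiles like .user.php and shell.php.png alike.
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with a single extension"
    ext = parts[1]
    if ext not in ALLOWED_MAGIC:
        return False, f"extension .{ext} is not an allowed image type"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "file header does not match the claimed image type"
    # A valid GIF/PNG header with <?php further down is still a script to PHP.
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag found inside the image body (polyglot)"
    return True, "ok"


def store_upload(storage_dir, filename, data):
    """Validate, then write under a random server-chosen name, mode 0644."""
    ok, reason = validate_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    ext = os.path.basename(filename).lower().rsplit(".", 1)[1]
    stored = f"{secrets.token_hex(16)}.{ext}"   # user never controls the path
    path = os.path.join(storage_dir, stored)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)                        # data, never executable
    return stored


def scan_storage(storage_dir):
    """List files under an upload tree with a script extension or a PHP tag."""
    hits = []
    for root, _dirs, files in os.walk(storage_dir):
        for name in files:
            path = os.path.join(root, name)
            ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
            with open(path, "rb") as fh:
                head = fh.read(1 << 20)          # first MiB is enough for a tag check
            if ext in SCRIPT_EXTS or PHP_OPEN_TAG.search(head):
                hits.append(os.path.relpath(path, storage_dir))
    return sorted(hits)


# Constructed sample inputs, not files from the incident.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
PHP_SAMPLE = b"<?php /* constructed stand-in for a reverse shell */ ?>\n"
GIF_POLYGLOT = b"GIF89a" + b"\x00" * 16 + PHP_SAMPLE   # real header, PHP body


def run_demo():
    """Run the validator over the thread's cases and scan a seeded storage tree."""
    cases = {
        "avatar.png": validate_upload("avatar.png", PNG_SAMPLE),
        ".user.php": validate_upload(".user.php", PHP_SAMPLE),
        "shell.php.png": validate_upload("shell.php.png", PNG_SAMPLE),
        "avatar.gif polyglot": validate_upload("avatar.gif", GIF_POLYGLOT),
        "avatar.png with PHP body": validate_upload("avatar.png", PHP_SAMPLE),
    }
    with tempfile.TemporaryDirectory() as storage:
        # What an unsanitized /storage/images ends up holding on disk.
        seeded = ((".user.php", PHP_SAMPLE), ("polyglot.gif", GIF_POLYGLOT),
                  ("real.png", PNG_SAMPLE))
        for name, body in seeded:
            with open(os.path.join(storage, name), "wb") as fh:
                fh.write(body)
        scan_hits = scan_storage(storage)
        stored = store_upload(storage, "avatar.png", PNG_SAMPLE)
    return {"cases": cases, "scan_hits": scan_hits,
            "stored_ext": stored.rsplit(".", 1)[1]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The validator is defence in depth; the second bullet in the list above is the one that matters on its own. With nginx in front of PHP-FPM, a `location ^~ /storage/ { ... }` block that has no `fastcgi_pass` (or an explicit `location ~ ^/storage/.*\.php$ { return 403; }` ahead of the generic PHP handler) means a file that slips past validation is served as bytes instead of executed; that config is an assumption about the stack, not anything the thread shows.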
/u/Entr0py
1 point
8 months ago
"Ruh-Roh!" type shit. I cannot get enough of this post, funniest shit I've seen so far.