P*rnHub launched its bug bounty program two months ago to encourage hackers and bug bounty hunters to find and responsibly report flaws in its services and get rewarded.

Now, it turns out that the world's most popular site has paid its first bounty payout. But how much?

Yes, P*rnHub has paid a $20,000 bug bounty to a team of three researchers, who gained Remote Code Execution (RCE) capability on its servers using a zero-day vulnerability in PHP, the programming language that powers P*rnHub's website.

The team of three researchers, Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide), discovered two use-after-free vulnerabilities () in PHP's garbage collection algorithm when it interacts with other PHP objects.

One of those is PHP's unserialize function on the website that handles data uploaded by users, like hot pictures, on multiple paths, including:

https://www.P*rnH*b.com/album_upload/create

https://www.P*rnH*b.com/uploading/photo

This zero-day flaw let the researchers reveal the address of the server's POST data, allowing them to craft a malicious payload and thereby execute rogue code on P*rnHub's server.

The hack was complicated and required a massive amount of work that granted a "," allowing the team to execute commands and make PHP run malicious syscalls.

The PHP zero-day vulnerabilities affect all PHP versions of 5.3 and higher, though the PHP project has fixed the issue.

The hack could have allowed the team to drop all P*rnHub data including user information, track its users and observe behavior, disclose all source code of co-hosted websites, pivot deeper into the network and gain root privileges.

P*rnHub paid the team $20,000 for their incredible efforts, and the Internet Bug Bounty HackerOne also awarded the researchers an additional $2,000 for discovering the PHP zero-days.

The sophisticated hack on P*rnHub's servers that allowed the team to gain full access to the entire P*rnHub database has been explained in two highly detailed blog posts. You can head on to them for the technical details of this attack.
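The entry point in this report was unserialize() running on user-supplied request data, so a useful defensive step is to inventory which form fields actually carry PHP-serialized values and move them to a data-only format. The following is an added example, not code from the article or the researchers: it structurally validates PHP's serialize() format over constructed request bodies, and the field names `meta` and `state` are hypothetical.

```python
import base64, binascii, re
from urllib.parse import parse_qsl, urlencode

# Grammar pieces of PHP's serialize() output; counts are capped at 9 digits.
_SCALAR = re.compile(rb'(?:N|b:[01]|i:-?\d+|d:[-+0-9.eEINFA]+|[rR]:\d{1,9});')
_STRING = re.compile(rb's:(\d{1,9}):"')
_OPEN = re.compile(rb'(?:a|O:\d{1,9}:"[^"]+"):(\d{1,9}):\{')

def _parse(buf, pos):
    """Return the offset just past one serialized value at pos, or -1."""
    m = _SCALAR.match(buf, pos)
    if m:
        return m.end()
    m = _STRING.match(buf, pos)
    if m:
        end = m.end() + int(m.group(1))        # declared length is in bytes
        return end + 2 if buf[end:end + 2] == b'";' else -1
    m = _OPEN.match(buf, pos)
    if m:
        pos = m.end()
        for _ in range(2 * int(m.group(1))):   # n key/value pairs
            pos = _parse(buf, pos)
            if pos < 0:
                return -1
        return pos + 1 if buf[pos:pos + 1] == b'}' else -1
    return -1

def is_php_serialized(value: bytes) -> bool:
    try:
        return bool(value) and _parse(value, 0) == len(value)
    except RecursionError:
        return True   # pathological nesting: flag it rather than ignore it

def serialized_params(form_body: str) -> list:
    """Names of form fields whose value, raw or base64-decoded, is PHP-serialized."""
    hits = []
    for name, value in parse_qsl(form_body, keep_blank_values=True):
        candidates = [value.encode()]
        try:
            candidates.append(base64.b64decode(value, validate=True))
        except (binascii.Error, ValueError):
            pass
        if any(is_php_serialized(c) for c in candidates):
            hits.append(name)
    return hits

# Constructed sample bodies; the field names "meta" and "state" are hypothetical.
SAMPLES = {
    "/album_upload/create": urlencode({"title": "holiday", "meta": 'a:2:{i:0;s:3:"abc";i:1;b:1;}'}),
    "/uploading/photo": urlencode({"caption": "s:3 is not data", "state": base64.b64encode(b'O:8:"stdClass":1:{s:1:"k";N;}').decode()}),
}
```

Fields reported by `serialized_params` are candidates for replacement with JSON or another format that cannot describe objects or references.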