Let me start by introducing myself. I am a developer at heart, not a pentester. I know how to set up servers, I know how to properly develop sites that are resilient to the most prevalent attack vectors, but I am not someone who is on top of the game when it comes to the latest and greatest. After seeing the recent unveilings of VERY poorly written markets, I thought I'd give it a go myself.
Sourcery has a bunch of oddities. The most widely accepted way of delivering images on a DNM is by serving the Base64 encoded bytes and not referencing a file directly from the server. Sourcery has a script that can take an image path on their server, and then deliver the content of that image. However, this seems to be badly misconfigured, and feeding it results that it did not expect causes it to bleed the port that the hidden service is running on:
http://sourcel3zg2kzu4k.onion/images (errors & redirects) *:8080
This is a very standard port suggested in almost any "hidden node setup guide", suggesting that the admins are novices. Along with this, we know the server is running nginx.
Along with this, you can feed it files, and it returns very strange results. I will experiment more with this, but in theory you could probably get it to return the bytes of, say, a PHP file.
There are more serious things about other markets, hint hint, Zion, hint hint.
In the meanwhile, stay safe.
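For anyone maintaining a path-to-Base64 image script like the one described in the post, this is an added example (not part of the original post and not the market's code) of a lookup that stays inside the image directory and fails the same way for every bad input. The function name, the `images/` layout and the sample files are assumptions constructed for the demonstration.

```python
import base64
import tempfile
from pathlib import Path

# Allowed extensions mapped to (MIME type, leading magic bytes).
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".gif": ("image/gif", b"GIF8"),
}

def image_data_uri(root, requested, max_bytes=2_000_000):
    """Return a data: URI for an image under root, or None for anything else.

    Every rejection returns the same None so the caller can answer with one
    fixed 404 body: no redirect, no path, no server detail in the response.
    """
    root = Path(root).resolve()
    try:
        target = (root / requested).resolve()   # collapses ".." and symlinks
    except (OSError, ValueError):               # e.g. embedded NUL byte
        return None
    if not target.is_relative_to(root):         # Python 3.9+
        return None
    kind = ALLOWED.get(target.suffix.lower())
    if kind is None or not target.is_file():
        return None
    if target.stat().st_size > max_bytes:
        return None
    mime, magic = kind
    data = target.read_bytes()
    if not data.startswith(magic):              # extension must match content
        return None
    return f"data:{mime};base64,{base64.b64encode(data).decode('ascii')}"

def demo():
    """Constructed layout: <tmp>/index.php beside <tmp>/images/{ok.png,fake.png}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "images"
        root.mkdir()
        (Path(tmp) / "index.php").write_text("<?php /* constructed */ ?>")
        (root / "ok.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        (root / "fake.png").write_text("<?php /* constructed */ ?>")
        names = ["ok.png", "../index.php", "/etc/hostname", "fake.png", "missing.png"]
        return {n: image_data_uri(root, n) for n in names}

if __name__ == "__main__":
    for name, uri in demo().items():
        print(f"{name!r:18} -> {uri}")
```

On the nginx side, `port_in_redirect off;` and `absolute_redirect off;` keep the internal listen port out of `Location` headers on redirects.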
2 shadowbanned comments. 1 of them addressing how they wish they could see the other shadowbanned comment. Jeez.