How I hacked into a college’s website again!

This is a follow up article to the previous piece that I wrote - How I hacked into a college’s website to obtain the student’s database.

Refer to my last hack - How I hacked into a college’s website!

As with many other colleges, this college too had different websites where students could log in for different sets of information. Some of the webpages were focused on displaying the attendance and timetable of the students, whereas the other was focused on the grades and personal details. The college website which I hacked into last time didn't have any critical data in it, so this time I tried to get into the webpage that had important data like the Aadhaar card details, the grades of those students and their transaction details, such as when they paid their college and hostel fees.

What was different from the last time?

The last time I tried to hack into the college website it was a plain dictionary attack: the students' login credentials were their registration numbers and their dates of birth, which I easily worked out, and I wrote two simple scripts to generate my dictionary for the attack. That wouldn't have worked here, because this website contained more important information and also had a captcha filter that would have stopped any kind of dictionary attack. It looked something like the one below.

Login Portal

How I approached this hack

First of all I tried to find an SQL vulnerability, which would have given me access to the data in the easiest way possible, but I wasn't successful as I couldn't find such a flaw. I fired up Burp Suite to intercept the traffic between the browser and the server, hoping to find a way to manipulate the request and get access to their database. For this I logged in with my own username and password, intercepted the traffic and sent it to the Repeater tab to analyse it, and voilà!

BurpSuite Capture

The breakthrough!

As I started to analyse the request that was sent over, I realised that the captcha was only being checked the first time I logged in. What that means is that if I entered the correct captcha manually once at the beginning and then just modified the payloads in Burp Suite, i.e. the username and password, I could carry out the same dictionary attack that I carried out in the first hack. The payloads were already ready from my last hack.

Carrying out the hack

So, in the beginning I manually entered my valid login credentials to pass the captcha check, and after that it was a cakewalk, as there was nothing stopping the 5-hour-long dictionary attack that gave me access to the credentials of nearly every student in the IT branch of that college. This was a whole different level of high: by bypassing this security I got access to some really personal data about the students, and not just that, there was data even about their respective guardians.

Moral

I reported it to the officials straight away. This whole hack was possible due to laziness on both the students' part and the college's. The students didn't change their default passwords, and the college didn't put in a proper firewall, which should have blocked me right after a few attempts.
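To make the two root causes above concrete (the captcha that was only verified once per session, and the absence of any lockout after repeated failures), here is an added example that is not code from the original post or from the college's portal. It is a self-contained Python model of a login handler: `WeakPortal` reproduces the flaw, trusting a session for good once a captcha has been solved, and `HardenedPortal` shows the fix, a single-use captcha token checked on every attempt plus a per-account failure counter. All registration numbers, passwords, the salt and the captcha value are constructed sample data, and the class and function names are my own.

```python
"""Added example (not the original post's code): captcha checked once per
session (the flaw) versus a single-use captcha per attempt with lockout.
All users, passwords, salt and captcha values below are constructed."""
import hashlib
import hmac
import secrets

SALT = b"constructed-salt"            # constructed; real systems use a per-user random salt
MAX_FAILURES = 5                      # assumption: lock the account after 5 bad passwords


def _hash(password: str, salt: bytes) -> bytes:
    """Password hashing for the sample store (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample store: registration number -> password hash.
# REG1001 still uses a default date-of-birth style password, as the post describes.
USERS = {
    "REG1001": _hash("01012000", SALT),
    "REG1002": _hash("S3cure!pass", SALT),
}


def _password_ok(username: str, password: str) -> bool:
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, _hash(password, SALT))


class WeakPortal:
    """The flaw: the captcha is validated once, then the session is trusted forever."""

    def __init__(self):
        self.captcha_passed = False   # session-level flag that is never reset

    def login(self, username, password, captcha_answer, captcha_expected):
        if not self.captcha_passed:
            if captcha_answer != captcha_expected:
                return "captcha_failed"
            self.captcha_passed = True  # every later request skips the captcha entirely
        return "ok" if _password_ok(username, password) else "bad_credentials"


class HardenedPortal:
    """Fix: a fresh single-use captcha on every attempt, and lockout after MAX_FAILURES."""

    def __init__(self):
        self.pending_captcha = {}     # token -> expected answer, consumed on first use
        self.failures = {}            # username -> consecutive failed attempts

    def issue_captcha(self, expected_answer: str) -> str:
        token = secrets.token_hex(8)
        self.pending_captcha[token] = expected_answer
        return token

    def login(self, username, password, captcha_token, captcha_answer):
        expected = self.pending_captcha.pop(captcha_token, None)   # token is single-use
        if expected is None or not hmac.compare_digest(captcha_answer, expected):
            return "captcha_failed"
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return "locked"
        if _password_ok(username, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "bad_credentials"


def demo():
    """Run the same sequence of attempts against both portals and return the outcomes."""
    # Weak portal: one solved captcha, then guesses replayed with no captcha at all.
    weak = WeakPortal()
    weak_first = weak.login("REG1001", "wrong", "7k3p", "7k3p")
    weak_guesses = [weak.login("REG1001", g, "", "7k3p")
                    for g in ("31122001", "15081999", "01012000")]

    # Hardened portal: a replayed token is rejected, and repeated failures lock the account.
    hard = HardenedPortal()
    token = hard.issue_captcha("7k3p")
    hard_first = hard.login("REG1001", "wrong", token, "7k3p")
    hard_replay = hard.login("REG1001", "01012000", token, "7k3p")   # same token again
    hard_outcomes = []
    for g in ("a", "b", "c", "d", "e", "01012000"):
        hard_outcomes.append(hard.login("REG1001", g, hard.issue_captcha("7k3p"), "7k3p"))

    return {"weak_first": weak_first, "weak_guesses": weak_guesses,
            "hard_first": hard_first, "hard_replay": hard_replay,
            "hard_outcomes": hard_outcomes}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the difference: the weak portal accepts every guess after the first solved captcha, including the default password, while the hardened portal refuses a reused token outright and answers `locked` from the sixth attempt on, even when the correct password is finally supplied. The lockout counter is keyed by account here for clarity; a production service would also rate-limit by source address and expire the counter, so that the lockout itself cannot be used to deny students access.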

I was very lucky, but I did hack into a college’s database!

If you enjoyed it please do clap and happy hacking!

Twitter : twitter.com/aditya12anand

LinkedIn : linkedin.com/in/aditya12anand/

E-mail : aditya12anand@protonmail.com