How I hacked into a college’s database!

Aditya Anand
May 20, 2019 · 4 min read

This article is being re-published, originally published on 13th April 2018.

Being a teenager I have heard computer nerds proudly claiming that how they hacked into their college’s database. How they got access to the data of all their friend’s and their college crushes. I was always amazed and used to ask them for guidance as to how they did it, most of the time they didn’t respond to a teenager like me. I never gave up and continued reading and learning various techniques, programming languages, softwares and tools and here I am writing this blog about how i got access to a college’s database.

The Big Idea

So, how I got the idea in the first place? Most of the college have this policy that in the very beginning of the college they assign students username and password to login to an online portal that has their data, like their name, registration numbers, parent’s name, their phone numbers, social security number (Aadhaar number), etc.

The problem is the username that is assigned to them is their college registration number and the password is their date of birth and most of the time these students don’t change their login credentials at all, once they get them from their college at the time of their registration.

Image for post
Image for post
Login Portal

Breaking down the Hack

As bored as I was I thought let’s try a dictionary attack. So for this i had to first check if thecollege website was actually weak enough to allow me to carry out a dictionary attack on it’s login page. So, I opened up my Burp Suite and turned on the intercept. I visited the college’s login page and just to check it out I created random payloads which gave a total of 1,000 permutations with the login credentials at the last of it, so as to check if it runs fine. I started the attack and in a minute voila! Burp Suite highlighted my credentials, as the status displayed 302.

With this I came to know that the dictionary attack was not being blocked by the IDS or IPS of the college (doubt they even have one), I thought let’s make the list of all registration numbers and all the birth dates possible for those registration numbers. So how do you figure that out? Now let’s say your college gives you a registration number, try to break it down.

REG1511080123

So now once I knew how to create the dictionary file, I wrote C++ codes and printed the dictionary files for IT branch. Remember their can be particular things special to your college, like they need to append their college name before your d.o.b. in your password so write the codes accordingly or write a generalised code and paste it in a text editor and use “find and replace” to make changes according to your needs.

Image for post
Image for post
BurpSuite Terminal

So, right now I had my dictionary file ready to go with a total of 600,000 permutations. With the help of my Burp Suite professional it took me 5 hours to get the data of all the college students, their marks and grades of each semester and above all their SSN.

Image for post
Image for post
Extracted data

Moral

I reported it to the officials straight away. This whole hack was possible due to laziness on both the student’s part and the college. The student’s didn’t change their default passwords, the college didn’t put in a proper firewall which should have blocked me right after 100 or so attempts.

I was very lucky, but I did hack into a college’s database!

If you enjoyed it please do clap & let’s collaborate. Get, Set, Hack!

Website : aditya12anand.com | Donate : paypal.me/aditya12anand

Telegram : https://t.me/aditya12anand

Twitter : twitter.com/aditya12anand

LinkedIn : linkedin.com/in/aditya12anand/

E-mail : aditya12anand@protonmail.com

P.S. In my follow-up article I will explain how I hacked into the database via a different website that they had up and running and bypassed the CAPTCHA filter. Releasing it one week from now.

InfoSec Write-ups

A collection of write-ups from the best hackers in the…

Sign up for Infosec Writeups

By InfoSec Write-ups

Newsletter from Infosec Writeups Take a look

By signing up, you will create a Medium account if you don’t already have one. Review our Privacy Policy for more information about our privacy practices.

Check your inbox
Medium sent you an email at to complete your subscription.

Aditya Anand

Written by

CyberSec Professional | Hacker | Developer | Open Source Lover | Website - aditya12anand.com | Donate - paypal.me/aditya12anand

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Aditya Anand

Written by

CyberSec Professional | Hacker | Developer | Open Source Lover | Website - aditya12anand.com | Donate - paypal.me/aditya12anand

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store