How I Hacked University and My College Site


In this article, I’ll be sharing my experience of hacking the university site and my college site!

Shubham Sangle (mr.silent)

Hey guys, I hope you are all enjoying quarantine.

“As hacking is a buzzword for any IT student, many people really love to be part of this trend. I am also one of them. So I hacked something….”

If any of you are wondering which university I am talking about, let me make it clear: it’s our own SPPU.

When I was submitting my university exam form I noticed that this site is not really good at security. If any of you have noticed, session management is really poor. As every IT student does, I wanted to take a look at its source code, so I did. What I came to know is that there’s a site attached to the main “SPPU” site which is still using plain PHP with GET parameters.

https://****.unipune.ac.in/courses-detail.php?id=1

Just take a look at that id=1, how happy he is 😊, but all the problems start with that single parameter.

We can exploit the database behind a website using SQL injection, which is a well-known vulnerability in web application penetration testing.


Basic Example


Let's consider that this id = 1 parameter is passed to the SQL server without any sanitization. Where there is no sanitization there is Corona (HACK) 😅

The query will look like this on the server-side:

select * from course_detail where id=1

What if I change id = 1 to id = 1 or 1=1?

https://****.unipune.ac.in/courses-detail.php?id = 1 or 1=1

It looks confusing, right…?? But it’s more interesting on the database side.

The query will look like this on the server-side:

select * from course_detail where id = 1 or 1=1

Now your database tries to execute this query. If you are clever enough, you can guess that 1 = 1 is universally true. So the WHERE condition is true for every row, and the query returns all records in the table instead of the single course that was asked for.
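To make the difference concrete, here is an added example (not code from the article or from the SPPU site) that builds the query the way the post describes, string-concatenating the GET parameter, next to two safer versions: one that binds the parameter as a value, and one that also validates its type first. The course_detail table and its rows are constructed for the demo, since the real schema is not shown in the article; SQLite stands in for the real SQL server.

```python
import sqlite3

# Constructed sample data standing in for the page's course_detail table.
SAMPLE_ROWS = [
    (1, "B.Sc. Computer Science"),
    (2, "M.Sc. Computer Science"),
    (3, "MCA"),
]


def make_db():
    """In-memory SQLite database with a small course_detail table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE course_detail (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO course_detail VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, raw_id):
    """The pattern the article describes: the GET value is pasted straight into SQL.
    raw_id '1 or 1=1' turns the WHERE clause into a tautology and returns every row."""
    query = "select * from course_detail where id=" + raw_id
    return conn.execute(query).fetchall()


def bound_lookup(conn, raw_id):
    """Same query, but the value is bound through a placeholder.
    The driver sends '1 or 1=1' as a single literal value, never as SQL,
    so it matches no row instead of all rows."""
    query = "select * from course_detail where id=?"
    return conn.execute(query, (raw_id,)).fetchall()


def hardened_lookup(conn, raw_id):
    """Binding plus input validation: an id must be an integer, anything else is
    rejected before it ever reaches the database."""
    try:
        course_id = int(raw_id)
    except ValueError:
        return []  # reject non-integer ids (a real app would return HTTP 400)
    query = "select * from course_detail where id=?"
    return conn.execute(query, (course_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1:        ", vulnerable_lookup(db, "1"))
    print("vulnerable, id=1 or 1=1: ", vulnerable_lookup(db, "1 or 1=1"))
    print("bound,      id=1 or 1=1: ", bound_lookup(db, "1 or 1=1"))
    print("hardened,   id=1 or 1=1: ", hardened_lookup(db, "1 or 1=1"))
```

The fix is not escaping or a blacklist of words like "or": it is keeping data and code separate. Once the value travels through a placeholder, the database engine treats the whole string as one value to compare against id, and the tautology never becomes part of the statement. The type check on top is cheap and turns the attempt into a clean 400 rather than a database error that leaks query details.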

Interesting Example


What if I do this:

https://****.unipune.ac.in/courses-detail.php?id = -1 OR UNION SELECT table_schema, table_name, 1 FROM information_schema.table

union: combines the result rows of multiple queries into one result set.

table_schema, table_name: columns of information_schema that give the schema (database) name and the table name.

information_schema: the built-in schema where metadata about all tables is stored.

What the above query basically does is retrieve all table names from the database schema. Now we can use those table names to form our attack query “select * from <table_name>” to retrieve table data.

To retrieve records from the USERS table we can form the query as

https://****.unipune.ac.in/courses-detail.php?id = 1 OR UNION SELECT * FROM USERS

Here we get some juicy info. We just retrieved all users’ data from the university SQL server.

Tooling Up

We can do these types of attacks using Android and Linux. I am using DroidSQLi on Android.

Android Tool: DroidSQLi

Linux Tool: SQLMap

Copy the link from the browser, paste it into “DroidSQLi” and just click on Inject, and it starts attacking the SQL database. These types of attacks really make noise in database logs, and your IP address is also stored in those logs. So just to be on the safer side, use proxies when you are attacking something that doesn’t belong to you.
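The "noise in the logs" is exactly what the site owner should be looking for. As an added example (not from the article, and not real SPPU logs), here is a small detector that reads web server access log lines in common log format, URL-decodes each query parameter and flags the patterns the post itself uses: a tautology like "1 or 1=1", a UNION SELECT, and a reference to information_schema. The four log lines are constructed; the hostnames, timestamps and IPs are placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access log (common log format). The payloads mirror the
# strings used in the article, URL-encoded the way a browser would send them.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2020:10:01:02 +0530] "GET /courses-detail.php?id=1 HTTP/1.1" 200 5120
203.0.113.10 - - [10/May/2020:10:01:09 +0530] "GET /courses-detail.php?id=1%20or%201%3D1 HTTP/1.1" 200 48213
203.0.113.10 - - [10/May/2020:10:02:31 +0530] "GET /courses-detail.php?id=-1%20OR%20UNION%20SELECT%20table_schema,%20table_name,%201%20FROM%20information_schema.table HTTP/1.1" 200 9031
198.51.100.7 - - [10/May/2020:10:03:00 +0530] "GET /index.php HTTP/1.1" 200 2210
"""

# One regex per request line: client IP, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Patterns are matched against the lower-cased, decoded parameter value.
# Order matters: the first match wins and labels the hit.
SQLI_PATTERNS = [
    (r"\bor\b\s+\S+\s*=\s*\S+", "tautology (or 1=1)"),
    (r"\bunion\b\s+(all\s+)?select\b", "union-based select"),
    (r"\binformation_schema\b", "schema enumeration"),
    (r"['\"].*(--|#|/\*)", "quote followed by SQL comment"),
]


def flag_sqli(log_text):
    """Return one hit dict per request whose query string looks like SQL injection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl already decoded once; decode again to catch double encoding.
            decoded = unquote_plus(value).lower()
            for pattern, label in SQLI_PATTERNS:
                if re.search(pattern, decoded):
                    hits.append({
                        "ip": m["ip"],
                        "time": m["ts"],
                        "param": name,
                        "value": decoded,
                        "reason": label,
                    })
                    break
    return hits


def count_by_ip(hits):
    """Aggregate hits per source IP so repeat offenders stand out."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in flag_sqli(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} param={hit["param"]} -> {hit["reason"]}')
    print(count_by_ip(flag_sqli(SAMPLE_LOG)))
```

A rule set this small will miss obfuscated payloads and will occasionally flag a legitimate search term, so it belongs in a triage pipeline rather than a blocking WAF. The more useful signals in practice are the ones the post points at: a burst of requests to the same parameter from one client, and unusually large response sizes (the 48213-byte reply above) on a page that normally returns one record.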

Pro Tip: Guys, why PHP….? There are lots of frameworks you can use, like Django (personal favorite), Laravel, etc., which provide much better security mechanisms than plain PHP.

What happened next: I mailed them the vulnerability, but they were not even interested in taking a look at it. So just to make them realize what I could do, I sent them their admin username and password by mail.

In the next 10 min, I got a reply… “Can we meet?”

And at the next moment, I was the happiest person on earth because they called me to fix their servers, and this is how my journey started.