How I hacked into my college database

- 7h3h4ckv157

From the beginning

Hey geeks✋🏻! I’m Kiran PP, a.k.a. 7h3h4ckv157. I’m a cybersecurity enthusiast, an ethical hacker and very passionate about infosec.

Last year, during the pandemic, I made a serious mistake in my life. Because of it I was depressed and spent some months stuck in that situation; later I realized I had to move on, and for a bit of relief I planned to hack into my college server.

After a few days of enumeration, I started exploring what I found on that server. As a result, I identified a certain directory on the website. Let’s name it example.php (I can’t mention the actual name).
At first I was totally confused, so I just played the fuzzing game! 😉

ffuf -w /path/to/paramnames.txt -u https://target/script.php?FUZZ=test_value -fs 4242

Then the fun begins.

I was shocked, then I dug for more. I did random number brute-forcing and identified that the parameter id returns data for values under 500. I checked out every record I met there (1–500, i.e. ?id=1 to ?id=500); I could see a lot of information about the staff, especially lecturers, including their photos, phone numbers, emails and a lot more 😄.

I thought it might be vulnerable to information disclosure, but sadly I found that this data is publicly available on the website at certain endpoints anyway. I didn’t give up there: I put a quotation mark ' after the input I had used previously (e.g. ?id=10') and the site went blank!!!

User input is used directly in a database query, so think of some input data that would break the structure of the query string.

I realized that I was on the right track.

I fixed the query by typing ?id=10' -- +-

That was the real thing I had to try in the first place. Anyway, now the page gets back to normal.

So I confirmed that it’s vulnerable to SQLi :)

SQLi in short

For more details visit:

https://owasp.org/www-community/attacks/SQL_Injection

After that I tried *automation*, but it failed.

Automation always fails (in my case).

Now it’s time for the manual hunt :)

To fix the query I used 10'+order+by+1 -- +-, then:
10'+order+by+2 -- +-
10'+order+by+3 -- +-
..
..
..
and so on,
until finally: 10' order by 22 -- +-

BOOM !!!!

Again the page blanked!

That’s how I confirmed there are 21 tables.

After that I injected ?id=-1'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 -- +-

From the result I found the vulnerable tables:

8,13,10,11,12,17,14,21,16

I tried multiple commands: database(), version(), @@hostname, user(), and also performed reflected XSS to make sure the table is vulnerable.

But the result of user() disappointed me a bit: I’m not super privileged (root). At that moment my dreams of RCE faded away.
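The three steps described above (a lone quote blanking the page, the ORDER BY counting, and the UNION SELECT read) as an added example that is not part of the original post: a constructed in-memory SQLite stand-in for the college database, with the string-built lookup next to a parameterized fix, plus a check that flags those probes in constructed access-log lines. The table layout, make_db, query_breaks and flag_probes are assumptions, not the real site.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the college database; sample data only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)",
                     [(10, "Lecturer A", "555-0100"), (11, "Lecturer B", "555-0101")])
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'hash-placeholder')")
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    # The 'before' pattern from the post: the id parameter is pasted into the SQL text,
    # so a lone quote breaks the statement and a closed quote lets the rest run as SQL.
    return conn.execute(f"SELECT id, name, phone FROM staff WHERE id = '{raw_id}'").fetchall()

def lookup_fixed(conn: sqlite3.Connection, raw_id: str) -> list:
    # Hardened form: validate the expected type, then bind the value as a parameter.
    if not raw_id.isdigit():
        return []
    return conn.execute("SELECT id, name, phone FROM staff WHERE id = ?", (int(raw_id),)).fetchall()

def query_breaks(conn: sqlite3.Connection, raw_id: str) -> bool:
    # True when the concatenated statement fails to parse: the "blank page" in the post.
    try:
        lookup_vulnerable(conn, raw_id)
        return False
    except sqlite3.OperationalError:
        return True

# Detection: the quote-then-comment, ORDER BY counting and UNION SELECT probes leave a
# recognisable trail in web server access logs once the query string is URL-decoded.
PROBE = re.compile(r"'\s*(?:--|order\s+by\s+\d+|union\s+(?:all\s+)?select)", re.IGNORECASE)

def flag_probes(access_log_lines: list) -> list:
    # Return the request lines whose decoded query carries one of the probe patterns.
    return [line for line in access_log_lines if PROBE.search(unquote_plus(line))]

SAMPLE_LOG = [  # constructed access-log lines, not from the original post
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /example.php?id=10 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2021:10:00:07 +0000] "GET /example.php?id=10%27+--+%2B- HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2021:10:00:30 +0000] "GET /example.php?id=10%27+order+by+22+--+%2B- HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2021:10:01:02 +0000] "GET /example.php?id=-1%27+union+select+1,2,3+--+%2B- HTTP/1.1" 200 4096',
    '10.0.0.9 - - [01/Jan/2021:10:01:30 +0000] "GET /example.php?id=11 HTTP/1.1" 200 5101',
]
```

Against this toy schema the ORDER BY probe errors from 4 onward because the statement has three columns, which is exactly the counting trick the post uses; the fixed lookup returns nothing for every non-numeric id.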

RCE (Remote code execution):

Still, my thirst didn’t end.
I planned to Dump In One Shot (DIOS) and strike again. :)

This time the query gave me all the databases in one shot: more than 30 tables and a large number of columns.

Now I’m able to dump all the data present in the database and get whatever output I want from DIOS. The complicated queries will be discussed later. However, the database is completely in my hands.

I didn’t perform any malicious activity nor compromise the server; I only wanted to know whether any vulnerability existed, and to practice and sharpen my skills.

If you use injection to steal money, it’s illegal. If you report your findings, that’s great! You found a bug before the bad guys found it. And in some cases, if you damage someone else’s data, that will also be considered a crime.

Feel free to connect on Twitter @7h3h4ckv157

For educational purposes
