Computer Hacking: What are some good computer hacks made by - TopicsExpress



          

Computer Hacking: What are some good computer hacks made by students in college?

It was my 4th semester result. I was hitting the refresh button on my college result web page. In a few minutes the result came out. I scored quite well, unlike other semesters. I was feeling quite energetic and hacky that day. I started to play around with that web page and, looking at the website, with such an ugly design, I suspected that there must surely be a loophole in their infrastructure and maybe I can hack into it. There was no organized structure to the website. I could see randomly thrown links on the website with no naming convention, poor CSS rules all around, poor compatibility with browsers.

I fired up my Firebug plugin on Firefox and started looking here and there for any loophole. The website looked vulnerable to SQLi the most, so I started with it. I started entering a few wrongly formatted roll numbers in the field that asked you for your Roll Number. Some inverted commas here and there and everything started to break apart. After investing a few more minutes, I was quite sure I could deface the whole infrastructure behind. Some wrongly formatted roll numbers would take me to an error page, and it was weird that the error itself was exposing internal information about the underlying SQL tables. It could tell me the names of the tables.

I googled this behaviour and found out that this is a major MSSQL 2000 bug. The college was using an older version of the Microsoft SQL server which itself had a SQLi vulnerability. There were fixes released by Microsoft for this vulnerability but, as I mentioned, the maintainer of the result server must be careless. He was still running the website on an old, outdated version of the SQL server. After tweaking more with the wrongly formatted roll numbers, I started to get the names of the underlying SQL tables. They were like teachers, 4thsem, 2nd sem.

And there it goes: I tweaked a few bits here and there, I started getting names of the teachers, the passwords of the teachers, the names of the students, their internal marks, and I was on fire defacing the whole website. By this time the wrongly formatted roll number string had reached up to 200 or 300 characters and counting. The only problem was that it was too cumbersome, because the vulnerability was allowing me to only deface one bit of data at a time. I had to change the roll number string every time to get the next piece of data. I could have written a script for that, which I did and ran on the server. It helped me dump usernames and passwords of all the teachers at once.

I was like, Holy F**k! Am I doing something wrong? Would they charge me for it? 2 years in prison or more? I stopped this and went to bed. I woke up after a few hours. By that time I had already stopped giving shit about the consequences, and the story continues.

The script could have dumped all other data but I thought of doing it in a more elegant way. I found out that, apart from the vulnerability exposing the SELECT statement output data in its error message, I could also use the vulnerability for INSERT, DELETE and other administrative operations. I thought of creating a test user on their SQL server. It took a few hours and finally I nailed it. At this point, I had created a test user with administrative privileges on the whole server and its data. Things started becoming easy from this point. I connected my SQL client to their SQL server. I had the credentials, I would put in test as username, as password and it would let me see the whole database, all tables, all teachers' usernames, their passwords, students' marks, all students' information, their home address, their father's name, the degrees to be awarded to students in the next coming convocation (You don't want some teacher of yours to get their PhD degree in the next convocation? Ok. Remove his name and add yours).

I could click on any field and change CGPA, SGPA and what not, and it would directly show up in the result web page. Since our college server was the first one to have the result data (teachers directly submit the grades on the server), changing it would mean changing the data on the printed mark sheets that the Academics block would issue to me. Hence, I was feeling quite powerful, but I didn't alter any bit of it. Something from inside me stopped me from doing that, maybe ethics. Moreover, since I had already scored well in that semester, the idea of increasing my grade didn't attract me much.

I was really scared of what I had done by now. I didn't want to tell everybody, just because I didn't want to get incriminated for it. I told this to my friend and requested him not to tell anyone a single bit about it. He agreed but asked me to prove it. I changed his CGPA to 9 from 8 momentarily, showed him and then reverted it. I decided not to alter any of the results and data on the server. Since it was vacation, I decided to close this hack project I had started and archived the whole database safely on my PC for about a month or so.

After that, college started and I decided to report the bug, just because I felt I should be doing that. I went to the Head, told him that this is the case and I could change the results without you even knowing it. The Head redirected me to the maintainer of the website. I told him the whole story and he fixed the bug. I kept it a secret for quite a long time (about one year) because I was afraid. Now, since I have stopped giving shit about being incriminated or whatever, I am making this public for the first time.

PS: Result for my 6th semester went public last week and I failed. I wish I had not reported the bug, so I could change the result and pass. ;)

Posted on: Fri, 08 Aug 2014 05:55:21 +0000
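
The failure mode the post describes (roll-number input reaching the SQL text, and raw database errors shown to the visitor) next to a hardened lookup, as an added example that is not part of the original post or the college's code. SQLite stands in for the MSSQL server here, and the `results` table, its rows and all function names are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 is a stand-in for the page's MSSQL server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE results (roll TEXT PRIMARY KEY, name TEXT, sgpa REAL)")
    db.executemany("INSERT INTO results VALUES (?, ?, ?)",
                   [("1001", "Student A", 8.1), ("1002", "Student B", 7.4)])
    return db

def lookup_vulnerable(db, roll):
    """'Before': input is pasted into the SQL text and the raw error is returned."""
    sql = "SELECT name, sgpa FROM results WHERE roll = '" + roll + "'"
    try:
        return 200, db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The visitor sees engine detail (syntax fragments, table names).
        return 500, "Database error: " + str(exc)

ROLL_RE = re.compile(r"\d{1,10}")      # allow-list: digits only (assumed format)
GENERIC_ERROR = "Result not available."

def lookup_hardened(db, roll, log=None):
    """'After': allow-list validation, bound parameter, generic error page."""
    if not ROLL_RE.fullmatch(roll):
        return 400, GENERIC_ERROR
    try:
        row = db.execute("SELECT name, sgpa FROM results WHERE roll = ?",
                         (roll,)).fetchone()
    except sqlite3.Error as exc:
        if log is not None:
            log.append(repr(exc))      # detail stays in the server-side log
        return 500, GENERIC_ERROR
    return (200, row) if row else (404, GENERIC_ERROR)
```

The bound parameter keeps the roll number out of the SQL text, and the generic error page removes the schema detail that the post's error pages exposed. The post also mentions creating an administrative user through the same path, which a web application database account limited to read access on the result tables would not permit.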
