How I hacked my college website in 2023

Rajan Kshedal
5 min read · Jan 4, 2023


Firstly Happy New Year, wonderful people!

Happy New Year from noobsixt9

I want to share with you how I hacked my college's website on the first day of 2023.
I recently started college and took the admission examination before that, so I kept visiting the website to see whether the results were up. When they posted the entrance results a few days later, I was ranked second. Yay! hahaha. I am aware that you are not here for that, so let's move on.

I opened the results image in another tab and noticed something.

Entrance Result URL

“wp” stands for “WordPress,” a Content Management System (CMS), and I am aware that it is not very secure. Hey! I am not saying WordPress is insecure; nothing on the internet is, and WordPress sites were targeted by hackers as recently as 2022. More information on that is available here.
So I used Wappalyzer to examine the version and the other technologies the site was using. I noticed that it was not running the most recent WordPress version.

That was what prompted me to run WPScan against the entire site. If you don't know what WPScan is, you can check this blog.

While WPScan was doing its job, I was growing increasingly curious about the website, so I performed subdomain enumeration using assetfinder.

I discovered more than 50 subdomains, although not all of them were particularly interesting. I chose two subdomains that were informative, fascinating, and directly linked to the main website. One of them ran an extremely outdated, vulnerable version of WordPress with no SSL certificate enabled, and the other hosted a particular PHP script for checking school students' entrance results. Now that WPScan had completed its task, it was time to review the results.

I will summarise what I found in that scan:

Upload directory has listing enabled

Default WP admin portal

Version vulnerable to Unauthenticated Blind SSRF via DNS Rebinding

That was quite a bit, so I took the other subdomain and gave WPScan another chance to work its magic.

While tinkering, I came upon an online admission form that required the upload of two files: a voucher and an image file. I remembered the file upload vulnerability. Anyone interested in learning more about it can do so here.

I tried to see whether there were any client-side validations by selecting a php-reverse-shell, and funnily enough, it didn't have any either. However, I refrained from uploading it, since I had not been asked to pentest the website and I did not want to go to jail. But this is a possible file upload vulnerability, and maybe RCE through it.

No validations, no problem
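The missing check above is what the server should have been doing regardless of the browser. As an added example (not the college's code), this is the server-side validation I would expect behind an admission form that accepts a voucher and a photo: the allowed types, the 2 MiB cap and the sample bytes are all assumptions.

```python
"""Server-side checks for an admission-form upload (added example, not the
college's code). Assumes the form accepts a PDF voucher and a JPEG/PNG photo.
The decision is made from the bytes and a server-chosen name, never from the
browser's say-so."""
import os
import re

# Allowed extensions and the magic bytes each one must start with (assumed policy).
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}
MAX_BYTES = 2 * 1024 * 1024  # 2 MiB cap, an assumed value

# Constructed sample inputs, not real files from the site.
GOOD_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64
GOOD_PDF = b"%PDF-1.4\n%constructed\n"
PHP_MARKER = b"<?php /* constructed marker, not a shell */ ?>"


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Anything whose name or content is not a plain
    voucher/photo is refused, so a PHP file never reaches the web root."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "size"
    base = os.path.basename(filename)
    # No path components, no traversal, no double extensions like x.php.jpg.
    if base != filename or ".." in base or base.count(".") != 1:
        return False, "name"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content"  # extension and bytes must agree
    if re.search(rb"<\?php|<\?=", data):
        return False, "content"  # PHP tags hidden inside an otherwise valid image
    return True, "ok"


def stored_name(filename: str, token: str) -> str:
    """Never keep the client's filename: store under a server-generated token plus
    the verified extension, in a directory the web server does not execute from."""
    return token + os.path.splitext(filename)[1].lower()
```

The `name` check deliberately rejects any second dot, which also blocks double-extension tricks at the cost of refusing names like `my.photo.jpg`.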

Once WPScan was done, it was time to review the results once more. I'll restate what I learned from that scan:

WordPress version 5.4.12 identified

Unauthenticated Blind SSRF via DNS Rebinding

Authenticated Stored Cross-Site Scripting (XSS) (via Vulnerable Plugin)

Damn, I discovered a ton of weaknesses and vulnerabilities, but once again, I haven't used any of them for personal advantage because I didn't want to get caught. The only thing left to examine was the PHP script on a different subdomain. To determine whether a student had passed or failed, it required a roll number as input. Fair enough, but now I was thinking about SQL injection, so I fired up my Burp Suite Community Edition. Poor me: when I put a simple test character in the symbolno parameter, oh my goodness, I received an unexpected result.

SQL Injection?

The error is telling me that it expects one thing and I am feeding it something else.

Now that I knew it was vulnerable to SQL injection, I could have been even more certain by doing some manual exploitation to see whether I could actually dump the database, but I was so curious, and I already know how the manual approach works, that I figured why not use an automated tool to see the results faster, hehe. So I saved the request, launched sqlmap, and entered the following command:

sqlmap -r sqli.txt -p symbolno --dbs

If I can see the databases, it follows that I can dump them as well. That's why I only used --dbs. After some time, I received my long-awaited results, and here is the proof.

Databases

I have successfully exploited the vulnerability and proved that I can read the databases. A successful SQL injection exploit can also read sensitive data from the database and modify it (Insert/Update/Delete), which means I could change a status from Failed to Pass and Pass to Fail, haha. So this confirms that I actually hacked my college website, right?
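The error the script threw on a stray character, and the fix I asked for in the report, side by side. This is an added example and not the college's PHP: an in-memory SQLite table stands in for the results database, and the table and column names are assumed.

```python
"""Why the result-check script broke on a single quote, and the fix (added
example, not the college's code). SQLite stands in for the real database;
the `results(symbolno, status)` schema is assumed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data, not real entrance results."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE results (symbolno TEXT PRIMARY KEY, status TEXT)")
    con.executemany("INSERT INTO results VALUES (?, ?)",
                    [("1001", "Pass"), ("1002", "Fail"), ("1003", "Pass")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, symbolno: str):
    """The pattern behind the error in the post: the roll number is glued into
    the SQL text, so a quote in the input changes the query's grammar."""
    sql = "SELECT status FROM results WHERE symbolno = '" + symbolno + "'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(con: sqlite3.Connection, symbolno: str):
    """Reject anything that is not shaped like a roll number, then bind the
    value as a parameter so the database only ever sees it as data."""
    if not symbolno.isdigit() or len(symbolno) > 10:
        return None
    row = con.execute("SELECT status FROM results WHERE symbolno = ?",
                      (symbolno,)).fetchone()
    return row[0] if row else None


def probe(func, con: sqlite3.Connection, value: str):
    """Return the lookup result, or the database error's class name, so the two
    implementations can be compared on the same input."""
    try:
        return func(con, value)
    except sqlite3.Error as exc:
        return type(exc).__name__
```

In the concatenated version a lone `'` leaves the string literal unterminated and the database reports a syntax error, which is exactly the tell seen in Burp; the parameterized version simply finds no such roll number.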

After this I wrote an email including all of the vulnerabilities, screenshots, a detailed explanation of how an attacker could actually use these flaws, and how they can be fixed.

Mail sent to the responsible authority

This was my first bug. I do not know if they will give me $$$ as a reward, hahaha; to be honest, I am not expecting anything from them. I am just happy that I found my first bug and can't wait to find more and more.

I’ll conclude this discussion right here. Once more, happy new year to all of you. May God bless you all with good health, wealth, and prosperity this year.

Keep hacking keep learning. ❤


Rajan Kshedal

Cybersecurity enthusiast, noob programmer and after joining medium probably a writer too HAHAHA