I HAVE NOT HACKED ANY OF THE SITES AND THE DATABASE, JUST TESTED THEM FOR VULNERABILITIES. I TESTED THEM AND FOUND ERRORS WHICH MAY/MAY NOT BE DISCLOSED HERE, AND IN NO WAY CAN ANYONE SUE ME FOR THIS, AS I DID AND MEANT NO HARM TO THE DATA OF THE CONCERNED ORGANIZATIONS. BY READING THIS ARTICLE YOU AGREE WITH THE DISCLAIMER.
IF YOU AGREE WITH THIS AGREEMENT, CONTINUE READING; ELSE IMMEDIATELY LEAVE THIS WEBSITE.
The story goes on...
Why not start with my university website, www.ptu.ac.in? The old web portal was recently revamped and broken into multiple parts, with www.ptuexam.com responsible for storing the data of students. This .NET-based website is quite insecure, was nearly defaced recently, and an old veteran once commented on the status of the website. On a lazy Saturday morning I was trying to see my result when I got interested in the structure of the website. "Poorly scripted" and "insecure" were the first words that blurted out of my mind.
The login is on the front page with some interesting URL patterns. I decided to get my hands dirty and inspected the site by provoking an error. It gave me a 404 error and I was able to deduce the server was a Microsoft one. Later I tried injecting the string " asdx" '" into the username and password fields of the form and I got a database error. It's vulnerable to SQL injection. I found an interesting URL:
http://www.ptuexam.com/Enquiry/WebMas_Adm_UniAdmProfile.asp?AdmID=
Upon experimenting I got multiple column names and usernames.
I was even able to get the server configuration, database names (500+ databases), table names and column names...
Microsoft SQL Server 2005 - 9.00.4053.00 (X64) May 26 2009 14:13:01 Copyright (c) 1988-2005 Microsoft Corporation Developer Edition (64-bit) on Windows NT 5.2 (Build 3790: Service Pack 2)
And then.. I got this..
I got a username and password to log in to the site. Just WHAT WERE THEY THINKING?!!!! Also, if one tries a bit harder, one can *easily* gain admin access to the PTU website and wreak havoc. No, I didn't hack it. But I was tempted to; I had all the data. I'm not a blackhat, but I'm not a whitehat either. I idolize the_ut as my hero, his knowledge, his ideology about the scene and his style, but hold him in contempt for his love of pure destruction.
Big question – why is it insecure?
Bigger question – what if a capable hacker defaces it, drops all the tables there and plays with the future of students?
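The mechanism behind the database error the login form and the AdmID parameter produced, as an added illustration that is not from the original post: a query built by string concatenation beside a parameterised one, run against a constructed in-memory SQLite table that stands in for the site's SQL Server data (the table and column names are assumptions, the rows are made up).

```python
import sqlite3

# Constructed stand-in for an admin-profile table; the name and the rows are
# assumptions, not data from the site.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AdmProfile (AdmID TEXT, Name TEXT)")
    conn.executemany("INSERT INTO AdmProfile VALUES (?, ?)",
                     [("1", "alice"), ("2", "bob")])
    return conn

def lookup_concat(conn, adm_id):
    # Vulnerable pattern: the query-string value is pasted straight into the
    # SQL text, so a quote in the input becomes SQL syntax. A stray quote
    # unbalances the statement and the engine returns an error, which is
    # exactly the symptom the login form showed.
    sql = "SELECT Name FROM AdmProfile WHERE AdmID = '" + adm_id + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, adm_id):
    # Hardened form: the value travels to the engine as a bound parameter.
    # Whatever characters it contains, it is compared as data, never parsed
    # as part of the statement.
    sql = "SELECT Name FROM AdmProfile WHERE AdmID = ?"
    return [row[0] for row in conn.execute(sql, (adm_id,))]

def probe(adm_id):
    """Run the same input through both styles and report what each does."""
    conn = make_db()
    results = {}
    try:
        results["concat"] = lookup_concat(conn, adm_id)
    except sqlite3.Error as err:
        # The concatenated query breaks; a real site would leak this message.
        results["concat"] = "DB error: " + str(err)
    results["param"] = lookup_param(conn, adm_id)
    return results

if __name__ == "__main__":
    print(probe("1"))     # both styles find alice
    print(probe("1'"))    # concat: DB error, param: no row, no error
```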
*update* - Officials at PTU contacted me and their administrator met me personally. They had a look at all the findings and loopholes I found, and we discussed making a move to open source. Looks like a nice start to me. The rest we shall see, where it all goes. Greets go to Samandeep and Mr Amarjit Singh, who did their best.
And this is only the beginning.. Many university sites and government sites are easily hackable. Why they don't secure them is unanswered. The worst part is that all the so-called Hacking Academies and Institutes which teach the basics of hacking make students practice on them. The vulnerable sites? Let's have a look at them:
NIT Kurukshetra Website
FIITJEE website is another offender
Seshadripuram Law college website and the trust’s website
NISCAIR website... this one was even on YouTube once
Zee news Noida
National Assessment and Accreditation Council of INDIA
93.5 Red FM was virtually digitally raped before its overhaul.. still not very safe
Official site of Dino Morea and site and even more..
Frankly speaking, any sufficiently experienced technology enthusiast can hack these websites in minutes. The security is zero, and that's why we are behind in cyber subculture today. Folks, it's time to wake up and make our sysadmins realize that the cyber scenario is quite advanced today and we are no match for the upcoming competition. We just can't let others deface our resources, can't let them play with our future.
Time to get better and buckle up before someone performs an rm -rf on us.
Hackers are here.. Where are you?
POSTED BY XERO ALL RIGHTS RESERVED.