Hackable Government and Educational Websites - what were they thinking..?
Recently I got an email saying that 855 crores of money is spent on ministers who do nothing (except for fighting for power, that is) and much of it is true. The Government is taking loans from the UN for its concerns, and precious resources are wasted on old whimpering scrooges who rule the holy land. No.. I'm not pissed off much. Not much, but what really pisses me off is the quality of government websites in India. Tell me any .gov.in portal which is secure and I will stop blogging. There has been quite a peculiar scenario going on with the security scene in India. A cyber cold war is going on with Pakistan and China as of now, with defacing going on from both sides with no sweat and no concerns. I don't blame anyone for this; it's natural that if you find a vulnerability in a website (or in general, anything), you will be especially tempted to exploit it. What concerns me is that the websites of government officials, Bollywood stars and educational institutions are quite hackable and NO ONE is concerned about them. Then there come the media paparazzi and the spiced-up news channels exaggerating everything to Himalayan proportions. And then every script kiddie becomes a hacker, not by his hack, but by the media.
The story goes on..
Why not start with my University website, www.ptu.ac.in? The old web portal was recently revamped and broken into multiple parts, with www.ptuexam.com responsible for storing the data of students. This DOT NET based website is quite insecure, was even nearly defaced recently, and an old veteran once commented on the status of the website. On a lazy Saturday morning I was trying to see my result when I got interested in the structure of the website. "Poorly scripted" and "insecure" were the first words that blurted out from my mind.
The login is given on the front page with some interesting URL patterns. I decided to get my hands dirty and inspected the site by creating an error. It gave me a 404 error and I was able to deduce the server was a Microsoft one. Later I tried injecting "asdx" '" into the username and password fields of the form and I got a database error. It's vulnerable to SQL injection. I found an interesting URL -
http://www.ptuexam.com/Enquiry/WebMas_Adm_UniAdmProfile.asp?AdmID= and upon experimenting I got multiple column names and usernames.
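As an added example (not from the original post or from PTU's own code), here is how a site administrator could spot the kind of probing described above in IIS W3C logs: a stray quote or catalog keyword in a query-string parameter, and the 500 responses that come back when the injected quote breaks the query. The log lines are constructed, and the field layout in the #Fields header is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote_plus
# Constructed IIS W3C log lines (not from the page); the #Fields header declares the columns.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-03-06 09:12:01 203.0.113.5 GET /Enquiry/WebMas_Adm_UniAdmProfile.asp AdmID=1021 200
2010-03-06 09:12:09 203.0.113.5 GET /Enquiry/WebMas_Adm_UniAdmProfile.asp AdmID=1021%27 500
2010-03-06 09:12:31 203.0.113.5 GET /Enquiry/WebMas_Adm_UniAdmProfile.asp AdmID=1021%20UNION%20SELECT%20name%20FROM%20sysdatabases 200
2010-03-06 09:13:40 198.51.100.7 POST /login.asp - 200
"""
# A stray quote, comment terminator, statement separator or catalog/set-operator
# keyword inside a parameter value: the probes the post describes.
PROBE_RE = re.compile(r"'|--|;|\bunion\b|\bselect\b|\bsysobjects\b|\bsysdatabases\b|@@version", re.I)

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines instead of mis-assigning columns
                yield dict(zip(fields, values))

def suspicious_params(query):
    """Return (name, decoded value) pairs whose value matches PROBE_RE."""
    if query == "-":  # IIS logs '-' for an empty query string
        return []
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote_plus(value)  # parse_qsl decodes once; decode again to catch %2527-style double encoding
        if PROBE_RE.search(value):
            hits.append((name, value))
    return hits

def detect_sqli_probes(text):
    """Group hits per client; 5xx responses are the error-based signal the author saw."""
    report = {}
    for rec in parse_w3c(text):
        hits = suspicious_params(rec["cs-uri-query"])
        if not hits:
            continue
        entry = report.setdefault(rec["c-ip"], {"probes": [], "errors": 0})
        entry["probes"].extend(f"{rec['cs-uri-stem']}?{n}={v}" for n, v in hits)
        if rec["sc-status"].startswith("5"):
            entry["errors"] += 1
    return report
```

Running `detect_sqli_probes(SAMPLE_LOG)` reports only 203.0.113.5, with two probes and one server error; a client that sends probes and then gets a 500 is exactly the pattern worth alerting on.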

I was even able to get the server configuration, database names (500+ databases), table names and column names…
Microsoft SQL Server 2005 - 9.00.4053.00 (X64) May 26 2009 14:13:01 Copyright (c) 1988-2005 Microsoft Corporation Developer Edition (64-bit) on Windows NT 5.2 (Build 3790: Service Pack 2)
And then.. I got this..
E555802-130167
I got a username and password to log in to the site.. Just WHAT WERE THEY THINKING ?!!!! Also, if one tries a bit harder one can *easily* gain Admin access to the PTU website and wreak havoc. No.. I didn't hack it. But I was tempted to; I had all the data. I'm not a blackhat, but I'm not a whitehat either. I idolize the_ut as my hero, his knowledge, ideology about the scene and his style, but hold him in contempt for his love for pure destruction.
Big question – why is it insecure ?
Bigger question – what if a capable hacker defaces it, drops all the tables there and plays with the future of students ?
*update* - Officials at PTU contacted me and their administrator met me personally. They had a look at all the findings and loopholes which I found and discussed making a move to open source. Looks like a nice start to me. Rest we shall see where it all goes. Greets go to Samandeep and Mr Amarjit Singh, who did their best.
And this is only the beginning.. Many University sites and government sites are easily hackable. Why they don't secure them is unanswered. The worst part is that all the so-called Hacking Academies and Institutes which are teaching the basics of hacking make students practice on them. The vulnerable sites ? Let's have a look at them -
Time to get better and buckle up before someone performs an rm -rf on us.
Hackers are here..Where are you ?
POSTED BY XERO ALL RIGHTS RESERVED.

About the author : Rishabh Dangwal
Rishabh Dangwal is a no-nonsense network geek who has got a thing for guitars, retro games and emulators. When he is not tinkering with devices and gadgets, he can be found reading novels by Frederick Forsyth. Follow him on Twitter.