I can’t thank you enough for the great response you people gave to my first article. This encourages me to write more of these; at least I know I am helping out many of you. 😘
If you haven’t read about the first time I hacked into the website, read it here.
There is something interesting further down the page, don’t forget to check it out. 😛
Hacking Linways College Portal Again
Hacking the same old website again isn’t a fascinating thing. You already took a deep dive into the website and hardly came up with one or two bugs. Once it’s resolved, you would never feel like giving it another shot, right?
That was my scenario too. Last time, when I was told the issue was fixed, I immediately made sure that they had fixed it, and then I never went back to it for many months, until I noticed it just now.
Previous Hack Explained (December 28, 2019)
In simple words, there was a page with an upload form to upload or delete our profile image.
Due to poor coding logic, the image deletion part went wrong:
- They never checked that the file being deleted was actually an image (.png, .jpg or any other image), not even by file extension.
- It took a relative path in the directory, which was not constrained at all.
- This allowed me to delete any file I could navigate to on the server.
Vulnerable link: https://tkmce.linways.com/student/student_details/removesignimage.php?imgurl=../image.png
My altered link: https://tkmce.linways.com/student/student_details/removesignimage.php?imgurl=../../student.php
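For contrast with the deletion logic described above, here is how a delete handler that confines the user-supplied image name to the upload directory looks. This is an added example, not Linways’ code; the directory layout, the allowed extensions and the parameter handling are assumptions, and the sample files in demo() are constructed.

```python
import tempfile
from pathlib import Path, PurePosixPath

# Extensions a "remove profile photo" handler should be willing to delete (assumed).
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}


class UnsafePathError(ValueError):
    """Raised when the user-supplied image name cannot be mapped safely."""


def resolve_image_path(upload_dir: Path, user_value: str) -> Path:
    """Map the imgurl/photoimage parameter onto a file inside upload_dir.

    Rejects absolute paths, any '..' component, anything with a directory part,
    non-image extensions, and anything that resolves outside upload_dir.
    """
    supplied = PurePosixPath(user_value)
    if supplied.is_absolute() or ".." in supplied.parts or len(supplied.parts) != 1:
        raise UnsafePathError(f"rejected path component in {user_value!r}")
    if supplied.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafePathError(f"not an image file: {user_value!r}")
    base = upload_dir.resolve()
    candidate = (base / supplied.name).resolve()
    # Both sides are fully resolved, so a symlink inside the upload directory
    # pointing elsewhere still fails this containment check.
    if candidate.parent != base:
        raise UnsafePathError(f"{user_value!r} escapes the upload directory")
    if not candidate.is_file():
        raise FileNotFoundError(user_value)
    return candidate


def remove_profile_image(upload_dir: Path, user_value: str) -> bool:
    """Delete the caller's image. Returns True on success, False if rejected."""
    try:
        target = resolve_image_path(upload_dir, user_value)
    except (ValueError, FileNotFoundError):
        # ValueError also covers UnsafePathError and embedded NUL bytes.
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Exercise the handler in a throwaway directory (constructed input)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "uploads"
        uploads.mkdir()
        (uploads / "image.png").write_bytes(b"\x89PNG")
        (root / "student.php").write_text("<?php // stand-in for the login page ?>")
        results = {
            "traversal": remove_profile_image(uploads, "../student.php"),
            "bad_ext": remove_profile_image(uploads, "notes.php"),
            "legit": remove_profile_image(uploads, "image.png"),
            "login_page_survives": (root / "student.php").exists(),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the containment check is that it does not depend on spotting every encoding of "..": the candidate is resolved to an absolute path and then compared against the resolved upload directory, so any value that ends up outside that directory is refused regardless of how it was written.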
Any idea how to solve this? It’s simple: remove the remove-photo feature itself. 😂 The good old Linways!
Yes, that’s exactly what they did. I died laughing when I saw that.
Today’s Hack Explained (May 08, 2020)
I went out to explore the Linways college portal again, and to my surprise, within a span of just 30 minutes I found the bug. THE SAME BUG.
If you try to add a profile picture and then delete it, two parameters in the form change: 'removeProfilePhoto = true' and 'photoimage = ../image.png'.
You know the rest of the story.
Using Burp, I changed the value to '…/student.php' and deleted the main student login page (I know, I should have deleted the faculty page 😂 Damn their assignments).
The page got deleted, and I made sure it wasn’t just deleted for me.
I waited for 20 mins so that everyone could take a look and be happy. 😛
I got zero response from Linways; they silently fixed the bug without even thanking me.
At least now they have kept the logs working to monitor my requests and find out how exactly I am pulling off this vulnerability. Great job 😉
Playing more with Linways Portal!
There are lots of things you can do and learn about coding, and a bit of hacking, from all these experiments.
I made EazyCampus, as you all know by now, to automatically fetch attendance and marks from their website, faster and with a better-presented UI.
Now, as you all know, our college portal has a parent login system with a similar arrangement. You can now brute-force and automate logging into each and every student account.
What details can you acquire?
- Personal details like name, admission no, photo, batch, branch, blood group, mail id, phone no, parent’s details, home address, gender, age, and more
- Attendance and Marks (who needs that 😂)
I wrote a simple python script that does this.
Thanks to their high-speed servers, in just 1 hour I could extract the entire Linways/TKMCE students’ details, i.e. the full details of 4095 students.
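The post mentions twice what the server side would see: the logs that now monitor the traversal requests, and the one-hour run that walked through every student record. As an added example (not Linways’ code or logging), the script below parses a few constructed access-log lines in combined-log style and raises two kinds of alert: a query parameter containing a parent-directory component, and a single client viewing an unusually large number of distinct student ids within a short window. The paths /parent/view_student.php and the admno parameter are invented for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines; the parent-portal path and admno parameter are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2020:10:00:01 +0530] "GET /student/student_details/removesignimage.php?imgurl=image.png HTTP/1.1" 200 51
10.0.0.5 - - [08/May/2020:10:00:09 +0530] "GET /student/student_details/removesignimage.php?imgurl=../../student.php HTTP/1.1" 200 51
10.0.0.5 - - [08/May/2020:10:00:12 +0530] "POST /student/profile.php?removeProfilePhoto=true&photoimage=..%2F..%2Fstudent.php HTTP/1.1" 200 51
10.0.0.9 - - [08/May/2020:11:00:00 +0530] "GET /parent/view_student.php?admno=1001 HTTP/1.1" 200 812
10.0.0.9 - - [08/May/2020:11:00:01 +0530] "GET /parent/view_student.php?admno=1002 HTTP/1.1" 200 805
10.0.0.9 - - [08/May/2020:11:00:02 +0530] "GET /parent/view_student.php?admno=1003 HTTP/1.1" 200 799
10.0.0.9 - - [08/May/2020:11:00:03 +0530] "GET /parent/view_student.php?admno=1004 HTTP/1.1" 200 811
10.0.0.9 - - [08/May/2020:11:00:04 +0530] "GET /parent/view_student.php?admno=1005 HTTP/1.1" 200 808
10.0.0.22 - - [08/May/2020:11:05:00 +0530] "GET /parent/view_student.php?admno=2041 HTTP/1.1" 200 810
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# A ".." path component, in either slash style, or an absolute path.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)|^/")


def parse_line(line: str):
    """Split one combined-log line into ip, timestamp, path and decoded query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": url.path,
        "query": parse_qs(url.query, keep_blank_values=True),
        "status": int(m["status"]),
    }


def parse_log(text: str) -> list:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def traversal_alerts(records: list) -> list:
    """Flag any query value that still carries a '..' component after decoding."""
    alerts = []
    for r in records:
        for param, values in r["query"].items():
            for v in values:
                # parse_qs decoded once; decode again to catch double-encoded input.
                if TRAVERSAL_RE.search(v) or TRAVERSAL_RE.search(unquote(v)):
                    alerts.append({"ip": r["ip"], "ts": r["ts"], "path": r["path"],
                                   "param": param, "value": v})
    return alerts


def enumeration_alerts(records: list, param: str = "admno",
                       window: timedelta = timedelta(minutes=1), threshold: int = 4) -> list:
    """Flag a source ip that views >= threshold distinct ids within one window."""
    by_ip = defaultdict(list)
    for r in records:
        for v in r["query"].get(param, []):
            by_ip[r["ip"]].append((r["ts"], v))
    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window forward
            best = max(best, len({v for _, v in events[start:end + 1]}))
        if best >= threshold:
            alerts.append({"ip": ip, "distinct_ids": best,
                           "window_seconds": int(window.total_seconds())})
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in traversal_alerts(recs) + enumeration_alerts(recs):
        print(a)
```

The threshold of four distinct ids per minute is deliberately low for the sample; a real deployment would tune it to the number of students a legitimate parent account can view, which for a parent portal is usually one.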
Now I can easily search for any student from my college with an SQL query.
-> SELECT * FROM student_details WHERE NAME LIKE '%SREEKANT%';
To make this even more interesting, I can use this whole data set to plot a map of students coming from different parts of Kerala.
Wait… why don’t I make a TKMCE Family collage ❤️
Here is the output, a collage of 2078 students. Try to find yourself in here 😁