A Critical Vulnerability leads me to take over the College Website!

Harshit
Jan 29, 2023

How I hacked into a College Database

Most colleges have a policy that, at the very beginning of college, they assign students a username and password to log in to an online portal that holds their data, such as their name, registration number, parent's name, phone numbers, social security number (Aadhaar number), etc.

Breaking down the Hack

As bored as I was, I thought, let's try Google dorking on some college websites. So I created a random parameters list. Now I created a list and started recon and automation, so as to check if it runs fine. I started the attack and in a minute, voila! With this I came to know that the id parameter is vulnerable to a time-based SQLi attack. BOOM! That would have given me access to the data in the easiest way possible.

https://www.redacted.com/page.php?id=1

Carrying out the hack

So, in the beginning I manually entered SQL queries to bypass the security. This had a whole different level of high, as by bypassing this security I got access to some really personal data regarding the students, and not just that, there was data even about their respective guardians.
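
Seen from the defending side, a time-based probe of an integer `id` parameter leaves a recognisable trace in web access logs: a non-integer `id` value, sometimes answered far more slowly than normal. The following is an added example, not code from the original post; the log format (request duration in seconds as the last field), the log lines, the addresses and the `slow_factor` threshold are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample (not from the post): combined log format with the
# request duration in seconds appended as the last field (an assumption).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2023:10:00:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 5120 0.041
203.0.113.7 - - [29/Jan/2023:10:00:02 +0000] "GET /page.php?id=27 HTTP/1.1" 200 4988 0.038
198.51.100.9 - - [29/Jan/2023:10:02:10 +0000] "GET /page.php?id=1%27 HTTP/1.1" 500 312 0.035
198.51.100.9 - - [29/Jan/2023:10:02:15 +0000] "GET /page.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 5.047
198.51.100.9 - - [29/Jan/2023:10:02:21 +0000] "GET /page.php?id=1%20AND%20SLEEP(0) HTTP/1.1" 200 5120 0.040
203.0.113.7 - - [29/Jan/2023:10:03:00 +0000] "GET /page.php?id=3 HTTP/1.1" 200 9001 6.200
"""

LINE_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3} \d+ ([\d.]+)$')
INT_RE = re.compile(r"[0-9]+")  # the only shape a legitimate id should have

def parse(line):
    """Return (client_ip, id_values, seconds) or None for unparsable lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group(1)).query
    ids = parse_qs(query, keep_blank_values=True).get("id", [])
    return line.split()[0], ids, float(m.group(2))

def baseline(entries):
    """Median latency of requests whose id values are all plain integers."""
    clean = sorted(s for _, ids, s in entries
                   if ids and all(INT_RE.fullmatch(v) for v in ids))
    return clean[len(clean) // 2] if clean else 0.0

def detect(log_text, slow_factor=20.0):
    """Flag non-integer id values; mark those answered far slower than baseline."""
    entries = [e for e in map(parse, log_text.splitlines()) if e]
    base = baseline(entries)
    findings = []
    for ip, ids, secs in entries:
        if all(INT_RE.fullmatch(v) for v in ids):
            continue  # slow but well-formed requests are not injection evidence
        slow = base > 0 and secs > base * slow_factor
        reason = "non-integer id with delayed response" if slow else "non-integer id"
        findings.append((ip, reason, secs))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The same integer-only rule, enforced in the page handler together with a parameterized query, is what closes the hole; the log check only shows that someone is probing it.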

Harshit

Security researcher |Android Developer | EE | Bug Bounty Hunter | Reverse Engineering | Malware analyst