How I found an interesting loophole in my college results website?
This article explains how and why I was able to hack my college results database and was able to view them before they even get published.
In my college, the results are made available to the students who have cleared all their hostel dues in time. So, if you are a hosteller and you haven’t cleared your dues then you won’t be able to get to know you results in time. You need to wait until the memos come out. This led me to start moving my thoughts towards finding a loop hole in my colleges results website.
This was my 1st year second semester days, first semester results were out and many hostelers were unable to get their results from the website,(because of the obvious ‘‘Mess Due’’ reason). So my friend Rahul is one such victim. So I am as excited as him to know his result😅. So I was scrolling through the backend code of the website to make some XSS attacks. But it's just useless.
The later day, our examination branch started distributing the Memos to the students who have cleared their pending dues. I got hands-on my Memo, As it was my first memo of the college, I was quite excited and started keenly observing the memo appearance(🤷♂️ standard geeky way).
So, I came across these two things which I am really curious about. In the next minute, I started scanning the barcode and QR. The QR given here is to verify the originality of the memo, which basically gives a web-link to the website that gives all details about the memo including your score. This is where I got my confidence back 😉.
So this is how the scanned result of QR looks like
https://results.jntuhceh.ac.in/verify/memo/44f7cd44c8e07ff6d93846fd5fac17411084fc695eecaeb8f0dc3a63c9662f85Within my first glance, I found that the thing at the end of the link is some kind of hash.🤔
44f7cd44c8e07ff6d93846fd5fac17411084fc695eecaeb8f0dc3a63c9662f85Later after Googling about types of hashes available, I found that this hash is basically SHA 256.
A hash function is a function that takes an input and produces a value of fixed size. In layman terms, it basically converts the given data into a different format by making it random (into a specified number of characters). Which basically is irreversible.
But there are few websites that can reverse these hashes based on the leaked databases online. Luckily, after further Googling, I found this website that was able to reverse that SHA 256 hash.
After reversing I got this as a result
111251This is quite similar to what I got by scanning the Barcode given on the memo beside QR code.
Later I have added 2 to that memo number and generated the corresponding hash for 111253. And it looks like this,
04af7999888ebae7cc5bb6da8d87030204266b1b45a7994301afe5bdfb6a03e5Next, I replaced the old hash in the link with the new hash
https://results.jntuhceh.ac.in/verify/memo/04af7999888ebae7cc5bb6da8d87030204266b1b45a7994301afe5bdfb6a03e5And Boom 🎉 this link gave the result of my friend whose roll number is 2 steps away from my roll number.
This allowed me to crack the whole backend structure of the database 😜 and thus was able to get the result of everyone irrespective of the dues.🕺
This talk spread over the college like wildfire and rest is history ✌.
Thanks to Quarantine, this is my first article on Medium 😁.
Check out my website to know more about me and my other projects
Hope you have enjoyed reading this article 😃 . If yes, try reading my other articles.
