How I Hacked My School Website (And Reported It!)

credit DALL-E

Yo, what’s up? ChrolloD here. So, this is a quick write-up on how I hacked my school’s website one random afternoon. Turns out, they had a classic error-based SQL injection vulnerability, and with just a few queries, I could pull student data, fee payments, transaction IDs, and more!

This is for educational purposes only! The goal is to spread awareness about web security and the importance of ethical hacking. Always stay legal and use your skills for good!

This was the input field where students enter their admission number to check their fee status. The site would then fetch details from the database and display them.

First, I did a simple test by entering an apostrophe (‘), and BAM — the site threw an SQL error. Classic rookie mistake in web security. No surprises there. So, I tried this query:

‘ OR 1=1 GROUP BY CONCAT_WS(‘-’,database(),FLOOR(rand(0)*2)) having min(0)#

And guess what? It revealed the database name.

(redacted due to sensitive info)

Once I had the database name, I moved on to fetching table names:

‘ OR 1=1 GROUP BY CONCAT_WS(‘-’,(SELECT table name FROM information_schema.tables WHERE table_schema=’nameofthedatabase!' LIMIT 3,1),FLOOR(rand(0)*2)) having min(0)#

shocked!!!

Well this is where I was shocked because I thought this database will be having some data related to fee and name of the student and things like that, which they display in the website when you enter your admission number but It was containing more than that. “I mean MORE THAN THAT”

(redacted due to sensitive info)

At this point, I knew I had to do the right thing. As a responsible security researcher, I stopped digging and wrote a detailed report explaining the vulnerability and sent it to the institution.

“ I am writing this now because they have resolved this bug and I wanted make an awareness about this kind of serious vulnerabilities which exist in web application.”

Always practice responsible disclosure. Finding a vulnerability doesn’t mean you should exploit it.Web security is no joke. Even a simple SQLi can expose tons of sensitive data.If you’re into hacking, go ethical! Bug bounties, security research, and CTFs are the way to go.

Always practice ethical disclosure and never exploit the vulnerabilities you find for malicious purposes.

Hacking your school’s website might sound like something out of a movie, but trust me — it’s very real. Stay ethical, stay curious, and keep learning.

That’s it for now. Hack for good. See ya! 😎

— ChrolloD (Jithendhriyen)