hackRIT : SQLi+Privilege Escalation Vulnerabilities
In October 2016, I discovered serious vulnerabilities in my college's internal website. The bugs involved bypassing administrator privileges, insecure direct object references (IDOR) and SQL injection, which together could lead to sensitive information leakage.
These were very straightforward to find. Upon examining the URL, I discovered that the ID parameter was vulnerable to SQLi. Also, by changing the EnrollNo value in that query, I was able to access the photos and information of other students and teachers.
The URL was something like this (shown here after URL decoding):
www.website.com/ritcloud/StudentPhoto.ashx?ID=SELECT Photo FROM StudMstAll WHERE EnrollNo = '1303052'
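As an added illustration (not the author's script, and not the college's actual .ashx handler, which is modelled here in Python over an in-memory table), the vulnerable pattern beside a hardened one: the ID value is treated as bound data with a checked format, and the server decides from the authenticated session whose photo may be returned. The SessionUser class, the 7-digit EnrollNo format and the table contents are assumptions.

```python
import re
import sqlite3
from dataclasses import dataclass

def make_db():
    # Constructed stand-in for the StudMstAll table named in the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE StudMstAll (EnrollNo TEXT PRIMARY KEY, Photo BLOB)")
    conn.executemany("INSERT INTO StudMstAll VALUES (?, ?)",
                     [("1303052", b"photo-A"), ("1303053", b"photo-B")])
    return conn

@dataclass
class SessionUser:          # hypothetical: the identity the server authenticated
    enroll_no: str
    role: str               # "student" or "staff"

def student_photo_vulnerable(conn, id_param):
    # The pattern the post describes: the ID parameter *is* the SQL statement,
    # so whoever builds the URL chooses both the query and the WHERE clause.
    row = conn.execute(id_param).fetchone()
    return row[0] if row else None

ENROLL_RE = re.compile(r"\d{7}")   # assumed format, matching the 7-digit example

def student_photo_hardened(conn, user, enroll_no):
    # Fix 1 (SQLi): the parameter is data, never SQL. Check its shape, then bind it.
    if not ENROLL_RE.fullmatch(enroll_no):
        raise ValueError("malformed EnrollNo")
    # Fix 2 (IDOR): object-level authorization. A student may fetch only their own
    # record; staff may fetch any. Ownership comes from the session, not the URL.
    if user.role != "staff" and user.enroll_no != enroll_no:
        raise PermissionError("not authorised for this EnrollNo")
    row = conn.execute("SELECT Photo FROM StudMstAll WHERE EnrollNo = ?",
                       (enroll_no,)).fetchone()
    return row[0] if row else None

def outcome(fn, *args):
    # Collapse a return value or a refusal into one comparable result.
    try:
        return fn(*args)
    except (ValueError, PermissionError) as e:
        return type(e).__name__

def demo():
    conn = make_db()
    me = SessionUser("1303052", "student")
    staff = SessionUser("0000001", "staff")
    query = "SELECT Photo FROM StudMstAll WHERE EnrollNo = '1303053'"
    return {
        "vuln_other_student": outcome(student_photo_vulnerable, conn, query),
        "hard_own_photo": outcome(student_photo_hardened, conn, me, "1303052"),
        "hard_other_student": outcome(student_photo_hardened, conn, me, "1303053"),
        "hard_query_as_input": outcome(student_photo_hardened, conn, me, query),
        "hard_staff": outcome(student_photo_hardened, conn, staff, "1303053"),
    }
```

The hardened handler refuses both the query-shaped input and a student's request for another student's record, while the original pattern hands back whatever the supplied SELECT returns.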
Initially, I was unsure about proceeding with the test, but after receiving approval from my teacher, I gained confidence and began exploring. Through my evaluation, I confirmed the vulnerabilities mentioned above and documented my findings in a proof of concept. I also had fun writing a Python script that automated the downloading of photos and information for the entire college, which I called hackRIT.
After sending an email with the script and proof of concept to our network administrator, I didn't receive a reply for a month. Then one day I received a call asking about the report, and I was happy to check additional potential risks with them.
It looks like they eventually fixed the bugs last month, and I wanted to share my experience in the hope of promoting responsible and ethical security practices.