
Student hacks high school software and finds “SQL injections galore” - GiulioS
https://secalerts.co/article/student-hacks-school-software-and-finds-sql-injections-galore/5cf2e72f
======
michaelmcmillan
Some friends and I hacked Blackboard last year. We exploited it by smuggling
null bytes (0x00) via their WebDAV protocol.

This made it possible to hijack other accounts, including our professors'. So
we hacked our own grades and then reported it. Luckily we didn't suffer the
same fate as Demirkapi.

Blog post here: [https://bustbyte.no/blog/how-we-hacked-blackboard-and-changed-our-grades](https://bustbyte.no/blog/how-we-hacked-blackboard-and-changed-our-grades)

~~~
anaphor
I remember finding XSS and XSRF bugs in one of their things like 9 years ago.
I'm not surprised it still sucks.

I posted it on the full disclosure mailing list, and IIRC they ignored it as
far as I could tell. This was back in 2010.

(And before I get flak for not notifying them before disclosing it, I was a
teenager and I wouldn't do it that way now)

~~~
Rychard
I reported a vulnerability in Blackboard when I was in college (around the
same time period as you).

I don't recall any sort of disclosure mailing list, and the only contact link
I found seemingly went through my college's IT department. Whether my
university had applied some customization, or whether it was just me being a
young college student, I'm not sure.

Anyways, a few days after I had reported the vulnerability, I was summoned to
a meeting where I found myself sitting at a table opposite my academic
advisor, as well as the Department Chair of the CS department, where they
began to speak to me about "academic integrity".

I'm glad the story mostly ends there, as during this meeting I realized what
had _actually_ happened; someone in the IT department had misinterpreted my
report as some sort of hacking threat, and they had "tracked me down on the
university network", which makes no sense because I had reported the
vulnerability via email directly from my .edu address.

While I wasn't exactly well-liked among the professors in the CS department,
the department chair at least recognized that it was a big misunderstanding,
that I wasn't doing anything nefarious, and had been acting in good faith.

After that meeting, I had approximately zero interest in disclosing
vulnerabilities of any sort, for fear of being on the hook if/when they were
ever exploited.

~~~
tastroder
> I don't recall any sort of disclosure mailing list,

FYI, your parent post referred to [1] here. Glad nothing too bad came of your
disclosure.

[1]
[https://seclists.org/fulldisclosure/](https://seclists.org/fulldisclosure/)

------
overcast
I'm confident that if you poked around the software of the vast majority of
organizations in this world, you'd find "SQL injections galore". There is just
limitless amounts of old code that no one has the resources to address. Should
the information on students be well protected? Of course. Have you ever seen
the software running your local dentist, doctor, insurance office? It's just
impossible to spend money and fix things that already work.

~~~
bluedino
We have about 200,000 lines of code that look like this:

    ' Form field values and strFileID are concatenated straight into the SQL text
    Let strsql = "Update TbfFileManagementSystem Set FileName = replace(FileName,'" & Me![PONumber].OldValue & "','" & Me![PONumber] & "')" & _
        " Where FileID = '" & strFileID & "';"
    mdb.Execute (strsql)

~~~
radicalbyte
Insert a line of code before that statement which validates that the variable
is an integer and you're sorted. As an added bonus, check that it's in range.

~~~
mirashii
Please don't. Use placeholders and the DB's prepared statements API
_everywhere_. Manual escaping and validation is a recipe for disaster.

~~~
radicalbyte
Absolutely - that is the desired end state.

In some languages migrating to the prepared statement API can be a
considerable amount of work and that takes a lot of time.

If the code is mainly made up of queries with an integer ID then you can make
the code safe using guards with a fraction of the effort meaning that your
software is stable faster. Then you can take your time rewriting your data
access layer to use the safe-by-design APIs.

I should have made that clear in my original post :)

BTW at some point you might need to get into escaping / validation to support
operations not supported by the safe APIs. If/when you encounter this it's a
massive red flag. Your system design should reflect that. It should be treated
like radioactive waste: be paranoid.
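The three approaches in this subthread side by side, as an added example that is not code from the thread or from any of the posters: the concatenation pattern from the Access snippet, the integer guard as a stop-gap, and bound parameters as the end state. It runs against an in-memory SQLite table whose name mirrors that snippet; the sample rows, the `MAX_FILE_ID` limit and the hostile id string are all constructed here.

```python
import re
import sqlite3

# Constructed sample data; the table name mirrors the Access snippet upthread.
SAMPLE_ROWS = [(1, "PO-100.pdf"), (2, "PO-200.pdf"), (3, "PO-300.pdf")]
MAX_FILE_ID = 999_999_999  # assumed business limit for the range check


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the Access database, populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TbfFileManagementSystem (FileID INTEGER, FileName TEXT)")
    conn.executemany("INSERT INTO TbfFileManagementSystem VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def rename_concat(conn, file_id: str, old: str, new: str) -> int:
    """The pattern quoted upthread: user input pasted into the SQL text.
    Deliberately vulnerable. Returns the number of rows the UPDATE touched."""
    sql = ("UPDATE TbfFileManagementSystem SET FileName = replace(FileName, '"
           + old + "', '" + new + "') WHERE FileID = '" + file_id + "'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def is_safe_id(value) -> bool:
    """The stop-gap guard: the id must be a plain decimal integer within the
    expected range before it is allowed anywhere near query text."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,9}", value):
        return False
    return 1 <= int(value) <= MAX_FILE_ID


def rename_guarded(conn, file_id: str, old: str, new: str) -> int:
    """Integer guard on the id, the only value this query still interpolates.
    The string arguments are bound as parameters, because a guard cannot make
    free text safe to concatenate; only the integer case is cheap to secure."""
    if not is_safe_id(file_id):
        raise ValueError(f"rejected FileID {file_id!r}")
    sql = ("UPDATE TbfFileManagementSystem SET FileName = replace(FileName, ?, ?) "
           f"WHERE FileID = {int(file_id)}")
    cur = conn.execute(sql, (old, new))
    conn.commit()
    return cur.rowcount


def rename_param(conn, file_id: str, old: str, new: str) -> int:
    """The desired end state: every value travels as a bound parameter, so the
    database never parses user input as SQL."""
    sql = ("UPDATE TbfFileManagementSystem SET FileName = replace(FileName, ?, ?) "
           "WHERE FileID = ?")
    cur = conn.execute(sql, (old, new, file_id))
    conn.commit()
    return cur.rowcount


def demo() -> dict:
    """Run each variant against a fresh table with a hostile id. Returns the
    number of rows each one touched (-1 means the guard rejected the input)."""
    hostile_id = "1' OR '1'='1"  # constructed input: closes the quote, widens the WHERE
    results = {}
    results["concat"] = rename_concat(make_db(), hostile_id, "PO-", "X-")
    try:
        results["guarded"] = rename_guarded(make_db(), hostile_id, "PO-", "X-")
    except ValueError:
        results["guarded"] = -1
    results["param"] = rename_param(make_db(), hostile_id, "PO-", "X-")
    return results


if __name__ == "__main__":
    print(demo())  # {'concat': 3, 'guarded': -1, 'param': 0}
```

The concatenated version lets one hostile field rewrite every row; the guard refuses it before the query is built, and the parameterised version hands the same string to the engine as a literal, where it matches nothing. Note that `rename_guarded` still binds the two string arguments: the guard only buys safety for the integer, which is exactly the scope described above.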

------
toomanybeersies
My friends and I had a lot of fun hacking into our school IT systems in high
school. We took security as a challenge, not as a warning.

At various points, we had a shared file server for sharing movies and music
for the whole school, bypassed the proxy (which also gave us a vastly improved
connection speed), had Unreal Tournament 99 on the computers (this was ~2010,
but it was one of the only games that would play well), we figured out how to
send messages to all computers (using Novell Zenworks or something), and
eventually a few of us just had full root access to the entire system. We also
had lots of fun with fork bombs, setting people's desktops to porn (we weren't
meant to be able to change our desktop but there were workarounds), and the
occasional broadcast storm.

If only we had known about bitcoin at the time, we'd have become rich running
a mining network on the school computers.

Luckily, our school had a very relaxed attitude to our shenanigans. We
generally avoided doing anything actively harmful and we also got a few free
passes by helping the IT staff when they had problems (they were useless at
their job).

~~~
hermitdev
When I was in junior high, circa mid 90s, I had full control of my school's
network. Was Novell Netware based, DOS only. Menu was meant to restrict what
apps we could run to only those in the menu. Found an "exploit" in WordPerfect
in that you could launch WP, hit a function key to launch a limited command
prompt, but on exiting WP, it would crash, returning to a full command prompt.
Being basically DOS 6.x, there were no further permissions at that point. I was
friendly with the IT admin, so I always let him know when I stumbled into
something (I also had about a half dozen admin accounts hidden). I had the
ability to change grades, impersonate teachers and send messages as a teacher,
but never abused my access. I did get suspended for a week after a network
crash (likely caused by a failed disk) that I had nothing to do with.

My parents asked me point blank if I'd done it and if I knew how to do it, to
which I honestly replied no to both. That was when I got my first C++ book. My
parents were like "if you got suspended for something you didn't do, you're
sure as fuck going to learn how to do it."

~~~
pixl97
Heh, this sounds like my high school experience.

Many teachers left the default password on their accounts. Was messing in the
interface that I didn't understand very much and sent a broadcast message to
the entire network. One by one they started beeping and displaying a blank
message notification across all the computer labs in the school. Luckily I had
some opsec at that age and didn't do it on the workstation I was assigned to.
Logged out and quickly went back to my seat in the confusion that quickly
spread in our class.

Wasn't till 2 years later that I got in trouble and got kicked off the
computers for a month. For having a shareware game on the network. The network
admin said something to the effect of "We are pretty certain you have done a
lot of things far worse than this, but we can't pin any of them to you, so
this is what you get punished for", and well, he was right.

~~~
hermitdev
Yeah, I didn't start cracking passwords until I was in college - I didn't need
to. When in junior high, the IT admin would kick off a tape back up of the
network, and stay logged in. I'd wait until later, like 6pm-7pm and dial into
his computer (his computer had a connected modem that accepted inbound
connections with no username/password), do my thing, then restart the backup
before I was for the night, so he wouldn't notice in the morning. Never did
anything destructive, but I did have about 6 bogus accounts with full admin
access. Kept those accounts to myself, lest they got discovered. They never
did... He left around my freshman year of high school. Didn't trust his
replacement, so kept my lips shut about the access I had. Graduated with
nearly all of my accounts with admin access intact.

In college, had to crack some passwords. Turns out all of the lab computers,
the admin password of all NT lab PCs was a 5 character building abbreviation +
room number of where campus IT was based... I was expecting the crack to run
overnight on my then 500 MHz P3. The password was cracked before I could stand
up to go to dinner. Last cracked passwords on my old XP laptop, that I
couldn't remember the password to. Hard part is getting the unencrypted
password file (since I think Win2k, Windows encrypts the SAM file on disk and
exclusively locks the file while the OS is running), but if you can run
something with system authority, you can inject a dll and extract the
decrypted file. You still have to brute force the NTLM hashes after that, but
on modern hardware, takes just a few mins. Back in the NT 4 days, at least the
way our computers were configured, nonadmins had write permissions to
everything under c:\Windows. Easy way to get system? Replace the default
screen saver with a copy of cmd.exe, then log out and wait for the logon
screen saver to fire. Back in the day, screen savers ran as system. They don't
any longer.

On the NT 4 boxes, I was able to script everything. Pop in a bootable floppy
with the script and an NTFS driver, reboot, wait for the script to complete,
having copied the SAM file, then reboot again and back to normal. Walk back to
my dorm room, crack at will.

------
sergioj97
I had a similar experience being 13, but luckily for me it only involved my
own high school website and data. I found a blind SQL injection and got access
to the credentials of any user. I wasn't a particularly mature 13 y/o so I
started messing around.

My high school reported the incidents and I got caught in a few weeks. I almost
went to trial, my hard drive with my StarCraft II campaign almost finished was
confiscated (I haven't seen it again since that moment) and it was overall an
instructive episode. It didn't go any further because my parents had good
relations with the high school's direction and they withdrew the report as
soon as they knew it was me.

In the following years I kept in contact with the webmaster and I remember
feeling very encouraged to report any other flaw I could find to him. I found
a few more things over the years, but most importantly learned a lot.

Every time I read news like this I remember how grateful I felt when my
high school not only forgave me but also helped me keep learning. I believe it
can make a difference, and even more so when dealing with younger kids.

~~~
earthboundkid
Yeah, it’s cliche but for kids, the quote they “were so preoccupied with
whether or not they could, they didn’t stop to think if they should” really
applies. You’re smart enough to hack the system but not smart enough to know
that it’s a really bad idea.

------
vezycash
> Demirkapi passed on his findings to his school's IT department. However, it
> ended up being viewed by every school in his district and he was suspended
> from school for two days.

~~~
pknopf
Lesson learned.

Keep vulnerabilities to yourself.

~~~
colechristensen
Meh, anyone who knows anything would look very positively on a kid who had the
curiosity and ability to do that and suffered ridiculous consequences. The
suspension is a badge of honor, a great story, and generally a life long
benefit.

When I was in high school a few of us grabbed passwords from unencrypted
wifi/network protocols (maybe it was POP3 logins, I don't remember) and
"reported" it with some harmless website defacing, telling the admin (who was
a cool guy). Nothing happened and I don't think anyone ever even noticed.

~~~
busterarm
Funny,

I was nearly expelled from my high school for finding and immediately
reporting a vulnerability, without having actually exploited it. Also my story
is far too common. Most of the people in charge don't know anything!

Many of us in the industry who have been around the block a few times support
either selling your exploits or open disclosure. We have our reasons.

~~~
leeter
I had a friend that noticed some really nasty vulns in his college's software
(passwords in plaintext in the page, and the reset question and answer). I
coached him how to very carefully report them and he had some help from
family. But given that the uni takes federal funding he could have easily
landed a federal felony for just reporting, and all he did was do view source
on the page.

------
notacoward
I live in the town where this happened. A lot of us parents already hated the
software involved. On the other hand, it's not clear that alternatives would
fare any better. In my experience, software specific to non-technical orgs
like schools or doctors' offices is uniformly terrible not just in terms of
security but all over. I wouldn't be at all surprised if competitors' software
was even worse. Such is the state of the world.

~~~
_bxg1
Makes one wonder if there's a market opportunity

~~~
notacoward
There are many. Unfortunately both the domain-knowledge requirement and
switching costs are very high. It's hard for a newcomer to break in, and once
they have there's little incentive to keep updating the product. The result is
a succession of companies and products that were probably fine for the time
when they were introduced, but quickly seem dated as the rest of the industry
evolves.

The other alternative is open source. Lower the initial cost of entry,
amortize the cost of maintaining and enhancing core components, and let
vendors compete on the basis of what they can offer on top of that.
Unfortunately, this approach yields much lower margins than what "vertical"
software vendors are used to, so they'll fight any such thing tooth and nail.
That gets us into the domain of trusts, cartels, and regulatory capture. The
business factors preclude technical solutions, and users pay the price. :(

~~~
dole
Keeping up annually with federal and individual state education reporting
regulations is a severe PitA. The Texas Board of Ed itself is a monster of a
bureaucracy compared to some other states.

------
waterhouse
Blackboard. Ha ha ha. Blackboard.

When I was in school, there was a vulnerability where you could reach courses
that you didn't belong to, simply by changing the id in the URL. A couple of
students got punished (banned from school computers for months) for exploiting
this (to leave a message on said courses). As of a year later, the
vulnerability was still not fixed (although the messaging infrastructure was
disabled).

~~~
na85
Heh. When I was in school (maybe dating myself here), there was a blanket
prohibition on accessing "DOS Screens" because the total morons that ran the
school's IT department couldn't lock it down and someone sent a bunch of popup
messages to the entire campus using _net send_.

~~~
wlesieutre
A friend of mine got hassled in the high school computer lab for being in
cpanel for his personal website. Apparently it looked scary.

Security on the old Macs was hilarious though - the student user accounts had
a limited set of applications they were allowed to launch, but it was only
enforced via Finder checking when you double clicked it.

There were so many other ways to launch things. Custom buttons in AppleWorks
toolbars, AppleScript, dragging it into Safari and then opening it from the
downloads manager, and setting the creator code to match any application you
had permission for were convenient options.

Don't have access to run Script Editor? That's ok, type applescript: into
Safari's URL bar and it'll pop right up.

------
brokentone
That correlation is very frustrating -- people should take this more
seriously, but those who discover things are punished... should be pretty
obvious why security is the way it is, right?

------
gjsman-1000
True story: I inadvertently hacked the Smart TVs at my college once. They are
typically always showing announcements, and they let student clubs post
messages with the approval of Student Life.

Well, after a software update, nobody noticed that the permissions system for
the TV was disabled. So I come along, a few weeks/months/? later and make an
ad for Math Club, and it went live immediately. No Student Life approval.

Of course, this isn't a glamorous bug. Briefly thought, "Man, if I was a bad
guy, I'd totally post some really _shocking_ material." I wasn't a bad guy
though, told Student Life, and they fixed it.

EDIT: There is a shared account detailed in the Club manual on how to create a
TV ad (for context).

------
smarks
An article with more details is here:

[https://www.vice.com/en_us/article/59nzjz/teen-security-researcher-bill-demirkapi-suspended-for-exposing-vulnerabilities](https://www.vice.com/en_us/article/59nzjz/teen-security-researcher-bill-demirkapi-suspended-for-exposing-vulnerabilities)

This article has more details about the reasons Demirkapi was suspended.
Apparently he first tried to contact Follett (the software maker) directly,
but they ignored him. He then tried to use the software itself to send a
message to Follett, but the message was instead broadcast to a large number of
parents, teachers, and administrators across the district. This does seem
pretty irresponsible, and Demirkapi said he understood the reason for his
suspension.

Thus, this doesn't seem like the usual "person reports vulnerability and is
punished for it" story.

Of course the ultimate responsibility lies with the software makers who have
these vulnerabilities in their software and who don't respond when someone
reports them.

------
ch_123
I'm genuinely surprised this didn't result in his expulsion, knowing how these
kinds of stories usually go down.

~~~
lucb1e
I think your "usually" is heavily biased by media stories, which of course
report only the exceptional, otherwise it wouldn't be news.

I've reported vulns in school before and got an unexpected bug bounty. I also
abused vulns to put games on a school server when I was younger and that time
I got a firm talking to. I also know someone and their friend who were around
18 at the time and stole a teacher's password (don't remember how, but nothing
clever) and changed some grades of theirs. They were indeed suspended.

------
dawnerd
This was the case when I was in school too. (Geez, it's been that long
already?!).

I bet most schools are in a similar situation. Lack of a proper budget,
cheaply made software sold by shady vendors, IT staff that isn't properly
trained, etc.

------
dbg31415
This kid seems a lot more responsible than I was when I was in high school.

Talking about manipulating the URL parameters... yeah, I used that trick to
apply discount codes way back in the day. The web form wouldn't accept them,
but if you bolted them on to the URL after that step in the checkout process,
they'd blindly get applied to your cart anyway. Found one for like 95% off a
CD, and used it on a laptop at BestBuy. 15 year-old me thought he was really
smart, but mostly he was just a vandal and a thief.

Best line:

> "Don't fall for marketing. Just because (vendors) say they take care of data
> doesn't mean they do."

------
jsvcycling
A good friend of mine got suspended for a semester after he found a pretty
trivial flaw in his university's password reset form that would ultimately
allow him to reset the password of anyone who had an account on the school's
network including faculty and administrators. IT discovered him, locked him
out of the network before he was able to report it, and threatened to take
legal action. From what I've heard, they never fully fixed it. He went to a
technology university mind you.

~~~
Kirby64
I found a blind SQL injection in my university course management system.
Probably could have dropped the entire campus course list... but I didn't try.
Found it at ~2-3AM, and so figured I'd bother IT in the morning. Woke up to a
locked account and a message from the dean of students to pay him a visit.

I got off with some stupid fine and my online access being locked for 30 days.
Was pretty annoying though, because they counted the 30 days only during when
school was in semester. I happened to be doing this the final day of the
semester... so that 30 days ended up being a lot longer.

------
kccqzy
I found the same thing in high school. Except that I didn't tell anyone, and
it was fixed after a few months. I guess someone was looking at request logs
after all.

------
iMage
As a current high school student I know that my school's software has similar
weaknesses. I talked to our IT "department" (we only have one active person
that I know of) and he said the district does not really have anywhere to
bring up the issue.

------
BiTSHiFT91
My school (biggest school in Germany at the time) had VNC Server running on
all PCs, so the teachers could check what their students were doing. Sure
enough they used the same password on every single PC in the whole school. Fun
times.

------
LibTigh12
For a 17 year old, that is brilliant. But he has to look after himself because
obesity problems create bigger problems. You can not spend so much time in
front of a computer. Take a walk. Do some sports. You can be a good hacker
too. Peace man. [https://www.wired.com/story/teen-hacker-school-software-blackboard-follett/](https://www.wired.com/story/teen-hacker-school-software-blackboard-follett/)

------
imagetic
This was the case for Blackboard in 2006. I see they haven't improved at all.

------
davrosthedalek
Bobby Tables, please report! [https://xkcd.com/327/](https://xkcd.com/327/)

