This is my first article, so please forgive me if I made any mistakes. 🙏

Sorry, I forgot to introduce myself. My name is Sondip Day Shuvo, and I am a BSc in Computer Science and Engineering (CSE) student from Bangladesh.

Let's start.

I was searching for new things on Exploit-DB, but I couldn't find anything interesting. At that time, I found some Google Docs that helped me search websites more efficiently.

Like: site, inurl, etc.

At that time, I discovered the website of an Indian government university. They did not have a direct login page, but when I fuzzed the website using a fuzzing tool, it revealed several hidden URLs.

When I discovered the admin login panel, I first attempted to log in using a normal username and password, but it didn't work. Then I tried several SQL injection techniques, but they also failed. After modifying the input slightly, it finally worked.

' 1=1#

' 1=1 --

After that, I gained administrative access and was able to modify or remove information on the website. The system contained data for about 72,560 students, and I could view sensitive information such as Aadhaar numbers (national ID), names, university forms, and phone numbers.

I also discovered an XSS vulnerability on their website. Later, I contacted their community and informed them that their website had several security vulnerabilities. I explained that these issues could allow someone to modify website data, and I recommended that they fix the bugs.

After a while, the vulnerabilities were resolved, although the community never reached out to me. That was fine, as the website and student data were now secure. 😃
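A login form that accepts a quote followed by a comment marker, as described above, is one that builds its SQL string out of form input. As an added example (not code from the site or from this article), this Python/sqlite3 code puts a concatenated login query beside a parameterized one; the table, account and test inputs are constructed, and SQLite is assumed, which uses `--` for comments.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-salt"  # constructed demo value; use a random per-user salt in practice

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db():
    """In-memory database holding one constructed admin account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO admins VALUES (?, ?)",
               ("admin", pw_hash("constructed-secret")))
    return db

def login_vulnerable(db, username, password):
    """Concatenation: the username becomes part of the SQL text itself."""
    sql = ("SELECT username FROM admins WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    try:
        return "granted" if db.execute(sql).fetchone() else "denied"
    except sqlite3.OperationalError:
        # A syntax error means user input reached the SQL parser.
        return "sql-error"

def login_parameterized(db, username, password):
    """Placeholder: the username is bound as data, so quotes and comment
    markers are inert. The hash is compared outside SQL in constant time."""
    row = db.execute("SELECT pw_hash FROM admins WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return "denied"
    return "granted" if hmac.compare_digest(row[0], pw_hash(password)) else "denied"

# Constructed inputs: the form quoted in the article, and a variant that parses.
INPUTS = ["' 1=1 --", "' OR 1=1 --"]

if __name__ == "__main__":
    db = make_db()
    for name in INPUTS:
        print(repr(name), login_vulnerable(db, name, "x"),
              login_parameterized(db, name, "x"))
```

A SQL error returned for a login attempt is itself worth alerting on, since it shows that form input is being parsed as SQL.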