How I Exploited Multiple Vulnerabilities in a University System

This article details a step‑by‑step penetration test on a university’s web platform, covering XSS file uploads, JWT tampering for arbitrary login, massive personal data leakage, SQL injection payloads, and the exposure of several AK/SK secrets, all with concrete screenshots and commands.

Black & White Path

Disclaimer

All vulnerabilities discussed have been patched; the techniques are presented solely for educational purposes.

XSS via unrestricted file upload

The file‑upload endpoint accepted any file type. The tester first uploaded a one‑line JSP webshell; because the uploads were stored in object storage (S3), which serves files rather than executing them, the shell could not run. The tester then uploaded an HTML file containing <script>alert(1)</script>. Opening the stored file triggered the alert, demonstrating that an S3 bucket serving uploads as HTML lets the browser render them, which can be abused for cross‑site scripting.

XSS upload demonstration

Arbitrary user login through JWT manipulation

The application used JWT for authentication and did not expose the signing key. After registering a normal account (credentials xxxxx/xxxxx) and logging in, the tester captured the JWT, replaced the username claim with admin, and sent the modified token to the /user/info endpoint. The endpoint returned super‑admin information and a new JWT, indicating that the backend accepted the modified claims without verifying the token’s signature. Substituting the forged token for the original JWT in the login response allowed a successful admin login and access to the backend interface.

JWT token tampering

Sensitive information leakage

An endpoint accepted a size parameter that controlled the number of records returned. By setting a large value, the tester retrieved over three thousand records containing usernames, ID numbers, and email addresses. The leaked usernames, combined with the forged JWT, enabled the arbitrary‑user‑login attack described above.

Sensitive data dump

SQL injection in search fields

Search inputs in the “User Management” and “Personnel Overview” pages were vulnerable. Injecting the payload “and if(user()='root@localhost',1,exp(999))='1” caused the database to raise an exception when the condition was false, confirming the injection point: when the current user matched root@localhost the query succeeded, otherwise the exp(999) expression overflowed and triggered an error.

SQL injection payload

Access key (AK/SK) leakage

Enumeration of configuration files exposed multiple credential pairs. Two distinct AK/SK sets were captured, followed by a secret ID and key for a facial‑recognition service. The leaked files are shown in the following screenshots.

First AK/SK pair
Second AK/SK pair
Facial‑recognition secret ID and key
Tags: SQL Injection, XSS, JWT, Penetration Testing, security research, information leakage
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
