How to Exploit a University WeChat Mini‑Program and Student Information System

This article details step‑by‑step packet‑capture techniques using Fiddler, Burp and Clash, Google‑hacking for credentials, and then demonstrates extracting and abusing sensitive student data from a university WeChat mini‑program and its backend information system, including enumeration, XSS and data modification.

Black & White Path

Mini‑Program Capture Methods

Three proxy-based approaches are described for capturing traffic from a WeChat mini-program on a Windows host.

Fiddler: direct capture. The method is mentioned but not demonstrated.

Burp Suite as the system proxy: set the operating system's proxy (Windows → Network & Internet → Proxy → Manual) to the IP address and port of Burp's proxy listener, then start Burp so that it listens on that same address. Any application that honours the system proxy setting now sends its HTTP(S) traffic through Burp; Burp's CA certificate has to be trusted by the Windows certificate store, otherwise the client rejects the intercepted TLS connections with a certificate error.

Clash for Windows in global mode: after installation, accept the default configuration, which sets the proxy port to 7890 (it can be changed). Enable Global mode in the Clash UI so that all traffic Clash receives is sent to the selected proxy, and make that proxy Burp. Two programs cannot bind the same IP and port, so Burp cannot literally listen on 7890 while Clash holds it; in practice Burp listens on its own port (8080 by default) and Clash is given an HTTP proxy node pointing at that listener (for example type http, server 127.0.0.1, port 8080) as the selected proxy, so everything Clash relays in global mode passes through Burp. This gives seamless capture of the mini-program's traffic.

Figure: Clash configuration

Information Gathering

Google-hacking syntax is used to locate Excel files on the university domain that contain student numbers and national ID numbers. The quoted terms are 身份证 (ID-card number) and 学号 (student number), e.g.:

site:xxx.edu.cn "身份证" "学号" filetype:xls

Spreadsheets returned by the query pair each student number with that student's ID number. Since the systems described below authenticate with exactly those two values, the search results are reusable login credentials.

Mini‑Program Exploitation

The university's public WeChat account is found via WeChat search and leads to the "Smart Apartment" mini-program. Authentication uses the harvested student number together with the last six digits of the ID number. Both values appear in the publicly indexed spreadsheets, so the login is effectively a public credential.

After logging in, traffic is captured while navigating to the “Accommodation Information” page. The captured request contains a JSON packet with fields not displayed in the UI, revealing sensitive student data.

Iterating the personsn parameter in that request retrieves records for every student from the 2018 to 2023 intakes: the server looks up whatever identifier the client supplies instead of binding the lookup to the logged-in session (an insecure direct object reference). The same technique works on the "Repair Request" endpoint, which returns analogous packets.

Figure: sensitive data packet

Student Information System Exploitation

Access to the backend student information system uses the same credentials (student number / last six digits of the ID number). After login, the "Income Query" page is opened and its request captured. The request carries a StudentNo parameter set to the logged-in student's number, and the response returns a large amount of that student's personal data.

Modifying StudentNo to other values enumerates the full set of student records, exposing payment details and electronic receipts; the server again trusts the client-supplied identifier rather than the session. Changing the URL parameters of the receipt download in the same way allows other students' electronic payment tickets to be downloaded.
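The enumeration on the mini-program (personsn on the Accommodation Information and Repair Request endpoints) and on the information system (StudentNo on the Income Query page and the receipt download) is one and the same bug: the handler selects the record by whatever identifier the client sends instead of binding the lookup to the authenticated session. The Python below, added here as an example and not code from the article or from the university's systems, shows that pattern as a vulnerable handler beside a hardened one and replays the iteration attack against both. The in-memory student table, its field names, the student-number format (intake year plus a three-digit serial) and the Session object are all constructed for illustration.

```python
"""Added example (not from the original article): the object-reference flaw
behind the personsn / StudentNo parameters. Everything below is constructed:
the student table, its fields and the student-number format are illustrative
and are not the university's real schema."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed sample data keyed by student number (intake year + 3-digit serial).
STUDENTS: Dict[str, Dict[str, str]] = {
    "2018001": {"name": "Student A", "id_no": "110101199901011234", "dorm": "3-201"},
    "2019003": {"name": "Student B", "id_no": "110101200002022345", "dorm": "3-202"},
    "2021002": {"name": "Student C", "id_no": "110101200103033456", "dorm": "5-101"},
    "2023005": {"name": "Student D", "id_no": "110101200504044567", "dorm": "7-310"},
}


@dataclass
class Session:
    """What the server knows after login: only the principal's own student number."""
    student_no: str


Handler = Callable[[Session, Dict[str, str]], Tuple[int, Optional[Dict[str, str]]]]


def accommodation_vulnerable(session: Session, params: Dict[str, str]):
    """Vulnerable: the record is selected by the client-supplied identifier
    (mirrors personsn / StudentNo), so any valid number returns any student."""
    target = params.get("personsn", session.student_no)
    rec = STUDENTS.get(target)
    if rec is None:
        return 404, None
    return 200, dict(rec)  # full row, including fields the UI never shows


def accommodation_hardened(session: Session, params: Dict[str, str]):
    """Hardened: the lookup is bound to the session; a foreign identifier is
    refused, and only the fields the page actually displays are returned."""
    requested = params.get("personsn")
    if requested is not None and requested != session.student_no:
        return 403, None
    rec = STUDENTS.get(session.student_no)
    if rec is None:
        return 404, None
    return 200, {"name": rec["name"], "dorm": rec["dorm"]}


def candidate_student_numbers(years: Iterable[int], per_year: int):
    """Guessable identifier space: intake year followed by a serial (constructed format)."""
    return [f"{year}{serial:03d}" for year in years for serial in range(1, per_year + 1)]


def enumerate_records(handler: Handler, session: Session, candidates: Iterable[str]):
    """Replays the attack from the article: iterate the identifier, keep every 200."""
    found = {}
    for sn in candidates:
        status, rec = handler(session, {"personsn": sn})
        if status == 200:
            found[sn] = rec
    return found


if __name__ == "__main__":
    me = Session("2018001")
    ids = candidate_student_numbers(range(2018, 2024), 5)
    print("vulnerable:", sorted(enumerate_records(accommodation_vulnerable, me, ids)))
    print("hardened:  ", sorted(enumerate_records(accommodation_hardened, me, ids)))
```

Run against the vulnerable handler, a single low-privilege session recovers every row in the table, ID numbers included; against the hardened handler it gets back only its own record, trimmed to the displayed fields. Where an endpoint legitimately has to accept an identifier (a staff view, say), the check in the hardened handler becomes an authorization decision on the session's role rather than a string comparison, but the identifier is never the sole selector.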

The "My" section has an XSS filter that blocks <a> and <script> tags but permits every other tag. Injecting the payload <img src=x onerror=alert(1)> into a field in that section triggers a popup, demonstrating stored XSS. A tag blocklist is not a sufficient control, because any other element carrying an event-handler attribute bypasses it; the fix is context-aware output encoding at render time, or an allowlist sanitizer if rich text is genuinely required. The same endpoint also allows student information to be modified without any further authentication check.

Figure: XSS payload
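The <img> bypass works because the filter is a tag blocklist: it removes the two tag names the developer thought of and lets every other tag, and every event-handler attribute, through. The Python below, added here as an example (not the article's or the system's code), reconstructs such a filter, shows the quoted payload passing it unchanged, and contrasts it with output encoding for the HTML text context. The profile template and the nickname field are constructed stand-ins for the "My" section.

```python
"""Added example (not from the original article): a tag blocklist like the
one described (<a> and <script> removed, everything else kept) beside proper
output encoding. The 'nickname' field and the template are constructed."""
import html
import re

# The payload quoted in the article.
PAYLOAD = "<img src=x onerror=alert(1)>"

# Reconstructed blocklist: strip opening/closing <a ...> and <script ...> tags,
# case-insensitively. Any other tag name is left alone.
_BLOCKED_TAG = re.compile(r"</?\s*(?:a|script)\b[^>]*>", re.IGNORECASE)


def blocklist_filter(value: str) -> str:
    """The filter as described: only <a> and <script> are removed."""
    return _BLOCKED_TAG.sub("", value)


def render_profile_vulnerable(nickname: str) -> str:
    """Stored value is interpolated into HTML after the blocklist only."""
    return f'<div class="nickname">{blocklist_filter(nickname)}</div>'


def render_profile_hardened(nickname: str) -> str:
    """Encode for the HTML text context at output time; no tag survives."""
    return f'<div class="nickname">{html.escape(nickname, quote=True)}</div>'


# Crude marker used only to compare the two renderings: an element with an
# on* event-handler attribute, or a script tag, still present in the output.
_ACTIVE_MARKUP = re.compile(r"<[^>]*\son\w+\s*=|<\s*script\b", re.IGNORECASE)


def executes_script(rendered: str) -> bool:
    """True if the rendered HTML still carries markup a browser would execute."""
    return _ACTIVE_MARKUP.search(rendered) is not None


if __name__ == "__main__":
    for name, render in (("blocklist", render_profile_vulnerable),
                         ("escaped", render_profile_hardened)):
        out = render(PAYLOAD)
        print(f"{name:10s} executes={executes_script(out)} {out}")
```

The blocklist version strips <script> and <a> as advertised and still emits the <img> intact, and any other tag with an event handler (an <svg onload=...>, for instance) gets through the same way. The escaped version turns the angle brackets into entities, so the stored value is displayed literally whatever tag name it uses; the encoding must match the context (attribute, URL, JavaScript) the value lands in, which a template engine with auto-escaping handles for the common HTML text case.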

Testing confirms the ability to extract all students’ sensitive data, enumerate records via parameter manipulation, execute stored XSS, and modify student information without additional authentication.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: WeChat Mini Program, Vulnerability Exploitation, Burp Suite, Google Hacking, Clash, Student Data Leakage
Written by Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
