0

A guy I know at college is claiming he can change his grades by gaining access to the database through an SQL inject, and can also gain access to all admin account privileges and records. The portal is accessed through outlook account and he did a pentest to prove it is vulnerable, ive attached the results.

I am new to coding so not sure whether to believe it, is it really possible? from what I believed, the only systems vulnerable to this would be the worst ones, configured by somebody who has never used the database software before, which is extremely unlikely for this college.

Are the pentest results real and should be concerned? Is it worth reporting to warn the college?

pentest results

Fevzi Kartal
  • 338
  • 1
  • 9
Per
  • 11

1 Answers1

3

Let's look at this carefully:

... gaining access to the database through an SQL inject ...
... the only systems vulnerable to this would be the worst ones, configured by somebody who has never used the database software before ...

Perhaps strangely, SQL Injection is not a Database issue, per se.
It's an Application coding issue.

Obviously, it affects databases (hugely) but there is very little you can actually do at the database level to protect against it. At the end of the day, pieces of SQL are given to the Database to run and, if the application "writing" that SQL does so "poorly", then the database is [made] vulnerable.

Obligatory XKCD Reference: Little Bobby Tables

... gain access to all admin account privileges and records.

Now that might be a Database issue - a permissions one.
The Application needs to have access to everything it works with so, having compromised the Application's SQL, they would have access to all of that data.
It's also possible that he might get access to more than that, but only if the security on the database objects themselves (tables, views and such like) has been done badly.

... he did a pentest to prove it is vulnerable ...

Pentests are only advisory. They don't prove that there's an active problem.

I am new to coding so not sure whether to believe it, is it really possible?

Possible? Yes.
Likely? Unknown. Depends on how well the Application was written. Proven? No.

Are the pentest results real ...

Yes.
The software versions identified are quite old and probably ought to be upgraded.

... and [I] should be concerned? Is it worth reporting to warn the college?

Of the pentest and its results? Probably not.
If anything, the college should be carrying out their own and should be well aware of the results and, therefore, their potential Risk.
Old software isn't necessarily "Bad"; it's just had more time for people to "poke holes" in it.

Of the [claimed] exploit to access the system? Absolutely, yes.
You don't say in which jurisdiction you are, but if this involves other peoples' data and you are anywhere that the General Data Protection Regulations (GDPR) apply then this would be a reportable Data Breach. Your college would be legally obliged to report this and the culprit could be facing criminal prosecution.

Phill W.
  • 9,889
  • 1
  • 12
  • 24