Vulnerable USA Colleges

Using the Google dorks listed below, I found 59 vulnerable colleges. I notified them all on 12-3-13. 15 colleges fixed some or all of the vulns; the others did nothing.

Much of the list is raw SQL exposed in the URL itself: the query text (select ... from, union select, and so on) is carried as a request parameter, so anyone can read it and edit it. That is a step past injection, and so basic it isn't even a named OWASP Top Ten category. You don't have to inject code; the code is already plainly visible in the URL.

Another spectacular vulnerability is 26: Montserrat College of Art, with a password exposed:

LINK -- PASSWORD

Here's an image of the injection, in case they ever fix it:

I notified them several times, and even got answers from someone there, but nothing was fixed.

Someone found that password hash in March, but no one seems to have cracked it yet:

Google search for hash

Summary of Colleges

SQLi Dorks Used

List of dorks: Here

Thanks to @0xAli for a helpful dork suggestion.

Googling for:

site:edu inurl:"union" inurl:"select" filetype:php
site:edu inurl:"union" inurl:"select" filetype:asp
site:edu inurl:"union" inurl:"select" filetype:aspx
site:edu inurl:"select" inurl:"from" filetype:aspx
site:edu inurl:"select" inurl:"from" filetype:asp
site:edu inurl:"select" inurl:"from" filetype:php
inurl:article.asp?ID inurl:edu
inurl:article.aspx?ID inurl:edu
inurl:".php?id=" inurl:edu
inurl:".php?q=" inurl:edu
inurl:".asp?item=" inurl:edu
inurl:".aspx?item=" inurl:edu
inurl:".php?item=" inurl:edu
inurl:".php?num=" inurl:edu
inurl:".php?num=" inurl:edu
inurl:".php?i=" inurl:edu
inurl:".php?studentid=" inurl:edu
inurl:".asp?studentid=" inurl:edu
inurl:".aspx?studentid=" inurl:edu
inurl:".aspx?facultyid=" inurl:edu
inurl:".asp?facultyid=" inurl:edu
inurl:".php?facultyid=" inurl:edu
inurl:".php?staffid=" inurl:edu
inurl:".asp?staffid=" inurl:edu
inurl:".aspx?staffid=" inurl:edu
inurl:".php?patientid=" inurl:edu
inurl:".php?classid=" inurl:edu
inurl:".asp?classid=" inurl:edu
inurl:".aspx?classid=" inurl:edu
inurl:".aspx?teacherid=" inurl:edu
inurl:".asp?teacherid=" inurl:edu
inurl:".php?teacherid=" inurl:edu
inurl:".php?pupilid=" inurl:edu
inurl:".php?sectionid=" inurl:edu
inurl:".asp?sectionid=" inurl:edu
inurl:edu "inurl:aspx?sectionid"

Vulnerable URLs

Many of these involve real live SQL injections, adding code to the page, or revealing data from the databases. I would not dare to experiment with such URLs myself, since creating them would be clearly illegal. However, I didn't create them--I found them this way on Google.

I don't know exactly how Google finds pages like these; perhaps they are posted in forums, or log files.
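What the "raw exposed SQL" entries and the ".php?id=" dorks are both looking for is a page that splices a request parameter into its query text. The following is an added example, not code from the original post or from any of the sites listed: it builds a throwaway SQLite database from constructed sample rows, shows how a spliced-in id lets a UNION query read a different table, and shows the parameterized form in which the same value is bound rather than parsed as SQL.

```python
import sqlite3

# Constructed sample data for a throwaway in-memory database; nothing here comes
# from any real site. The users row stands in for the kind of table an injected
# UNION query can reach once the id parameter is part of the query text.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO articles VALUES (1, 'Commencement schedule', 'Ceremony begins at 10:00.');
INSERT INTO articles VALUES (2, 'Library hours', 'Open until midnight during finals.');
INSERT INTO users VALUES (1, 'webmaster', 'constructed-hash-value');
"""


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def article_vulnerable(con, raw_id):
    """The shape behind the '.php?id=' dorks: the parameter becomes SQL text."""
    sql = "SELECT title, body FROM articles WHERE id = " + raw_id
    return con.execute(sql).fetchall()


def article_bound(con, raw_id):
    """Same query with the value bound; SQLite compares it, never parses it."""
    return con.execute(
        "SELECT title, body FROM articles WHERE id = ?", (raw_id,)
    ).fetchall()


def article_safe(con, raw_id):
    """Binding plus validation, which also gives a clean error for junk ids."""
    if not raw_id.isdigit():
        raise ValueError("article id must be a positive integer")
    return con.execute(
        "SELECT title, body FROM articles WHERE id = ?", (int(raw_id),)
    ).fetchall()


# A constructed attacker value of the kind the 'union' 'select' dorks search for.
PAYLOAD = "2 UNION ALL SELECT username, password_hash FROM users"

if __name__ == "__main__":
    con = build_db()
    print("normal:    ", article_vulnerable(con, "1"))
    print("vulnerable:", article_vulnerable(con, PAYLOAD))  # leaks the users row
    print("bound:     ", article_bound(con, PAYLOAD))       # no rows, no leak
    try:
        article_safe(con, PAYLOAD)
    except ValueError as err:
        print("safe:      ", err)
```

The bound form alone is what stops the injection; the isdigit check on top of it is there so a bad id fails loudly instead of silently returning nothing, and so the "Runtime Error" and "Syntax error" pages noted below never reach a client.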

1. Alcorn State U

LINK -- SSL error with SQLi behind it
news@alcorn.edu chinton@alcorn.edu security@alcorn.edu

2. Atlantic Cape Community College

LINK
LINK -- Injected Canadian Pharmacy stuff

strecken@atlantic.edu helpdesk@atlantic.edu security@atlantic.edu onlinehelp@atlantic.edu

3. Black Hills State U

LINK
Alumni@BHSU.edu admissions@bhsu.edu Cynthia.Rayso@bhsu.edu

4. Boston U

LINK -- FIXED, now just "Runtime Error"
security@bu.edu president@bu.edu provost@bu.edu pr@bu.edu

5. Brigham Young

LINK
vernon_heperi@byu.edu security@byu.edu deanofstudents@byu.edu academic_support@byu.edu police@byu.edu

6. Bucks County Community College

LINK -- FIXED 12-4
LINK -- FIXED 12-4
Produces strange huge page, not sure why
stephanie.shanblatt@bucks.edu andrew.lawlor@bucks.edu burakd@bucks.edu

7. California College of the Arts

LINK -- Raw exposed SQL
sbeal@cca.edu info@cca.edu security@cca.edu

8. Cleveland State U

LINK -- Raw exposed SQL

LINK

s.c.connor@csuohio.edu m.artbauer@csuohio.edu security@csuohio.edu

9. Colgate U

LINK
websupport@colgate.edu dmbarnes@colgate.edu security@colgate.edu

11. Eden Theological Seminary

LINK
dkrause@eden.edu dgreenhaw@eden.edu techsupport@eden.edu

12. Emory U

LINK
registr@emory.edu cscsc@emory.edu security@emory.edu news@emory.edu

13. Florida State U

LINK -- Raw exposed SQL
ealgoe@fsu.edu ebarron@fsu.edu emundt@admin.fsu.edu

14. Gordon State College

LINK -- RAW SQL

steve.wrigley@usg.edu Jim.James@usg.edu burns.newsome@usg.edu security@usg.edu

15. Harrisburg U

LINK -- RAW SQL

businessoffice@gordonstate.edu registrar@gordonstate.edu webmaster@gordonstate.edu mburns@gordonstate.edu

16. Harvard

LINK
LINK
LINK
president@harvard.edu abuse@harvard.edu security@harvard.edu ranna_farzan@harvard.edu scott_fields@harvard.edu

17. Indiana State U

LINK -- FIXED 12-4
president@indstate.edu karl.burgher@indstate.edu security@indstate.edu

18. Kalamazoo Valley Community College

LINK -- Raw exposed SQL - FIXED
safety@kvcc.edu it@kvcc.edu security@kvcc.edu

19. Kirkwood Community College

LINK -- Exposed SQL
it@kvcc.edu ask@kirkwood.edu melissa.jensen@kirkwood.edu
Page has been deleted! 8:12 pm 12-3-13

20. Lanier Technical College

LINK
rperren@laniertech.edu kminor@laniertech.edu

21. Louisiana State U

LINK
webmaster@lsu.edu alexander@lsu.edu security@lsu.edu

22. Loyola U of New Orleans

LINK -- Exposed SQL
helpdesk@loyno.edu admit@loyno.edu pres@loyno.edu security@loyno.edu

23. McKendree U

LINK
inquiry@mckendree.edu jdennis@mckendree.edu security@mckendree.edu

24. Mississippi State U

LINK
president@msstate.edu Nick.Wilson@msstate.edu security@msstate.edu

25. Montclair State U

LINK -- exposed SQL
servicedesk@mail.montclair.edu helpdesk@mail.montclair.edu msupolice@mail.montclair.edu askpresident@mail.montclair.edu security@mail.montclair.edu

26. Montserrat

LINK -- RAW SQL
LINK

LINK -- PASSWORD

Password exposed!
jbroderick@montserrat.edu registrar@montserrat.edu webmaster@montserrat.edu

27. North Central College

LINK -- Raw SQL -- FIXED
president@noctrl.edu webmaster@noctrl.edu security@noctrl.edu

28. Northern Illinois U

LINK -- Raw SQL

UnivInfo@niu.edu webcommunications@niu.edu security@niu.edu

29. Northwestern U

LINK -- Raw exposed SQL
webmaster@northwestern.edu nu-president@northwestern.edu security@northwestern.edu

30. Notre Dame

LINK -- Syntax error
LINK
LINK
security@nd.edu engineer@nd.edu provost@nd.edu president@nd.edu

31. Ohio State U

LINK
webmaster@lima.ohio-state.edu rose.9@osu.edu security@osu.edu

32. Oregon State U

LINK -- Exposed SQL
elizabeth.grubb@oregonstate.edu steve.clark@oregonstate.edu annie.athon@oregonstate.edu

33. Pulaski Tech

LINK
lparker@pulaskitech.edu tcarrigan@pulaskitech.edu security@pulaskitech.edu

34. Rochester Institute of Technology

LINK -- Exposed SQL -- FIXED
jhwbgt@rit.edu jahpro@rit.edu refuns@rit.edu hfwast@rit.edu

35. Scripps

LINK -- Exposed SQL
webmaster@scripps.edu abruner@scripps.edu security@scripps.edu

37. St Gregory's U

LINK
info@stgregorys.edu admissions@stgregorys.edu security@stgregorys.edu

38. Stevens Institute of Technology

LINK -- RAW SQL
hoberle@stevens.edu president@stevens.edu diana.colombo@stevens.edu security@stevens.edu

39. Technical College System of Georgia

LINK -- RAW SQL

LINK

bcockfield@tcsg.edu hbates@tcsg.edu gmathis@tcsg.edu

40. Texas A & M U

LINK -- Exposed raw SQL, downloads an XML file
helpdesk@tamu.edu submit@tamu.edu webmaster@tamu.edu

41. U of Alabama

LINK -- FIXED 12-4
president@ua.edu itsd@ua.edu security@ua.edu

42. U of Alaska

LINK -- Raw exposed SQL
nkspink@alaska.edu sylegal@alaska.edu ua.president@alaska.edu

43. U of Arkansas at Little Rock

LINK -- FIXED
webmaster@asbtdc.ualr.edu itservices-help@ualr.edu kmoliverio@ualr.edu chancellor@ualr.edu security@ualr.edu

44. U of Chicago

LINK -- Raw exposed SQL

LINK -- FIXED

infocenter@uchicago.edu security@uchicago.edu itservices@uchicago.edu i-gould@uchicago.edu

45. U of Connecticut

LINK
president@uconn.edu generalcounsel@uconn.edu david.bauman@uconn.edu

46. U of Georgia

LINK -- Very scary, it invites me to DELETE tables -- FIXED 12-4

LINK
Raw exposed SQL

jbeckley@uga.edu security@uga.edu abuse@uga.edu sebailey@uga.edu uc@uga.edu

47. U of Hawaii

LINK -- Raw exposed SQL

david.lassner@hawaii.edu donnaige@hawaii.edu nlja@hawaii.edu cbaitm@hawaii.edu

48. U of Illinois at Urbana-Champaign

LINK
InfoSource@uillinois.edu hardyt@uillinois.edu security@uillinois.edu

49. U of Maryland

LINK -- Raw exposed SQL

LINK -- Raw exposed SQL
jack@umbc.edu security@umbc.edu hrabowski@umbc.edu sparklin@umbc.edu

50. U of Maryland, Baltimore County

LINK -- Raw exposed SQL -- SERVER DOWN 12-9-13
hrabowski@umbc.edu mcdermot@umbc.edu gleason@umbc.edu security@umbc.edu

51. U of North Alabama

LINK
web@una.edu jrbritten@una.edu security@una.edu

52. U of North Carolina at Chapel Hill

LINK -- That injects a link to a Russian page via SQLi
uncinfo@unc.edu karen_moon@unc.edu chancellor@unc.edu security@unc.edu

53. U of South Carolina

LINK
schlenk@mailbox.sc.edu pastides@sc.edu security@sc.edu

54. U of Virginia

LINK
webmaster@virginia.edu md6e@virginia.edu nan9k@virginia.edu

55. U of Washington

LINK
pres@u.washington.edu provost@u.washington.edu security@u.washington.edu

56. UC Davis

LINK -- Raw exposed SQL
ietweb@ucdavis.edu chancellor@ucdavis.edu security@ucdavis.edu

57. UCLA

LINK -- RAW SQL
media@support.ucla.edu phampton@support.ucla.edu dtate@mednet.ucla.edu wyer@gseis.ucla.edu

59. Vanderbilt U

LINK
chancellor@vanderbilt.edu security@vanderbilt.edu

60. Virginia Tech

LINK -- Raw exposed SQL
LINK
LINK
security@vt.edu lperkins@vt.edu enelson@vt.edu gscales@vt.edu

61. Wabash College

LINK -- Raw exposed SQL
webmaster@wabash.edu computing@wabash.edu president@wabash.edu security@wabash.edu

62. Washington State U

LINK -- Raw SQL

LINK -- Raw exposed SQL

ccraver@co.whatcom.wa.us teward@cob.org PresidentsOffice@wsu.edu

63. Washington U in St. Louis

LINK
admissions@wustl.edu registrar@wustl.edu webteam@wustl.edu


Colleges notified on 12-3-13
Page published 12-22-13 by Sam Bowne