SQL injection in a Harvard subdomain

Hi. In this writeup, I will show you an SQLi that I found in Harvard and also, as a bonus, an XSS.

While looking through the subdomains of Harvard, I found this one interesting subdomain: https://schedule.med.harvard.edu/. I fuzzed the directory using ffuf and found this one interesting endpoint, availability.php.

Visiting that endpoint only gave me this.

So I fuzzed the parameters using Arjun and found an interesting parameter called users. I tried it again with the users parameter and saw this.

This is the same error message as before, so I guessed I only had to provide a year parameter. I did that and it worked.

Again, it's the same as before; I provided a month parameter and it worked.

It worked again, but now it's asking for a day parameter. I gave it one and it showed me this.

We can see that our input in the users parameter is reflected, so I tried to get an XSS. And it worked.

So we have an XSS. I quickly reported it and tried testing the other parameters. I tried adding ' in the day parameter and it gave me an SQL error.

So I have an SQL injection here. Since I suck at SQL injection, I just let sqlmap do the job for me, and sqlmap worked.

I dumped the tables. I didn't go any further and reported it to them.
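Added here as an illustration (not code from this post or from the Harvard site): a hypothetical PHP handler for an endpoint like availability.php with both defects described above, the day parameter concatenated into the SQL string and the users parameter echoed back unencoded, beside a hardened version that validates the date, binds every value, and encodes on output. The schedule table, its columns, and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added illustration, not the Harvard site's code. Table/column names are assumptions.

// Vulnerable pattern: GET parameters concatenated into SQL and echoed back raw.
function availabilityVulnerable(PDO $db, array $get): string
{
    $users = (string)($get['users'] ?? '');
    $date  = ($get['year'] ?? '') . '-' . ($get['month'] ?? '') . '-' . ($get['day'] ?? '');
    // A single quote in `day` closes the string literal: this is the SQLi from the writeup.
    $sql   = "SELECT user_name, avail_date, slot FROM schedule "
           . "WHERE user_name = '$users' AND avail_date = '$date'";
    $rows  = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    // `users` is reflected into HTML without encoding: this is the reflected XSS.
    return "<p>Availability for $users</p>" . json_encode($rows);
}

// Hardened pattern: validate the date, bind every value, encode on output.
function availabilityHardened(PDO $db, array $get): string
{
    $range = fn(int $lo, int $hi) => ['options' => ['min_range' => $lo, 'max_range' => $hi]];
    $year  = filter_var($get['year']  ?? null, FILTER_VALIDATE_INT, $range(2000, 2100));
    $month = filter_var($get['month'] ?? null, FILTER_VALIDATE_INT, $range(1, 12));
    $day   = filter_var($get['day']   ?? null, FILTER_VALIDATE_INT, $range(1, 31));
    $users = (string)($get['users'] ?? '');
    if ($year === false || $month === false || $day === false || !checkdate($month, $day, $year)) {
        return 'Invalid date'; // a real handler would also send HTTP 400 here
    }
    $date = sprintf('%04d-%02d-%02d', $year, $month, $day);
    // Prepared statement: input travels as bound parameters, never as SQL text, so "1'" cannot alter the query.
    $stmt = $db->prepare('SELECT user_name, avail_date, slot FROM schedule '
                       . 'WHERE user_name = :u AND avail_date = :d');
    $stmt->execute([':u' => $users, ':d' => $date]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // htmlspecialchars turns <script> into &lt;script&gt;, so the reflection renders as text.
    $safeUsers = htmlspecialchars($users, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Availability for $safeUsers</p>" . json_encode($rows);
}

// Demo against an in-memory SQLite database with constructed sample data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE schedule (user_name TEXT, avail_date TEXT, slot TEXT)');
$db->exec("INSERT INTO schedule VALUES ('alice', '2022-05-01', '09:00')");
$probe = ['users' => '<script>alert(1)</script>', 'year' => '2022', 'month' => '5', 'day' => "1'"];
try {
    echo availabilityVulnerable($db, $probe), PHP_EOL;
} catch (PDOException $e) {
    echo 'Vulnerable handler: SQL error leaked: ', $e->getMessage(), PHP_EOL;
}
echo availabilityHardened($db, $probe), PHP_EOL;
echo availabilityHardened($db, ['users' => 'alice', 'year' => '2022', 'month' => '5', 'day' => '1']), PHP_EOL;
```

The vulnerable handler throws a database error on the same single-quote probe the writeup used, while the hardened one rejects the malformed day before any query runs and encodes the users value when it is reflected.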

The SQLi got accepted but the XSS did not. Apparently, Harvard doesn't accept XSS, which sucks since I've reported a lot of XSS to them.

This is now fixed, so I decided to publish it. Visiting the subdomain will show this.

And visiting the endpoint https://schedule.med.harvard.edu/availability.php will throw a 404 error.

That's the end of the writeup, thanks for reading.

Brandon Roldan