ASUS Responsible Disclosure – SQL Injection

My CCNA CyberOps scholarship has finally ended which means more time to fool around in the internet! Yey! So recently, I decided to pursue some bug hunting because it has been a while since my last “capture the flag” practice and am already forgetting how to use tools in Kali. This made me look for some popular sites and led me to visit asus.com.

After some information gathering, I came across the domain etrip.asus.com which then forwarded me to a Javascript file etrip.asus.com/eTrip/HO-js.js. Reading the script showed another file with a .jsp extension which had some parameters.

I first visited the link without any parameters as I didn’t really know what values are marked ‘correct’ in the system. After visiting, it just spitted out the source code which made me say “Wow! That shouldn’t happen!”.

Now the thing is, since there’s already a partial source code leakage, we can all see that the parameter “costcategory” held by the variable “idAccount” is not being sanitized properly. If the argument is “” (empty), it will just assign a value of “-1”. The problem is if the value is not empty considering the input should only be a number and not a string.

With these information, injecting SQL can happen and to simply prove it, adding a double quote character throws an error shown below:

Sorry to disappoint you guys but I didn’t dump their database to show the contents. A simple double quote character already proves that dumping was definitely possible. If you want more information on how to do it, just simply visit this page.

A report has been sent to security@asus.com last April 11, 2018 at around 17:22 and they replied the next day, April 12, 2018 at around 17:40.

Unfortunately, they don’t have a bug bounty program yet but it’s good that they have a team that accommodates security issues on their side.

This is basically my first hall of fame so I’ll update this page once it comes out at the end of the month! It actually went out just now which can be seen here! May 8, 2018!

Thanks for visiting my page!

5 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *