SQL Injection in rog.asus.com
🔎 Introduction & Background
To get started, I'll give a bit of backstory behind this. I found this bug back in January of 2017 and was one of the first reports I made to a company. I was bored back in January so I decided to hunt for bugs in *.asus.com. After about an hour I came across rog.asus.com and I noticed that it also had a forum on it. It was running vBulletin 4.2.3. I did a bit of research and found that forumrunner, a core module enabled by default, was vulnerable to SQL Injection in this version.
😕 What is ForumRunner?
Forum Runner is a vBulletin, XenForo, myBB, and phpBB forum add-on that allows your users to access your forum at blazing fast speeds by using a native application installed on their mobile phone
How is it vulnerable?
vBulletin's code standards use clean_gpc() and clean_array_gpc() functions to sanitize input data, so PHP superglobal arrays are not accessed directly. I would use the word "sanitize" very loosely here, as this vulnerability has just proven that these sanitizing functions are simply not enough.
So it all comes down to /forumrunner/includes/moderation.php
function do_get_spam_data() {
global $vbulletin, $db, $vbphrase;
$vbulletin->input->clean_array_gpc('r', array(
'threadid' => TYPE_STRING,
'postids' => TYPE_STRING,
));
------ snip ------
} else if ($vbulletin->GPC['postids'] != ") {
$postids = $vbulletin->GPC['postids'];
$posts = $db->query_read_slave("
SELECT post.postid, post.threadid, post.visible, post.title, post.userid,
thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid
FROM " . TABLE_PREFIX . "post AS post
LEFT JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid)
WHERE postid IN ($postids)
");So both postids and threadid are filtered as a TYPE_STRING, placed into an array ($vbulletin->GPC), and then added to the database. TYPE_STRING filtered variables are not protected from SQL Injection.
This is makes the forumrunner module vulnerable to both MySQL boolean-based blind and time-based blind injection.
😋 Exploitation
So I checked if ASUS had applied the patch by visiting:
https://rog.asus.com/forum/forumrunner/request.php?d=1&cmd=get_spam_data&postids=1' and an SQL error was thrown! I threw it into SQLMAP as one does (I suck at manual exploitation of SQL Injection, mainly because I haven't ever gotten past getting some basic info from UNION ALL SELECT), however there was a WAF in place so I couldn't extract any data whatsoever.
I went to censys.io and searched 'Republic of Gamers' and quickly found the backend IP of the server, in hopes that this would bypass the WAF.
I ran:
sqlmap -u "http://103.10.4.162/forum/forumrunner/request.php?d=1&cmd=get_spam_data&postids=1*" --random-agent -threads=10 --level 5 --dbsand it listed out all of the databases on the site! I had successfully bypassed the WAF. I reported it and they patched it within 2 days. Sadly they didn't have any sort of bounty, but it was still fun!
References
- https://enumerated.wordpress.com/2016/07/11/1/
- http://blog.securelayer7.net/vbulletin-sql-injection-exploit-cve-2016-6195/
Thanks for reading,
Corben Leo