How I Hacked Database Of AU Optronics (Chinese Company) | Full POC

My Introduction just to increase my popularity to be Open-Minded — How I hacked full databases of AUO Optronics

My name is Chirag Artani & I’m the CEO of 3rag, Keepitbro & many more popular websites (that are hidden). The other skills I’ve learned is ethical hacking, so let’s know How & when.

When I was 13 years old, It is about 2012, so I tried to do something with Facebook (using keypad mobile) then I started research on Facebook tips & tricks suddenly I got a website, which was boosting Facebook likes for free (auto liker). So I understand that it’s possible to hack any website no matter that is Facebook or what. Auto liker is not hacking but that’s a big thing kind of data exchanging. Here fact is how I started taking interest into ethical hacking

So let’s start,

Proof of concept for AU Optronics Database Hacking

I’ve signed an agreement with AU Optronics for not sharing exact database, anywhere. So I’m adding here all possible pictures of the POC (Proof Of Concept) step by step.

The vulnerability was SQL Injection, Definition & normal meaning of SQL injection -

SQL Injection is a critical vulnerability for any server, It allow’s us to see all possible databases, their tables & columns with overall details of the server.

Step 1. Scanning Subdomains Of Au Optronics Using Sublist3r

Sublist3r is the free tool for finding subdomains of the server, mostly vulnerabilities are found in subdomains so always focus on subdomains of big websites.

I found 119 subdomains, almost was unavailable or not working.

I found Windows server in this subdomain, so I thought to research on it using very simple google dork with “site: https://gms.auo.com” (sorry I can’t share the exact affected URL)

I got a link which was affected by SQL Injection vulnerability, so I started injecting the databases using SQLmap.

Here is the SQL Injection vulnerability

Now adding %27 or ‘ in the URL

The apostrophe or single quote (‘), is a special character in SQL (Structured Query Language) that specifies the beginning and end of string data for an example: “website.com/content.php/?id=4’” which, if unexpectedly entered into an SQL query, could allow the attacker to inject his own SQL to be interpreted by the server.

Got Error In Database

Mostly SQL error are found in PHP sites because almost PHP based sites using MySql Or MariaDB to host data. But main thing big sites using MS SQL & MY SQL and that are based on Microsoft server known as ASPX.

Enumerating databases using SqlMap

Payload in the URL manually: ‘||(SELECT CHR(100)||CHR(104)||CHR(84)||CHR(90) FROM DUAL WHERE 2781=2781 AND 1822=CTXSYS.DRITHSX.SN(1822,(CHR(113)||CHR(112)||CHR(98)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (1822=1822) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(106)||CHR(120)||CHR(122)||CHR(113))))||’

10 Databases available

I have sign company policies to not public any data so, I can’t share here database names or any other details.

Tables & Columns Of AU Optronics Dump

For an example: tables of SYSTEM (DB)

As you can see 163 tables are available.

Final process columns & then DUMP data.

Here is the dump data:

That’s It!

For this vulnerability I got $300 only (I was expecting $1000 minimum) However It was my first bug bounty, so I’m happy for it.

I just want to tell, try something new every day because it works. I’m learning so many things together like: SEO (search engine optimization) & doing B’com as a private student. Overall it’s a good thing for earn some extra money & more than money it’s teaching us something, Which is probably valuable.

Note: Soon I will share one more POC of a united state government site, once they confirm the vulnerability

Thank You Very Much For Reading The Post, Sorry For My Poor English.