Vulnerability & Exploit Database


Invision IP.Board unserialize() PHP Code Execution

This module exploits a PHP unserialize() vulnerability in Invision IP.Board <= 3.3.4 that can be abused to allow unauthenticated users to execute arbitrary code in the context of the web server user. The dangerous unserialize() call exists in the '/admin/sources/base/core.php' script and is called with user-controlled data from the cookie. The exploit abuses the __destruct() method of the dbMain class to write arbitrary PHP code to a file in the Invision IP.Board web directory. The exploit has been tested successfully on Invision IP.Board 3.3.4.
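For detection, the relevant signal is a cookie whose value would make unserialize() instantiate an object. The following is an added defensive example, not code from the module or from IP.Board: it walks the PHP serialization format without instantiating anything and reports the class names found in each cookie. The function names, the cookie names and the sample header are constructed for illustration, and tolerating a '+' before a length is an assumption made so that a signed length is still flagged.

```python
import re
from urllib.parse import unquote_to_bytes

SCALAR = re.compile(rb'N;|[bidrR]:[^;{}"]*;')
COUNT = re.compile(rb'\+?(\d+):')  # assumption: tolerate a signed length and still flag it
OBJ_TOKEN = re.compile(rb'[OC]:\+?\d+:"')
SAMPLE = ('session_id=4f2a9c; prefs=a%3A1%3A%7Bs%3A4%3A%22lang%22%3Bs%3A2%3A%22en%22%3B%7D; '
          'note=s%3A12%3A%22O%3A1%3A%22x%22%3A0%3A%7B%7D%22%3B; '
          'ids=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D')  # constructed sample

def _expect(buf, pos, lit):
    if buf[pos:pos + len(lit)] != lit:
        raise ValueError(f'expected {lit!r} at offset {pos}')
    return pos + len(lit)

def _walk(buf, pos, found):  # step over one value at pos, recording object class names
    m = SCALAR.match(buf, pos)
    if m:
        return m.end()
    tag, m = buf[pos:pos + 2], COUNT.match(buf, pos + 2)
    if tag not in (b's:', b'a:', b'O:') or not m:  # C: values fall to the token scan
        raise ValueError(f'unparseable token at offset {pos}')
    n, pos = int(m.group(1)), m.end()
    if tag != b'a:':  # s and O carry n quoted bytes (string body or class name)
        text, pos = buf[pos + 1:pos + 1 + n], _expect(buf, _expect(buf, pos, b'"') + n, b'"')
        if tag == b's:':
            return _expect(buf, pos, b';')
        found.append(text.decode('latin-1'))
        if not (m := COUNT.match(buf, _expect(buf, pos, b':'))):
            raise ValueError(f'missing member count at offset {pos}')
        n, pos = int(m.group(1)), m.end()
    pos = _expect(buf, pos, b'{')
    for _ in range(2 * n):  # each entry is a key followed by a value
        pos = _walk(buf, pos, found)
    return _expect(buf, pos, b'}')

def flag_cookies(cookie_header):
    """Map cookie name -> class names for cookies carrying serialized objects."""
    flagged = {}
    for pair in cookie_header.split(';'):
        name, _, value = pair.strip().partition('=')
        raw, classes = unquote_to_bytes(value), []
        try:
            _walk(raw, 0, classes)
        except (ValueError, RecursionError):  # not cleanly serialized: token scan instead
            classes = ['<malformed>'] if OBJ_TOKEN.search(raw) else []
        if classes:
            flagged[name] = classes
    return flagged
```

In the sample, the `note` cookie is a plain string that merely contains object-like text, so the length-aware walk leaves it alone where a bare regular expression would raise a false positive; only `ids` is flagged.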

Module Name

exploit/unix/webapp/invision_pboard_unserialize_exec

Authors

  • EgiX
  • juan vazquez <juan.vazquez [at]>
  • sinn3r <sinn3r [at]>

Targets

  • Invision IP.Board 3.3.4

Platforms

  • php

Architectures

  • php

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/unix/webapp/invision_pboard_unserialize_exec
msf exploit(invision_pboard_unserialize_exec) > show targets
    ...targets...
msf exploit(invision_pboard_unserialize_exec) > set TARGET <target-id>
msf exploit(invision_pboard_unserialize_exec) > show options
    and set options...
msf exploit(invision_pboard_unserialize_exec) > exploit