module

MagnusBilling application unauthenticated Remote Command Execution.

Disclosed: 2023-06-26
Created: 2023-11-04

Description

A command injection vulnerability in MagnusBilling application 6.x and 7.x allows
remote attackers to run arbitrary commands via an unauthenticated HTTP request.
A piece of demonstration code is present in `lib/icepay/icepay.php`, with a call to exec().
The argument passed to exec() includes the GET parameter `democ`, which is controlled by the user and
not properly sanitised or escaped.
After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands.
The commands run with the privileges of the web server process, typically `www-data` or `asterisk`.
At a minimum, this allows an attacker to compromise the billing system and its database.

The following MagnusBilling applications are vulnerable:
- MagnusBilling application version 6 (all versions);
- MagnusBilling application up to version 7.x without commit 7af21ed620, which fixes this vulnerability.
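
For defenders, the description above translates directly into a log check: any request that reaches `lib/icepay/icepay.php` with a `democ` parameter deserves a look. The following is an added example, not code from the module or from MagnusBilling. It assumes web server access logs in Combined Log Format; the sample lines, the `/mbilling` URL prefix and the IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# File path and GET parameter named in the module description.
VULN_PATH = "lib/icepay/icepay.php"
VULN_PARAM = "democ"
# Characters a shell treats specially; finding one in the decoded parameter
# suggests an injection attempt rather than a stray request.
SHELL_META = set(";|&`$()<>\n\r")

# Combined Log Format: client IP first, then "METHOD target PROTOCOL" and status.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return (client_ip, status, severity) for a matching request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, target, status = m.group(1), m.group(2), int(m.group(3))
    parts = urlsplit(target)
    if not unquote(parts.path).lower().endswith(VULN_PATH):
        return None
    # parse_qs percent-decodes values, so encoded metacharacters are seen too.
    values = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM)
    if values is None:
        return None
    meta = any(SHELL_META & set(v) for v in values)
    return (ip, status, "high" if meta else "review")

def scan(lines):
    """Classify every log line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /mbilling/index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=a%3Bb HTTP/1.1" 200 0',
    '203.0.113.4 - - [01/Jan/2024:10:00:09 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=test HTTP/1.1" 200 0',
    '203.0.113.4 - - [01/Jan/2024:10:00:12 +0000] "GET /mbilling/lib/icepay/icepay.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The HTTP status code does not indicate whether a command ran, so a `high` hit should be followed up on the host itself, and the install should be checked against the fixed commit listed above.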

Authors

h00die-gr3y h00die.gr3y@gmail.com
Eldstal

Platform

Linux, PHP, Unix

Architectures

php, cmd, x64, x86

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
msf exploit(magnusbilling_unauth_rce_cve_2023_30258) > show targets
...targets...
msf exploit(magnusbilling_unauth_rce_cve_2023_30258) > set TARGET <target-id>
msf exploit(magnusbilling_unauth_rce_cve_2023_30258) > show options
...show and set options...
msf exploit(magnusbilling_unauth_rce_cve_2023_30258) > exploit
