## https://sploitus.com/exploit?id=96F0DA98-7362-55F9-8AD1-ADB94DD26EF5
# CVE-2023-46818
ISPConfig - PHP Code Injection PoC Exploit (Bash)
### Introduction
`ISPConfig` versions <= 3.2.11 contain an authenticated PHP code injection flaw in the `records[]` parameter of the `/admin/language_edit.php` endpoint. An authenticated admin user can inject arbitrary PHP code through this parameter, which leads to remote code execution on the server. The root cause is unsanitized handling of language-file input that is written into dynamically generated PHP code. Because exploitation needs admin credentials, compromised or weak admin passwords are the precondition to watch for, and POST requests to this endpoint are the observable trace on the web server.
<br>
### Usage
```bash
git clone https://github.com/engranaabubakar/CVE-2023-46818.git
cd CVE-2023-46818
chmod +x exploit.sh
./exploit.sh http://$IP admin admin
```
<br>
Note: This exploit requires valid ISPConfig admin credentials and deploys a command web shell accessible at `/admin/sh.php`. The shell provides a terminal-like interface for repeated command execution on the target system, so that path is a direct indicator of compromise for defenders reviewing access logs.
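As an added defender-side example (not code from this PoC repository or from ISPConfig), the following Python snippet correlates the two traces named above in constructed Apache/nginx-style access-log lines: POST requests to `/admin/language_edit.php` and subsequent requests to the PoC's default shell path `/admin/sh.php`. The log format, the sample lines and the severity labels are assumptions for illustration; the shell filename is only the PoC's default, so the POST to the vulnerable endpoint is the signal that survives a renamed shell.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format (assumed): client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

VULN_ENDPOINT = "/admin/language_edit.php"  # injection point named in the advisory
SHELL_PATH = "/admin/sh.php"                # the PoC's default web shell location

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # strip the query string
    return rec

def find_suspicious(lines):
    """Per client IP, correlate POSTs to the vulnerable endpoint with later
    requests to the web shell. Returns {ip: severity} for flagged clients."""
    state = defaultdict(lambda: {"edit_post": False, "shell": False, "chain": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = state[rec["ip"]]
        if rec["method"] == "POST" and rec["path"] == VULN_ENDPOINT:
            s["edit_post"] = True
        elif rec["path"] == SHELL_PATH:
            s["shell"] = True
            if s["edit_post"]:       # shell reached after the injection request
                s["chain"] = True
    result = {}
    for ip, s in state.items():
        if s["chain"]:
            result[ip] = "high"      # full exploit chain seen from one client
        elif s["shell"]:
            result[ip] = "medium"    # shell path requested (even a 404 probe matters)
        elif s["edit_post"]:
            result[ip] = "low"       # may be a legitimate language-file edit
    return result

# Constructed sample lines (not real traffic), one per case plus an unparsable line.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "POST /admin/language_edit.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:12:00:03 +0000] "GET /admin/sh.php?x=1 HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Oct/2023:12:01:00 +0000] "POST /admin/language_edit.php HTTP/1.1" 200 512',
    '192.0.2.7 - - [10/Oct/2023:12:02:00 +0000] "GET /admin/sh.php HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, sev in find_suspicious(SAMPLE_LOG).items():
        print(f"{ip}: {sev}")
```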
<br><br><br>
### Credits
Researcher: Rana Abu Bakar <br>
Original Advisory: https://karmainsecurity.com/KIS-2023-13 <br>