A Command Injection vulnerability in MagnusBilling application 6.x and 7.x allows
remote attackers to run arbitrary commands via unauthenticated HTTP request.
A piece of demonstration code is present in `lib/icepay/icepay.php`, with a call to an exec().
The parameter to exec() includes the GET parameter `democ`, which is controlled by the user and
not properly sanitised/escaped.
After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands.
The commands run with the privileges of the web server process, typically `www-data` or `asterisk`.
At a minimum, this allows an attacker to compromise the billing system and its database.
The following MagnusBilling applications are vulnerable:
- MagnusBilling application version 6 (all versions);
- MagnusBilling application up to version 7.x without commit 7af21ed620 which fixes this vulnerability;
msf > use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
msf exploit(magnusbilling_unauth_rce_cve_2023_30258) > show targets
...targets...
msf exploit(magnusbilling_unauth_rce_cve_2023_30258) > set TARGET < target-id >
msf exploit(magnusbilling_unauth_rce_cve_2023_30258) > show options
...show and set options...
msf exploit(magnusbilling_unauth_rce_cve_2023_30258) > exploit