CVE-2023-30258
Published 2023-06-23
CVE-2023-30258: Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.
Priority P1 · 94 · critical · 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 94.25% (99.8th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| magnussolution | magnusbilling | 6.0.0 – 7.3.0 | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS MagnusBilling icepay.php democ Parameter Command Inject Attempt (CVE-2023-30258)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mbilling/lib/icepay/icepay.php?democ|3d|"; fast_pattern; startswith; content:"|3b|"; within:100; content:"|3b 23|"; within:500; reference:url,attackerkb.com/topics/DFUJhaM5dL/cve-2023-30258; reference:cve,2023-30258; classtype:attempted-admin; sid:2049247; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2023_11_16, cve CVE_2023_30258, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_03_08, reviewed_at 2024_10_02; target:dest_ip;)
- The vulnerable parameter is `democ` in a GET request to `/mbilling/lib/icepay/icepay.php`. The value is passed unsanitised to PHP's `exec()`. Injection is indicated by a semicolon (`;`, URL-encoded `%3b`) in the parameter value, typically terminated with `#` (`%23`) to comment out trailing content.
- Exploitation requires no authentication. Look for GET requests to `icepay.php` from unauthenticated sessions (no session cookie / no prior login flow) containing shell metacharacters in the `democ` parameter.
- Commands execute as the web server process user. Post-exploitation artefacts to hunt for include files written to `/tmp/` (e.g. `/tmp/injected.txt`) and outbound `curl` or `sleep` child processes spawned by the web server.
- For OOB/blind detection, monitor for DNS/HTTP callbacks from the MagnusBilling server to external hosts triggered by injected `curl` commands. The Nuclei template confirms exploitation via `User-Agent: curl` in the interactsh callback request.
- Shodan/FOFA fingerprinting: exposed MagnusBilling instances can be identified with `http.html:"magnusbilling"` (Shodan) or `body="magnusbilling"` (FOFA) to scope detection to relevant assets.
- The Emerging Threats Snort rule (SID 2049247) uses byte-pattern matching: URI must start with `/mbilling/lib/icepay/icepay.php?democ=` (`|3d|`), contain `;` (`|3b|`) within 100 bytes, and contain `;#` (`|3b 23|`) within 500 bytes of that.
- Both MagnusBilling 6.x (all versions) and 7.x up to (but not including) the commit that fixes the vulnerability are affected. Version 7.x instances patched with commit `7af21ed620` are not vulnerable.
- The vulnerable file is demonstration/PoC code (`lib/icepay/icepay.php`) that should not be present in production deployments. Its presence on an internet-facing server is itself a misconfiguration risk independent of patching.
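The ET rule's three content checks, re-implemented as an offline access-log hunt. This is an added example and not code from this page, from Emerging Threats or from MagnusSolution; it assumes Apache/nginx "combined" format logs, and the log lines inside it are constructed (RFC 5737 documentation addresses). It goes slightly beyond SID 2049247 by also flagging any `democ` value containing a shell metacharacter, which covers requests the strict `;#` pattern would miss, such as a payload without the trailing comment or a POST carrying the query string.

```python
"""Access-log hunt for CVE-2023-30258 (MagnusBilling icepay.php `democ` parameter).

Added example; not code from the advisory page, Emerging Threats, or MagnusSolution.
It re-implements the three content checks of ET SID 2049247 so they can be run
offline over Apache/nginx "combined" access logs instead of live traffic, and adds
the broader hunt described above (any shell metacharacter in `democ`).
The log lines at the bottom are constructed for this example.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

PREFIX = "/mbilling/lib/icepay/icepay.php?democ="
SHELL_META = set(";|&`$\n")  # characters that hand control to the shell behind exec()

# Apache/nginx "combined" format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def matches_et_2049247(method: str, uri: str) -> bool:
    """True when the request satisfies the byte-pattern logic of the ET rule.

    Logs store the URI percent-encoded, so %3b/%23 are decoded first; the IDS
    matches the raw bytes (|3b| and |3b 23|) on the wire instead.
    """
    if method != "GET":                      # http.method; content:"GET"
        return False
    decoded = unquote(uri)
    if not decoded.startswith(PREFIX):       # content:"...democ|3d|"; startswith
        return False
    tail = decoded[len(PREFIX):]
    semi = tail.find(";")
    if semi < 0 or semi >= 100:              # content:"|3b|"; within:100
        return False
    # content:"|3b 23|"; within:500 -- searched from the end of the previous match
    return ";#" in tail[semi + 1: semi + 1 + 500]


def classify_request(method: str, uri: str) -> Optional[str]:
    """Strict rule match first; otherwise flag any shell metacharacter in `democ`.

    The broader check also covers POSTs with a query string (PHP still fills
    $_GET) and payloads that omit the trailing `;#` the ET rule insists on.
    """
    decoded = unquote(uri)
    if not decoded.startswith(PREFIX):
        return None
    if matches_et_2049247(method, uri):
        return "et-2049247"
    value = decoded[len(PREFIX):]
    if any(ch in SHELL_META for ch in value):
        return "suspicious-metachar"
    return None


def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per suspicious request, keeping fields useful for triage."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # unparsable line: skip, do not abort the hunt
        verdict = classify_request(m["method"], m["uri"])
        if verdict is None:
            continue
        hits.append({
            "src": m["src"],
            "ts": m["ts"],
            "verdict": verdict,
            "democ": unquote(m["uri"])[len(PREFIX):],
            "ua": m["ua"],                    # a curl User-Agent is a secondary indicator noted above
        })
    return hits


# Constructed sample log (RFC 5737 documentation addresses); not real traffic.
LOG_LINES = [
    '203.0.113.5 - - [19/Jan/2024:10:00:01 +0000] "GET /mbilling/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Jan/2024:10:00:02 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=hello HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Jan/2024:10:01:15 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=x%3Bid%3B%23 HTTP/1.1" 200 44 "-" "curl/8.4.0"',
    '198.51.100.7 - - [19/Jan/2024:10:01:20 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=x%3Bsleep%205 HTTP/1.1" 200 44 "-" "curl/8.4.0"',
    '198.51.100.7 - - [19/Jan/2024:10:01:25 +0000] "POST /mbilling/lib/icepay/icepay.php?democ=x%3Bid%3B%23 HTTP/1.1" 200 44 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for hit in hunt(LOG_LINES):
        print(f'{hit["ts"]} {hit["src"]} {hit["verdict"]:20} democ={hit["democ"]!r} ua={hit["ua"]}')
```

Run as a script it prints three hits: the first request reproduces the exact SID 2049247 match, while the `sleep` request (no `;#`) and the POST are caught only by the wider metacharacter check, which is the gap a log-based hunt should close rather than mirror the IDS rule one-for-one.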
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-4v39-q2jh-wjrw: Command Injection vulnerability in MagnusSolution magnusbilling 6
ghsa_unreviewed · 2023-06-23 · CVE-2023-30258 [CRITICAL] · CWE-77
Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.
VulnCheck
magnussolution magnusbilling Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2023 · CVE-2023-30258 [CRITICAL] · CVSS 9.8
Affected: magnussolution magnusbilling
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-19&host_type=src&vulnerability=cve-2023-30258; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2023-30258; https://dashboard.shadowserver
Suricata
ET WEB_SPECIFIC_APPS MagnusBilling icepay.php democ Parameter Command Inject Attempt (CVE-2023-30258)
suricata · 2023-11-16 · CVE-2023-30258 [CRITICAL] · CVSS 9.8
Rule: SID 2049247, quoted in full under Detection & IOCs above.
Exploit-DB
MagnusSolution magnusbilling 7.3.0 - Command Injection
exploitdb · 2025-04-11 · CVE-2023-30258 [CRITICAL] · CVSS 9.8
---
# Exploit Title: MagnusSolution magnusbilling 7.3.0 - Command Injection
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/magnussolution/magnusbilling7
# Software Link: https://github.com/magnussolution/magnusbilling7
# Version: 7.3.0
# Tested on: Centos
# CVE : CVE-2023-30258
# PoC URL for Command Injection
http://magnusbilling/lib/icepay/icepay.php?democ=testfile; id > /tmp/injected.txt
Result: This PoC attempts to inject the id command.
[Replace Your Domain Name]
Nuclei
MagnusBilling - Remote Code Execution
nuclei · CVE-2023-30258 [CRITICAL] · CVSS 9.8
Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.
Template:
id: CVE-2023-30258
info:
  name: MagnusBilling - Remote Code Execution
  author: gy741,mananispiwpiw
  severity: critical
  description: |
    Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.
  impact: |
    Unauthenticated attackers can execute arbitrary OS commands on the MagnusBilling server, leading to complete system compromise and potential access to all billing data and customer information.
  remediation: |
    Upgrade to the latest patched version of MagnusBilling or apply vendor-provide
Metasploit
MagnusBilling application unauthenticated Remote Command Execution.
metasploit · CVE-2023-30258
A Command Injection vulnerability in MagnusBilling application 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request. A piece of demonstration code is present in `lib/icepay/icepay.php`, with a call to an exec(). The parameter to exec() includes the GET parameter `democ`, which is controlled by the user and not properly sanitised/escaped. After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically `www-data` or `asterisk`. At a minimum, this allows an attacker to compromise the billing system and its database. The following MagnusBilling applications are vulnerable: - Magn
No writeups or analysis indexed.
References
http://packetstormsecurity.com/files/175672/MagnusBilling-Remote-Command-Execution.html
https://eldstal.se/advisories/230327-magnusbilling.html
https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2023-30258.md
https://github.com/magnussolution/magnusbilling7/commit/ccff9f6370f530cc41ef7de2e31d7590a0fdb8c3