Nov. 14, 2023, 1:13 a.m. |

Packet Storm

This Metasploit module exploits a command injection vulnerability in MagnusBilling application versions 6.x and 7.x that allows remote attackers to run arbitrary commands via an unauthenticated HTTP request. A piece of demonstration code is present in lib/icepay/icepay.php, with a call to an exec(). The parameter to exec() includes the GET parameter democ, which is controlled by the user and not properly sanitised/escaped. After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands. The commands run with the …

application attackers call code command command injection demonstration exploits http injection metasploit parameter php piece request run unauthenticated vulnerability

Security Specialist

@ Protect Democracy | Remote, US

Environmental Compliance Lead

@ EDF Energy | Bristol, GB

IT Consultant Network w/m/d Wireless (WiFi6, Mobilfunk 5G)

@ Computacenter | Berlin, DE, 12099

Senior - Cyber Infrastructure Protection

@ Deloitte | Madrid, España

GRC (Governance, Risk & Compliance) | 4 to 6 Years | Mumbai, Bengaluru & Chennai

@ Capgemini | Bengaluru, MH, IN

Technology Risk & Controls Advisory - Experienced Consultant

@ Wavestone | London, United Kingdom