Related vulnerability
Title:
FUEL CMS injection vulnerability
(CVE-2018-16763)
Description: FUEL CMS is a content management system (CMS) built on the CodeIgniter framework. In FUEL CMS 1.4.1, the 'filter' parameter of the pages/select/ page and the 'data' parameter of the preview/ page are subject to an injection vulnerability. The vulnerability stems from the system or product failing to properly validate user-supplied input that is used to construct commands, data structures or records: special elements are not filtered, or not filtered correctly, so the system or product parses or interprets the input incorrectly.
Description
A write up on the THM room Vulnerability Capstone & Exploit script for CVE-2018-16763.
Introduction
# THM-Vulnerability_Capstone-CVE-2018-16763
# CREDITS
I do not take credit for the discovery of this vulnerability. Thank you to the following people.
Vulnerability Discovery:
0xd0ff9
TryHackMe Room & Author:
https://tryhackme.com/room/vulnerabilitycapstone
https://tryhackme.com/p/cmnatic
References:
https://github.com/noraj/fuelcms-rce/blob/master/exploit.rb
https://github.com/daylightstudio/FUEL-CMS/issues/478
https://packetstormsecurity.com/files/164756/Fuel-CMS-1.4.1-Remote-Code-Execution.html
# Vulnerability
**1. Remote Code Execution**
Fuel CMS is a content management system for web applications. In version 1.4.1, there is an RCE vulnerability that allows arbitrary PHP code to be evaluated/executed via two different pathways. The first path to RCE is a GET request to `/fuel/pages/select/` with the `filter` parameter. The second pathway is a POST request to `/fuel/preview` with the `data` parameter. I searched the internet for a while and unfortunately, I was not able to come up with source code showing where the vulnerability was. I suck, I know.....lol. We will now continue to the write up!
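For the defensive side of the two request paths just described, here is an added example (not part of the original README, not the repository's `rce.py`, and not FUEL CMS code) that scans web-server access-log lines for requests to `/fuel/pages/select/` carrying a `filter` parameter and for POSTs to `/fuel/preview`. It assumes the Apache/nginx combined log format and that request bodies are not logged, so the preview path can only be flagged by method and path; the log lines in `SAMPLE_LOG` are constructed for illustration.

```python
"""Flag access-log requests aimed at the FUEL CMS 1.4.1 injection endpoints
(CVE-2018-16763). Added example for this write-up; assumes combined log format."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint -> (expected method, parameter named in the write-up / CVE text).
WATCHED = {
    "/fuel/pages/select": ("GET", "filter"),
    "/fuel/preview": ("POST", "data"),
}

# Tokens that suggest the parameter carries PHP code rather than a plain filter string.
CODE_HINTS = re.compile(r"[;()$]|\b(system|exec|passthru|shell_exec|eval)\b", re.IGNORECASE)


def classify(line: str):
    """Return a finding dict for one log line, or None if the line is unrelated."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method = m.group("method")
    parts = urlsplit(m.group("target"))
    path = parts.path.rstrip("/")          # treat /fuel/preview and /fuel/preview/ alike
    if path not in WATCHED:
        return None
    expected_method, param = WATCHED[path]
    finding = {"ip": m.group("ip"), "ts": m.group("ts"), "path": path, "param": param}

    if method != expected_method:
        finding.update(severity="low",
                       reason=f"{method} to watched path; expected {expected_method}")
        return finding
    if method == "POST":
        # Body (the 'data' parameter) is not in the access log; inspect at the proxy/WAF.
        finding.update(severity="medium",
                       reason="POST to preview endpoint; body not logged")
        return finding

    values = parse_qs(parts.query).get(param)   # parse_qs percent-decodes the value
    if not values:
        finding.update(severity="low", reason=f"watched path without '{param}' parameter")
        return finding
    value = values[0]
    if CODE_HINTS.search(value):
        finding.update(severity="high", reason=f"'{param}' looks like code: {value!r}")
    else:
        finding.update(severity="medium", reason=f"'{param}' present: {value!r}")
    return finding


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /fuel/pages/select/?filter=home HTTP/1.1" 200 4096',
    '10.0.0.9 - - [10/Oct/2023:13:56:30 +0000] "GET /fuel/pages/select/?filter=1%3Bphpinfo()%3B HTTP/1.1" 200 4100',
    '10.0.0.9 - - [10/Oct/2023:13:57:02 +0000] "POST /fuel/preview HTTP/1.1" 200 300',
    '10.0.0.3 - - [10/Oct/2023:13:58:00 +0000] "GET /fuel/preview HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['ip']} {f['path']} - {f['reason']}")
```

The "medium" tier exists because a `filter` value on the select page is normal admin traffic; only the presence of code-like tokens in the decoded value, or an unexpected method, moves the rating. Since the second pathway lives in a POST body, the real control for it is patching to a fixed release or inspecting bodies at a reverse proxy, not this log scan.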
# The Write-Up
Let's start off with some port scans to get a layout of our attack surface. I like rustscan to get a broad overview of the target before doing a narrowed and focused scan with nmap.

Looks pretty standard. I believe it's gonna be SSH & HTTP on these ports; however, we will run some more scans with nmap to get a more specific idea.

So we have SSH & HTTP running on their standard ports. Let's look into the webpage and see what we got!

The webserver is hosting Fuel CMS version 1.4. This version is vulnerable to command injection via PHP code evaluation. Let's have a look at the CVE from NVD below.

There are multiple exploits available for this software. I have provided an exploit in python; however, it's crap. I call it crap because we will have to manually parse the response from the web request to see our command's output. I was unsuccessful in my attempts to cut out the fat. Let's have a look!

I ran the `ls -al` command. As we can see, the output from the command is between the HTML div elements.

I won't reveal the flag, however I'll give a hint! You can start by looking into the home directory. Thank you for reading this write-up. Have fun!
File snapshot
[4.0K] /data/pocs/f1f63c363363be7b6afcca29a5f33c2dde479987
├── [1.5K] rce.py
└── [3.0K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the code through its original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.