FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
Fuel CMS version 1.4.1 remote code execution exploit. Original discovery of remote code execution in this version is attributed to 0xd0ff9 in July of 2019 ...
Vulnerability Capstone
Notes on the CTF
nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-21 19:07 UTC
Nmap scan report for ip-10-10-163-53.eu-west-1.compute.internal (10.10.163.53)
Host is up (0.00043s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-host
Hi there 👋
My name is Martín, aka n3m1sys on Internet. I'm a cybersecurity consultant and ethical hacker.
What do I do?
I do not program very frequently. Sometimes I develop exploit scripts, and simple programs to automate things.
List of exploits I developed
github.com/n3m1sys/CVE-2023-22809-sudoedit-privesc
github.com/n3m1sys/CVE-2018-16763-
Fuel CMS 1.4.1 - Remote Code Execution
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter
parameter or the preview/ data parameter. This can lead to Pre-Auth Remote
Code Execution.
Install
git clone https://github.com/Trushal2004/CVE-2018-16763.git
cd CVE-2018-16763/
python3 -m pip install -r requirements.txt
chmod +x exploit.py
./exploit.py
IgniteCTF
A beginner-friendly CTF, Ignite, hosted on TryHackMe and created by DarkStar7471, which focuses on enumeration and privilege escalation and is divided into 2 tasks: user flag and root flag.
User Flag
Let's boot up the machine and start a simple Nmap scan:
nmap -Pn -A -vv -sV -sC -oN normalScan $IP
and we found out port 80 HTTP web serv
This is an updated version of the CVE-2018-16763 for fuelCMS 1.4.1
CVE-2018-16763-exploit
The script bases itself on the one from www.exploit-db.com/exploits/47138.
The script is updated for usage with Python 3.
CVE-2018-16763
FuelCMS 1.4.1 Remote Code Execution Vulnerability
This is a port to Python 3 of the vulnerability at www.exploit-db.com/exploits/47138, created by 0xd0ff9.
To run the exploit, just modify the url variable in the code with the target url you want to attack, and add the proxies you are behind to the proxies list.
This exploit doesn't require any kind of
Exploit to trigger RCE for CVE-2018-16763 on FuelCMS <= 1.4.1 and interactive shell.
CVE-2018-16763 - FuelCMS <= 1.4.1 RCE
Features
Automatically uploads a php webshell API in FuelCMS using CVE-2018-16763
Execute system commands via an API with ?action=exec
Download files from the remote system to your attacking machine with ?a
A write up on the THM room Vulnerability Capstone & Exploit script for CVE-2018-16763.
THM-Vulnerability_Capstone-CVE-2018-16763
CREDITS
I do not take credit for the discovery of this vulnerability. Thank you to the following people:
Vulnerability Discovery:
0xd0ff9
TryHackMe Room & Author:
tryhackme.com/room/vulnerabilitycapstone
tryhackmec
Ignite Write-up
I started off this CTF by doing some basic enumeration scans.
Port Scan:
I performed the following port scan:
sudo nmap -vv -sS -sV -sC -oN nmap_out 101062131
I got only 1 port from the scan:
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))