noraj/fuelcms-rce

Fuel CMS RCE exploit / PoC

Fuel CMS 1.4 - Remote Code Execution

Exploit / PoC for CVE-2018-16763.

[EDB-49487] [PacketStorm] [WLB-2020110119]

Usage

$ ruby exploit.rb -h
Fuel CMS 1.4 - Remote Code Execution

Usage:
  exploit.rb <url> <cmd>
  exploit.rb -h | --help

Options:
  <url>         Root URL (base path) including HTTP scheme, port and root folder
  <cmd>         The system command to execute
  -h, --help    Show this screen

Examples:
  exploit.rb http://example.org id
  exploit.rb https://example.org:8443/fuelcms 'cat /etc/passwd'

Requirements

Example for BlackArch:

pacman -S ruby-httpclient ruby-docopt

Example using gem:

gem install httpclient docopt

Demo environment

$ docker pull her0ma/fuelcms
$ docker run -d -p 8099:80 -p 3306:3306 her0ma/fuelcms /bin/startup.sh
$ ruby exploit.rb http://127.0.0.1:8099/index.php/ 'ls -lhA'

Reference

This is an improved rewrite of EDB-ID-47138 (GitHub):

  • better output (displays only the command's output)
  • takes command-line arguments (instead of hardcoded values)
  • cleaner and more customizable code
  • written in Ruby (Python 2 is deprecated)

This exploit was tested with Ruby 2.7.2 and 3.0.2.

About EDB-ID-47138:

# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763