
CVE-2018-16763 PoC — FUEL CMS Injection Vulnerability

Associated Vulnerability
Title: FUEL CMS Injection Vulnerability (CVE-2018-16763)
Description: FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
# THM-Vulnerability_Capstone-CVE-2018-16763
A write up on the THM room Vulnerability Capstone & Exploit script for CVE-2018-16763.
# CREDITS

I do not take credit for the discovery of this vulnerability. Thank you to the following people.  

Vulnerability Discovery:  
0xd0ff9  

TryHackMe Room & Author:  
https://tryhackme.com/room/vulnerabilitycapstone  
https://tryhackme.com/p/cmnatic  

References:  
https://github.com/noraj/fuelcms-rce/blob/master/exploit.rb  
https://github.com/daylightstudio/FUEL-CMS/issues/478  
https://packetstormsecurity.com/files/164756/Fuel-CMS-1.4.1-Remote-Code-Execution.html  


# Vulnerability

**1. Remote Code Execution**

Fuel CMS is a content management system for web applications. In version 1.4.1, there is an RCE vulnerability that allows arbitrary PHP code to be evaluated/executed via two different pathways. The first path to RCE is a GET request to `/fuel/pages/select/` with the `filter` parameter. The second pathway is a POST request to `/fuel/preview` with the `data` parameter. I searched the internet for a while and unfortunately, I was not able to come up with source code showing where the vulnerability was. I suck, I know.....lol. We will now continue to the write-up!
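As an added defender-side example (not part of the original write-up or of Fuel CMS), the script below scans web-server access logs for the two request shapes the CVE description names and returns them for triage. It assumes Common Log Format and uses constructed sample lines; the `filter` value in the sample is a harmless placeholder.

```python
"""Flag access-log entries matching the CVE-2018-16763 request shapes."""
import re
from urllib.parse import parse_qs, urlsplit

# Paths and parameters taken from the CVE description (trailing slash normalised away).
SUSPECT = {
    "/fuel/pages/select": "filter",  # reached via GET, parameter in the query string
    "/fuel/preview": "data",         # reached via POST, parameter in the request body
}

# Common Log Format (assumed; adjust the pattern to your server's log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def classify(line):
    """Return a finding dict for a suspicious request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path.rstrip("/")
    param = SUSPECT.get(path)
    if param is None:
        return None
    # Access logs carry the query string but not POST bodies, so for the GET path we
    # require the named parameter; for the POST path the endpoint itself is the signal.
    if m["method"] == "GET" and param not in parse_qs(parts.query):
        return None
    # Legitimate admin traffic may also hit these paths; correlate hits with the
    # source IP and whether the session was authenticated before acting on them.
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": path, "param": param, "status": int(m["status"])}

def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Nov/2021:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '10.0.0.5 - - [21/Nov/2021:10:00:01 +0000] "GET /fuel/pages/select/?filter=abc HTTP/1.1" 200 4096',
    '10.0.0.5 - - [21/Nov/2021:10:00:02 +0000] "GET /fuel/pages/select/ HTTP/1.1" 200 4096',
    '10.0.0.5 - - [21/Nov/2021:10:00:03 +0000] "POST /fuel/preview HTTP/1.1" 200 2048',
    '10.0.0.9 - - [21/Nov/2021:10:00:04 +0000] "GET /fuel/login/ HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```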

# The Write-Up
Let's start off with some port scans to get a layout of our attack surface. I like rustscan to get a broad overview of the target before doing a narrowed and focused scan with nmap.

![image](https://user-images.githubusercontent.com/90923369/142747191-3d5459a3-da37-4554-834e-c4cabd8b6c92.png)

Looks pretty standard. I believe it's gonna be SSH & HTTP on these ports; however, we will run some more scans with nmap to get a more specific idea.

![image](https://user-images.githubusercontent.com/90923369/142747314-49613988-4460-44ab-98d0-6b6fc3dc0f94.png)

So we have SSH & HTTP running on their standard ports. Let's look into the webpage and see what we've got!

![image](https://user-images.githubusercontent.com/90923369/142747387-0c31198e-8407-43a2-9399-5542d6babf8c.png)

The webserver is hosting Fuel CMS version 1.4. This version is vulnerable to remote code execution via PHP code evaluation. Let's have a look at the CVE from NVD below.

![image](https://user-images.githubusercontent.com/90923369/142747521-0aa91578-c49e-4e5c-96af-c877cdaea8e6.png)

There are multiple exploits available for this software. I have provided an exploit in Python; however, it's crap. I call it crap because we will have to manually parse the response from the web request to see our command's output. I was unsuccessful in my attempts to cut out the fat. Let's have a look!

![image](https://user-images.githubusercontent.com/90923369/142747646-25830884-b264-4757-8ef5-a9cd1f6f0cfc.png)

I ran the `ls -al` command. As we can see, the output from the command is between the HTML div elements.

![image](https://user-images.githubusercontent.com/90923369/142747741-51fa997d-6e41-4dd1-bbb5-fe5ef9ac3f86.png)

I won't reveal the flag; however, I'll give a hint! You can start by looking into the home directory. Thank you for reading this write-up. Have fun!