Backdrop CMS 1.22.0 — Unrestricted File Upload (Layouts)

Description

# An Issue is discovered in Backdrop CMS 1.22.0

#We found a vulnerability file upload when we upload the malicious file as a layout on the Install New layout page.

Proof of Concept

First, we log in to the target application with admin privileges.

Then select Structure > Layouts > Install new layouts

And then, we click Manual Installation.

We can upload with zip files.

We can find layout files at the link following.

https://backdropcms.org/modules

We download Harris Flexible layout.

Next, We unzip harris_flexible.zip

We proceed to the harris_flexible directory we unzip.

We generate PowerShell reverse shell payload from https://www.revshells.com/

We replace the content of layout — harris-flexible.tpl.php with a reverse shell payload.

After that, we zip harris_flexible directory.

We using nc to listen on port 443

back to the Manual installation popup and upload harris_flexible.zip

Next, we click the INSTALL button.

Finally, we get a shell connection.

Author

Grim The Ripper Team by SOSECURE Thailand