Backdrop CMS 1.22.0 — Unrestricted File Upload (Layouts)

3 min readSep 28, 2022



# An Issue is discovered in Backdrop CMS 1.22.0

#We found a vulnerability file upload when we upload the malicious file as a layout on the Install New layout page.

Proof of Concept

First, we log in to the target application with admin privileges.

Then select Structure > Layouts > Install new layouts

And then, we click Manual Installation.

We can upload with zip files.

We can find layout files at the link following.

We download Harris Flexible layout.

Next, We unzip

We proceed to the harris_flexible directory we unzip.

We generate PowerShell reverse shell payload from

We replace the content of layout — harris-flexible.tpl.php with a reverse shell payload.

After that, we zip harris_flexible directory.

We using nc to listen on port 443

back to the Manual installation popup and upload

Next, we click the INSTALL button.

Finally, we get a shell connection.


Grim The Ripper Team by SOSECURE Thailand




You get the best out of others when you give the best of yourself