Backdrop CMS 1.22.0 — Unrestricted File Upload (Layouts)
# An issue was discovered in Backdrop CMS 1.22.0
# We found an unrestricted file upload vulnerability: a malicious file can be uploaded as a layout on the Install new layouts page.
Proof of Concept
First, we log in to the target application with admin privileges.
Then we select Structure > Layouts > Install new layouts.
And then, we click Manual Installation.
We can upload zip files.
Layout files can be found at the following link.
We download the Harris Flexible layout.
Next, we unzip harris_flexible.zip.
We change into the extracted harris_flexible directory.
We generate a PowerShell reverse shell payload from https://www.revshells.com/
We replace the content of the layout template, harris-flexible.tpl.php, with the reverse shell payload.
After that, we zip the harris_flexible directory.
We use nc to listen on port 443.
We go back to the Manual installation popup and upload harris_flexible.zip.
Next, we click the INSTALL button.
Finally, we get a shell connection.
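A pre-install check for the archive tampering shown in the steps above, as an added example that is not part of the original write-up or Backdrop's own code: it lists PHP files in a layout zip that call command-execution or socket functions. The function names, the indicator list and the two sample archives are assumptions constructed for this illustration.

```python
import io
import re
import zipfile

# PHP functions that run OS commands, evaluate strings or open raw sockets.
# A layout template only needs to print markup, so any hit deserves review.
# The list is an assumption of this example and is not exhaustive.
RISKY_CALLS = re.compile(
    r"\b(shell_exec|exec|system|passthru|proc_open|popen|pcntl_exec|"
    r"eval|fsockopen|base64_decode)\s*\(", re.IGNORECASE)
BACKTICK = re.compile(r"`[^`\n]+`")  # PHP backtick operator also runs commands
PHP_BLOCK = re.compile(r"<\?(?:php|=)?(.*?)(?:\?>|\Z)", re.S)
PHP_SUFFIXES = (".php", ".inc", ".module", ".install", ".phtml")


def scan_layout_archive(zip_bytes):
    """Return sorted (member, indicator) pairs for PHP files in a layout zip."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            if info.is_dir() or not name.lower().endswith(PHP_SUFFIXES):
                continue
            source = archive.read(name).decode("utf-8", errors="replace")
            for match in RISKY_CALLS.finditer(source):
                findings.add((name, match.group(1).lower()))
            # Look for backticks only inside PHP tags, not in surrounding HTML.
            if any(BACKTICK.search(block) for block in PHP_BLOCK.findall(source)):
                findings.add((name, "backtick operator"))
    return sorted(findings)


def build_zip(files):
    """Build an in-memory zip from {path: text} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for path, text in files.items():
            archive.writestr(path, text)
    return buf.getvalue()


# Constructed samples: a plain markup template and a tampered one.
TEMPLATE = "harris_flexible/harris-flexible.tpl.php"
CLEAN = build_zip({TEMPLATE: "<div><?php print $content['content']; ?></div>"})
TAMPERED = build_zip({TEMPLATE: "<?php system($placeholder_command); ?>"})

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, scan_layout_archive(data))
```

A hit is a reason to read the template by hand before installing it. Static matching of this kind misses obfuscated code, so an empty result does not prove the archive is safe.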
Grim The Ripper Team by SOSECURE Thailand