Backdrop CMS 1.22.0 — Unrestricted File Upload (Layouts)

Description

An issue was discovered in Backdrop CMS 1.22.0.

We found an unrestricted file upload vulnerability: a malicious file can be uploaded as a layout on the Install New Layout page.

Proof of Concept

First, we log in to the target application with admin privileges.

Then we select Structure > Layouts > Install new layouts.

After that, we click Manual Installation.

Layouts can be uploaded as zip files.

We can find layout files at the following link.

We download Harris Flexible layout.

Next, we unzip harris_flexible.zip.

We change into the harris_flexible directory we just unzipped.

We generate a PowerShell reverse shell payload from https://www.revshells.com/

We replace the content of the layout template, layout--harris-flexible.tpl.php, with the reverse shell payload.

After that, we zip the harris_flexible directory again.

We use nc to listen on port 443.

Back in the Manual Installation popup, we upload harris_flexible.zip.

Next, we click the INSTALL button.

Finally, we get a shell connection.
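The steps above show the root of the problem from the defender's side: the layout installer accepts any zip and writes whatever PHP templates it contains into the site. The script below is an added example, not code from the SOSECURE writeup or from Backdrop itself. It shows a pre-install check an operator could run over a layout archive: it opens the zip in memory, picks out the PHP-bearing members (the suffix list and the list of flagged calls are assumptions chosen for this example), and reports any template that invokes a process-execution or code-evaluation function, which a layout template that only renders regions never needs. The two archives it inspects are constructed inline, one clean and one with a tampered `layout--harris-flexible.tpl.php`; the "payload" is a single harmless `shell_exec('id')` stand-in.

```python
import io
import re
import zipfile

# PHP calls a layout template has no reason to make (assumed list for this example).
DANGEROUS_CALLS = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open|eval|assert|"
    r"base64_decode|fsockopen|pcntl_exec)\s*\(",
    re.IGNORECASE,
)

# Archive members that the PHP interpreter would execute (assumed suffix list).
PHP_SUFFIXES = (".php", ".tpl.php", ".inc", ".module", ".phtml")


def scan_layout_zip(data: bytes):
    """Return a list of (member_name, flagged_call) for every PHP member in the
    archive that calls one of DANGEROUS_CALLS. An empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(PHP_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for match in DANGEROUS_CALLS.finditer(text):
                findings.append((info.filename, match.group(1).lower()))
    return findings


def is_safe_layout(data: bytes) -> bool:
    """True when the archive contains no flagged PHP calls."""
    return not scan_layout_zip(data)


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member_name: text} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample templates: a normal region-rendering template and a
# tampered one. The tampered body is a stand-in, not an actual payload.
BENIGN_TPL = (
    "<?php /* constructed sample */ ?>\n"
    "<div class=\"layout\"><?php print $content['header']; ?></div>\n"
)
TAMPERED_TPL = (
    "<?php /* constructed sample */ $out = shell_exec('id'); print $out; ?>\n"
)
INFO_FILE = "name = Harris Flexible\ntype = layout\n"

CLEAN_LAYOUT = build_zip({
    "harris_flexible/harris_flexible.info": INFO_FILE,
    "harris_flexible/layout--harris-flexible.tpl.php": BENIGN_TPL,
})
TAMPERED_LAYOUT = build_zip({
    "harris_flexible/harris_flexible.info": INFO_FILE,
    "harris_flexible/layout--harris-flexible.tpl.php": TAMPERED_TPL,
})

if __name__ == "__main__":
    for label, archive in (("clean", CLEAN_LAYOUT), ("tampered", TAMPERED_LAYOUT)):
        result = scan_layout_zip(archive)
        verdict = "OK" if not result else "FLAGGED"
        print(f"{label}: {verdict} {result}")
```

This is a coarse static filter, not a sandbox: obfuscated code (string concatenation, variable functions) slips past a regex, so the check belongs in front of a stronger control such as refusing archive installs from the web UI altogether and deploying layouts from version control. It does, however, catch exactly the kind of template substitution the writeup performs, and it runs before anything is written into the site.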

Author

Grim The Ripper Team by SOSECURE Thailand
