Backdrop CMS 1.22.0 — Unrestricted File Upload (Modules)
Description
An issue was discovered in Backdrop CMS 1.22.0.
We found an unrestricted file upload vulnerability: a malicious file can be uploaded as a module on the Install New Modules page and its code is executed once the module is enabled.
Proof of Concept
First, we log in to the target application with admin privileges.
Then we select Functionality and then Install new modules.
After that, we click Manual installation.
This lets us upload zip files.
Module files can be found at the following link.
https://backdropcms.org/modules
We download the Twitter Filters module.
Next, we unzip twitter_filters.zip.
We go into the twitter_filters directory we just unzipped.
We generate a PowerShell reverse shell payload with https://www.revshells.com/.
We replace the content of twitter_filters.module with the reverse shell payload.
After that, we zip the twitter_filters directory.
We use nc to listen on port 443.
We go back to the Manual installation popup and upload twitter_filters.zip.
Next, we click the INSTALL button.
After the installation completes successfully, we click Enable newly added modules.
Finally, we get a shell connection.
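The steps above rely on the fact that anyone allowed to use Manual installation can ship arbitrary PHP in a .module file, and that code runs as soon as the module is enabled. For a defender the practical controls are limiting who holds the permission that installs modules and checking an uploaded archive before it is enabled. The following Python script is an added example written for this page; it is not Backdrop's own code and not part of the original advisory. It inspects a module zip the way a pre-install hook or an operator could: it flags zip-slip paths, it greps PHP-executing files for process-spawning and raw-socket calls that a content-filter module has no reason to contain, and it compares the archive hash with an allowlist of archives the operator downloaded from https://backdropcms.org/modules. The file-extension list and the allowlist mechanism are assumptions for the example, and both sample archives are constructed in the script itself.

```python
"""Pre-install inspector for CMS module archives (added example, not Backdrop code)."""
import hashlib
import io
import re
import zipfile

# Assumption: these extensions are parsed as PHP by the CMS, so code in them
# executes once the module is enabled. Adjust for the target installation.
PHP_EXTENSIONS = (".php", ".module", ".inc", ".install", ".theme")

# Calls that let a PHP file spawn processes, open raw sockets or hide code.
# Their presence is not proof of malice, but a content-filter module that
# uses them deserves a human review before it is enabled.
SUSPICIOUS_CALLS = re.compile(
    r"\b(?P<fn>shell_exec|exec|system|passthru|proc_open|popen|fsockopen|"
    r"eval|assert|base64_decode)\s*\(",
    re.IGNORECASE,
)


def archive_sha256(data: bytes) -> str:
    """Hash of the whole archive, to compare against a known-good download."""
    return hashlib.sha256(data).hexdigest()


def inspect_module_archive(data: bytes, allowlist=None) -> dict:
    """Return findings for a zip archive; an empty findings list means no issue seen.

    allowlist: optional set of SHA-256 hex digests of archives the operator
    fetched from the official module listing (hypothetical allowlist).
    """
    findings = []
    digest = archive_sha256(data)
    if allowlist is not None and digest not in allowlist:
        findings.append(f"archive hash {digest[:12]}... not in allowlist")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Zip-slip: an entry that would land outside the modules directory.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"unsafe path: {name}")
                continue
            if name.endswith(PHP_EXTENSIONS):
                source = zf.read(info).decode("utf-8", errors="replace")
                for m in SUSPICIOUS_CALLS.finditer(source):
                    line = source.count("\n", 0, m.start()) + 1
                    findings.append(f"{name}:{line}: call to {m.group('fn')}")
    return {"sha256": digest, "findings": findings, "safe_to_install": not findings}


def build_archive(files: dict) -> bytes:
    """Build an in-memory zip from {path: content}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a minimal, benign module layout.
CLEAN_MODULE = build_archive({
    "twitter_filters/twitter_filters.info": "name = Twitter Filters\nbackdrop = 1.x\n",
    "twitter_filters/twitter_filters.module":
        "<?php\nfunction twitter_filters_filter_info() {\n  return array();\n}\n",
})

# Constructed sample: the same module with its .module file replaced by
# code that only needs to contain the call names the inspector looks for,
# plus a zip-slip entry.
TAMPERED_MODULE = build_archive({
    "twitter_filters/twitter_filters.info": "name = Twitter Filters\nbackdrop = 1.x\n",
    "twitter_filters/twitter_filters.module":
        "<?php\n// constructed stand-in for a replaced .module file\n"
        "$out = shell_exec('id');\n$conn = fsockopen('host.invalid', 443);\n",
    "../../settings.php": "<?php // constructed zip-slip entry\n",
})


if __name__ == "__main__":
    for label, archive in (("clean", CLEAN_MODULE), ("tampered", TAMPERED_MODULE)):
        report = inspect_module_archive(archive, allowlist={archive_sha256(CLEAN_MODULE)})
        print(f"{label}: safe_to_install={report['safe_to_install']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it as a file and the clean archive passes while the tampered one is reported with three findings (the traversal entry and the two calls), and a fourth if its hash is not in the allowlist. Because the archive is hashed as a whole, even a one-line change to twitter_filters.module is enough to drop it from the allowlist, which is the check to run before clicking Enable newly added modules.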
Author
Grim The Ripper Team by SOSECURE Thailand