Backdrop CMS 1.22.0 — Unrestricted File Upload (Modules)

GrimTheRipper
3 min read · Sep 28, 2022

Description

An issue was discovered in Backdrop CMS 1.22.0.

We found a file upload vulnerability: a malicious file can be uploaded as a module on the Install New Modules page.

Proof of Concept

First, we log in to the target application with admin privileges.

Then select Functionality and select Install new modules.

And then, we click Manual Installation.

We can upload with zip files.

We can find module files at the following link.

https://backdropcms.org/modules

We download Twitter Filters Modules.

Next, we unzip twitter_filters.zip.

We proceed to the twitter_filters directory we unzipped.

We generate PowerShell reverse shell payload from https://www.revshells.com/

We replace the content of twitter_filters.module with a reverse shell payload.

After that, we zip twitter_filters directory.

We use nc to listen on port 443.

Then we go back to the Manual installation popup and upload twitter_filters.zip.

Next, we click the INSTALL button.

After the installation completes successfully, we click Enable newly added modules.

Finally, we get a shell connection.
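The procedure above starts from an account with admin privileges, and a Backdrop module is PHP code that runs with the web server's privileges by design, so the defender's levers are who holds the right to install modules and whether an uploaded archive is inspected before it is installed. The script below is an added example, not code from this post or from the Backdrop project: it scans a module .zip in memory and reports execution primitives in PHP-bearing files, unsafe archive paths, and a missing .info file. The list of flagged function names and the two sample archives are constructed for illustration and should be tuned to the site.

```python
import io
import re
import zipfile

# Constructed heuristic list of PHP execution primitives to flag; tune per site.
SUSPICIOUS_CALLS = (
    "exec", "shell_exec", "system", "passthru", "proc_open", "popen",
    "fsockopen", "eval", "base64_decode",
)
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(", re.IGNORECASE)

# Backdrop/Drupal-style file extensions that may carry PHP code.
PHP_EXTENSIONS = (".php", ".module", ".inc", ".install", ".theme")


def scan_module_archive(zip_bytes):
    """Return a list of (path, reason) findings for a module .zip.

    Findings cover unsafe archive paths (zip-slip style entries), a missing
    .info file (every Backdrop module ships one), and execution primitives
    found in PHP-bearing files. An empty list means nothing was flagged.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if not any(n.endswith(".info") for n in names):
            findings.append(("<archive>", "no .info file; not a well-formed module"))
        for name in names:
            # Reject absolute paths and any ".." component before reading content.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "unsafe path in archive"))
                continue
            if name.endswith(PHP_EXTENSIONS):
                text = zf.read(name).decode("utf-8", errors="replace")
                for m in CALL_RE.finditer(text):
                    findings.append((name, f"calls {m.group(1)}()"))
    return findings


def build_archive(files):
    """Build an in-memory .zip from a {path: content} mapping (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed samples: a benign module skeleton, and a tampered copy whose
# .module file runs an OS command (a harmless stand-in for the payload in the post).
CLEAN_MODULE = build_archive({
    "twitter_filters/twitter_filters.info": "name = Twitter Filters\ntype = module\n",
    "twitter_filters/twitter_filters.module":
        "<?php\nfunction twitter_filters_filter_info() {\n  return array();\n}\n",
})
TAMPERED_MODULE = build_archive({
    "twitter_filters/twitter_filters.info": "name = Twitter Filters\ntype = module\n",
    "twitter_filters/twitter_filters.module":
        "<?php\nfunction twitter_filters_init() {\n  exec('id');\n}\n",
})

if __name__ == "__main__":
    for label, archive in (("clean", CLEAN_MODULE), ("tampered", TAMPERED_MODULE)):
        print(label, scan_module_archive(archive) or "no findings")
```

Run against the tampered sample, the scanner reports the .module file calling exec(); the clean sample produces no findings. A pattern match like this is a triage aid, not proof of safety: it complements, rather than replaces, limiting the module-installation permission to a small set of accounts and reviewing module source before enabling it.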

Author

Grim The Ripper Team by SOSECURE Thailand
