# Exploit Title: Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF) # Exploit Author: V1n1v131r4 # Date: 2021-09-22 # Vendor Homepage: https://backdropcms.org/ # Software Link: https://github.com/backdrop/backdrop/releases/download/1.20.0/backdrop.zip # Version: 1.20.0 # Tested On: Kali Linux, Ubuntu 20.04 # Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to add new user with Admin powers. # Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file. # Step 1 # Send this page below to the victim

Run on your browser: http://example.com/backdrop/modules/reference/shell.php?cmd=[command] to execute remote commands.