SQL Injection in login.php in Naviwebs Navigate CMS 2.8 allows remote malicious users to bypass authentication via the navigate-user cookie.
This module exploits insufficient sanitization in the database::protect method of Navigate CMS versions 2.8 and prior to bypass authentication. The module then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations. Together these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely. This module was tested against Navigate CMS 2.8.
msf > use exploit/multi/http/navigate_cms_rce
msf exploit(navigate_cms_rce) > show targets
    ...targets...
msf exploit(navigate_cms_rce) > set TARGET <target-id>
msf exploit(navigate_cms_rce) > show options
    ...show and set options...
msf exploit(navigate_cms_rce) > exploit
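
Detection logic for the two weaknesses described above, as an added example that is not part of the Metasploit module or of Navigate CMS: it flags a navigate-user cookie that falls outside a plain token format, and traversal sequences in requests to navigate_upload.php. The token format, the name parameter, the /navigate/ paths and the record layout are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: a legitimate navigate-user value is a plain token; tune to your install.
SAFE_COOKIE = re.compile(r"[A-Za-z0-9_-]{1,128}")
# ".." as a whole path segment, with either slash style.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed records (not real traffic); "name" is a hypothetical parameter.
SAMPLE = [
    {"url": "/navigate/login.php", "cookie": "PHPSESSID=a1b2c3; navigate-user=4f9d2c7a"},
    {"url": "/navigate/login.php", "cookie": "navigate-user=x%27%20--%20"},
    {"url": "/navigate/navigate_upload.php?name=..%2F..%2Fdemo.php", "cookie": "PHPSESSID=a1b2c3"},
    {"url": "/navigate/navigate_upload.php?name=photo.jpg", "cookie": "PHPSESSID=a1b2c3"},
]

def parse_cookies(header):
    """Split a Cookie header into {name: url-decoded value}."""
    pairs = (p.split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): unquote(v.strip()) for k, v in pairs}

def findings(rec):
    """Return a list of reasons this request record looks suspicious."""
    out = []
    url = urlsplit(rec["url"])
    script = url.path.rsplit("/", 1)[-1]
    value = parse_cookies(rec.get("cookie", "")).get("navigate-user")
    # The cookie is checked on every request, not only on login.php.
    if value is not None and not SAFE_COOKIE.fullmatch(value):
        out.append("navigate-user cookie outside expected token format")
    if script == "navigate_upload.php":
        # Only the query string is inspected; body parameters need the same
        # check wherever request bodies are logged.
        for key, val in parse_qsl(url.query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double encoding.
            if TRAVERSAL.search(unquote(val)):
                out.append(f"path traversal sequence in parameter {key!r}")
    return out

def scan(records):
    """Return (record index, reason) for every finding."""
    return [(i, f) for i, rec in enumerate(records) for f in findings(rec)]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE):
        print(idx, SAMPLE[idx]["url"], "->", reason)
```

Cookie headers are not written to most default access logs, so the cookie check needs a WAF, reverse proxy or application log that records them.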