NavigateCMS 2.9.1 Remote Code Execution Analysis @Enesdex

Hello friends, today's 0day is a NavigateCMS RCE. The protection on the extension file upload isn't sufficient, which allows us to upload a shell and then execute OS commands.

There is an extension upload section in the admin panel.

We can upload extensions for NavigateCMS (Votes is the default one), but the uploaded file must be a zip file. If it doesn't match, the file won't be uploaded.

/lib/packages/extension.class.php

As you can see, only a zip file is accepted, checked by both MIME type and file extension. Okay, but this zip file must contain exactly four files:

extensionname.php, extensionname.plugin, extensionname.html, thumbnail.png

Then we archive these four files into extensionname.zip.

First, download a thumbnail, and create extensionname.plugin and extensionname.html (the plugin and HTML files cannot be empty, so I modified a default plugin's files). Let's get to the most important file, which is the PHP file.

Since uploading a PHP file is expected, there are some checks on the content of the PHP file.

Here we can see the prohibited strings for the PHP file. So if we try to upload a PHP file like this,

the website will say "Security error", because when we upload the zip file containing this PHP file, it is checked for these prohibited strings.

But I found a bypass.

If we write our PHP file like this,

when we visit this PHP file after upload, it creates a new file containing system($_GET['cmd']); which is our shell. As you remember, only certain strings are blocked, such as 'system(' (system followed by an opening parenthesis), but what we do is:

First, we write "system" without the parenthesis, and the remaining part is held in a variable; then we combine both, so the new file (exploit.php) contains system($_GET['cmd']). The website allows us to upload this file because we never wrote a prohibited string.
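The weakness above is that the check looks for substrings of raw source text. As an added example (not NavigateCMS code), this PHP check inspects tokens instead, so a function name that has been separated from its parenthesis is still caught; the function names, the DANGEROUS list and the sample input are constructed for illustration.

```php
<?php
// Added example, not NavigateCMS code: a token-based review of an uploaded
// extension's PHP source. A substring blacklist such as "system(" is defeated
// by separating the function name from the parenthesis, so this check looks
// at PHP tokens instead and flags:
//   (a) a bare identifier or string literal naming a dangerous function,
//   (b) any call through a variable ($f(...)), which a plugin never needs,
//   (c) eval, which is its own token in PHP.
// The constant, function and variable names here are hypothetical.
const DANGEROUS = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open', 'assert'];

function checkExtensionSource(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue;               // single-character token such as '(' or ';'
        }
        [$id, $text, $line] = $tok;
        if ($id === T_STRING || $id === T_CONSTANT_ENCAPSED_STRING) {
            $name = strtolower(trim($text, "'\""));   // strip quotes from literals
            if (in_array($name, DANGEROUS, true)) {
                $findings[] = "line $line: reference to '$name'";
            }
        } elseif ($id === T_VARIABLE) {
            $j = $i + 1;            // skip whitespace between $var and '('
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j < $n && $tokens[$j] === '(') {
                $findings[] = "line $line: call through variable $text";
            }
        } elseif ($id === T_EVAL) {
            $findings[] = "line $line: eval";
        }
    }
    return $findings;
}

// Constructed sample of the split-name pattern described in the post:
// the name is a string literal and the call goes through a variable.
$sample = "<?php\n\$f = 'system';\n\$f(\$input);\n";
var_dump(strpos($sample, 'system(') === false);   // the substring check alone lets this through
print_r(checkExtensionSource($sample));           // the token check reports both lines
```

This is only one extra layer, since any blacklist on source text remains incomplete; the durable mitigations are disable_functions for the web server's PHP process and treating extension upload rights as equivalent to code execution on the host.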

Now, after creating a zip file containing these four files, we upload it (my zip file is named ext.zip and the other files share that name).

After uploading, if you go to http://IP/plugins/

we can see that ext.zip has been extracted into the plugins directory.

So I went to the /ext directory and opened the PHP file we uploaded within the zip file; the code we wrote is executed and exploit.php is created.

Then I went to exploit.php?cmd=whoami, and RCE is confirmed.

Thanks for reading my blog post. If you have any questions, contact me on Twitter; for ext.zip you can check my GitHub.

https://twitter.com/Enesdex

https://github.com/Enesdex/Exploits

Hacker, Security Researcher, Exploit Developer