CVE-2018-17553 PoC — Naviwebs Navigate CMS Security Vulnerability

Associated Vulnerability
Title: Naviwebs Navigate CMS Security Vulnerability (CVE-2018-17553)
Description: An "Unrestricted Upload of File with Dangerous Type" issue with directory traversal in navigate_upload.php in Naviwebs Navigate CMS 2.8 allows authenticated attackers to achieve remote code execution via a POST request with engine=picnik and id=../../../navigate_info.php.
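
A defender-side check for the request shape in the description above, as an added example (not part of the PoC repository or the original page): it scans access-log lines for a POST to navigate_upload.php with engine=picnik and an id containing a parent-directory segment. The combined log format, the /navigate/ path prefix, the sample lines, and the choice to check both the query string and a form-encoded body are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request field of an Apache/nginx "combined" log line: "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode a few times so double-encoded input (%252e) is unwrapped."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def has_traversal(value):
    """True if any path segment of the value is '..' (either slash style)."""
    return ".." in re.split(r"[\\/]", fully_decode(value))

def flag_request(method, target, body=""):
    """Match the CVE-2018-17553 shape: POST to navigate_upload.php with
    engine=picnik and an id that climbs out of the intended directory.
    Assumption: parameters may arrive in the query string or in a
    form-encoded body, so both are merged and checked."""
    parts = urlsplit(target)
    if method != "POST" or not fully_decode(parts.path).lower().endswith("/navigate_upload.php"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    engines = [v.lower() for v in params.get("engine", [])]
    return "picnik" in engines and any(has_traversal(v) for v in params.get("id", []))

def scan(log_lines):
    """Return the log lines whose request matches the pattern."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and flag_request(m["method"], m["target"]):
            hits.append(line)
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /navigate/navigate_upload.php?engine=picnik&id=..%2F..%2F..%2Fnavigate_info.php HTTP/1.1" 200 0',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "POST /navigate/navigate_upload.php?engine=picnik&id=42 HTTP/1.1" 200 0',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /navigate/navigate_upload.php?engine=picnik&id=../../x.php HTTP/1.1" 200 0',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "POST /navigate/navigate_upload.php?engine=picnik&id=%252e%252e%252fnavigate_info.php HTTP/1.1" 200 0',
]
```

Access logs normally record only the query string, so a form-encoded body has to come from a WAF or reverse-proxy log and be passed as the `body` argument.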
Description
CVE-2018-17553 PoC
Readme
# CVE-2018-17553
CVE-2018-17553 PoC (Navigate CMS version 2.8 and prior)

This proof of concept was put together when working on the Black Pearl box from TCM.  I couldn't find anyone that put out a PoC other than just using Metasploit.  As I'm avoiding Metasploit in my hacking journey to then go back and do everything all over again with it, I whipped this together quickly for anyone else in the same boat.

This PoC assumes that you've already manually exploited CVE-2018-17552 to gain access (or have gained access in some other fashion).

I currently do not have the script performing any validation of your input or error checking of the results spit back out by cURL.  It's up to you to understand what you're doing and to put in a modicum of work if it fails.

Obviously, this requires that you have cURL installed on whatever machine you run this from.

The original intended use was to load a PHP webshell, but realistically, you can upload any file that will then become a PHP page.
File Snapshot

[4.0K] /data/pocs/e60fa991602f50d9db8b233e1071395a92d31e6b
├── [ 34K] LICENSE
├── [1.7K] poc.sh
└── [ 995] README.md

0 directories, 3 files