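CVE-2025-54309 PoC — CrushFTP Security Vulnerability

Related vulnerability
Title: CrushFTP Security Vulnerability (CVE-2025-54309)
Description: CrushFTP is a file transfer server from CrushFTP. CrushFTP versions before 10.8.5 and before 11.3.4_23 contain a security vulnerability caused by improper handling of AS2 validation, which may allow a remote attacker to obtain administrator privileges.
Introduction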
# CVE-2025-54309__Enhanced_exploit

This is an enhanced version of the exploit PoC originally created by **watchtowrlabs**: https://github.com/watchtowrlabs/watchTowr-vs-CrushFTP-Authentication-Bypass-CVE-2025-54309 (massive shoutout to them!!)

This exploit is meant for research and education purposes, and the mentioned vulnerability has already been patched by CrushFTP.

This version of the exploit can add an administrative user to the CrushFTP instance and can also verify the existing users.


Key Features:

- Race Condition Implementation: Uses high-concurrency threading to exploit the timing window
- XML Payload Generation: Creates proper user creation payloads with admin privileges
- Session Management: Handles CrushAuth and currentAuth cookies
- Verification: Optional login verification to confirm user creation
- HTB Optimized: Designed specifically for penetration testing labs

The script implements the exact attack pattern discovered by watchTowr's honeypot network and should work against vulnerable CrushFTP instances (versions 10 before 10.8.5 and 11 before 11.3.4_23) in an authorized environment.

Important: This script is designed exclusively for authorized penetration testing in controlled environments like HackTheBox labs or authorized instances. The race condition requires multiple threaded attempts to succeed, so you may need to run it several times or adjust the thread count based on your target's responsiveness.

```
# Basic usage
python3 exploit.py https://your-crushftp-target:8443

# Custom username/password
python3 exploit.py https://your-crushftp-target:8443 -u myhtbuser -p MyPassword123

# With verification
python3 exploit.py https://your-crushftp-target:8443 --verify

# Adjust threading for better success rate
python3 exploit.py https://your-crushftp-target:8443 -t 100 -i 200
```
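For defenders, the affected ranges stated above (10.x before 10.8.5 and 11.x before 11.3.4_23) can be checked against an asset inventory. The following is an added example, not part of the original README or the watchTowr project; the function names, the sample inventory, and the assumption that version strings look like `MAJOR.MINOR.PATCH[_BUILD]` (with a missing build treated as 0) are all illustrative.

```python
import re

# Fixed releases as stated on this page: 10.8.5 and 11.3.4_23.
FIXED = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\s*$")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[_BUILD]' into a 4-tuple of ints.

    Assumption: a missing _BUILD suffix is treated as build 0, so
    '11.3.4' sorts before '11.3.4_23'.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def triage(text):
    """Return 'affected', 'fixed', or 'not-covered' for one version string."""
    version = parse_version(text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        # The page only names the 10.x and 11.x branches.
        return "not-covered"
    return "affected" if version < fixed else "fixed"


def triage_inventory(inventory):
    """Map {host: version} to {host: status}; unparseable versions need review."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = triage(version)
        except ValueError:
            result[host] = "needs-review"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "ftp-a.example.internal": "10.8.4",
    "ftp-b.example.internal": "11.3.4_22",
    "ftp-c.example.internal": "11.3.4_23",
    "ftp-d.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `needs-review` or `not-covered` still need a manual check, since the page gives no information about branches other than 10.x and 11.x.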


<img width="740" height="690" alt="image" src="https://github.com/user-attachments/assets/fa8d3c76-c26d-4d83-a64f-69f118d6e0ac" />
