# CVE-2025-54309 CrushFTP Authentication Bypass
## Overview
CVE-2025-54309 is an authentication bypass vulnerability in CrushFTP that allows unauthorized administrative user creation through AS2 header manipulation.
## Technical Details
### Vulnerability Location
- **File**: `crushftp/server/ServerSessionHTTP.java`
- **Method**: `loginCheckHeaderAuth()` (line 2285)
- **Root Cause**: Improper AS2 header validation logic
### Vulnerable Code
```java
} else if (this.headerLookup.containsKey("as2-to".toUpperCase())) {
    // An AS2-To header is present. The only check applied to it is whether
    // the trimmed value contains the "-_-" delimiter (and whether the
    // blank_passwords setting is off); nothing verifies a credential.
    if (this.headerLookup.getProperty("as2-to".toUpperCase()).trim().indexOf("-_-") < 0
            && !ServerStatus.BG("blank_passwords")) {
        return; // Authentication bypass occurs here: early return, no auth check
    }
}
```
### Exploitation Method
1. Send POST request to `/WebInterface/function/` with empty `AS2-To` header
2. Include `setUserItem` command in request body
3. Server bypasses authentication due to missing `-_-` delimiter in AS2-To header
4. Administrative user gets created without proper authentication
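The request shape described in the steps above is also what a defender wants to alert on. The following is an added detection example, not part of the exploit tool or of CrushFTP: it classifies constructed HTTP request records (the `Request` record format and the sample values are assumptions) by checking for a POST to `/WebInterface/function/` that carries an `AS2-To` header without the `-_-` delimiter, and raises the severity when the body contains `setUserItem`.

```python
"""Flag HTTP requests that match the CVE-2025-54309 bypass pattern.

Added detection example (not part of the original tool). The Request record
and the SAMPLE_REQUESTS below are constructed for illustration; a real
deployment would feed it parsed reverse-proxy or WAF logs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AS2_DELIMITER = "-_-"                 # delimiter the vulnerable check looks for
FUNCTION_PATH = "/WebInterface/function/"
ADMIN_COMMAND = "setUserItem"         # command used to create/modify users


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (CrushFTP upper-cases header names)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify(req: Request) -> Optional[str]:
    """Return "high", "medium" or None for a single request.

    medium: AS2-To present on a function POST but lacking "-_-" (bypass shape)
    high:   the same request also carries the setUserItem command
    """
    if req.method.upper() != "POST" or not req.path.startswith(FUNCTION_PATH):
        return None
    as2_to = _header(req.headers, "AS2-To")
    if as2_to is None:
        return None                                   # AS2 branch never reached
    if AS2_DELIMITER in as2_to.strip():
        return None                                   # well-formed AS2 identifier
    return "high" if ADMIN_COMMAND in req.body else "medium"


def triage(requests: List[Request]) -> List[Tuple[int, str]]:
    """Index and severity of every request that matches the pattern."""
    hits = []
    for index, req in enumerate(requests):
        severity = classify(req)
        if severity is not None:
            hits.append((index, severity))
    return hits


# Constructed sample traffic (not real logs).
SAMPLE_REQUESTS = [
    Request("POST", FUNCTION_PATH, {"AS2-To": ""}, "command=setUserItem"),
    Request("POST", FUNCTION_PATH, {"Cookie": "CrushAuth=placeholder"}, "command=getUserList"),
    Request("POST", FUNCTION_PATH, {"AS2-To": "partnerA-_-partnerB"}, "command=setUserItem"),
    Request("POST", FUNCTION_PATH, {"as2-to": "x"}, "command=getUserList"),
    Request("GET", "/WebInterface/login.html"),
]

if __name__ == "__main__":
    for index, severity in triage(SAMPLE_REQUESTS):
        print(f"request {index}: {severity}")
```

Any hit at "medium" is already worth investigating, since a legitimate AS2 partner identifier is expected to carry the delimiter; "high" hits should be correlated with user-store changes on the server.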
## Affected Versions
- CrushFTP 10.x < 10.8.5
- CrushFTP 11.x < 11.3.4_23
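Comparing a running instance against those two ranges is easy to get wrong because of the `_<build>` suffix (`11.3.4` is older than `11.3.4_23`). The following is an added example, not part of the original tool: it parses version strings in the form shown in the list above (an assumption; other formats raise `ValueError`) and reports whether the version falls inside an affected range.

```python
"""Classify a CrushFTP version string against the affected ranges above.

Added example (not part of the original tool). Assumes the dotted form with an
optional "_<build>" suffix as used in the Affected Versions list.
"""
import re

# First fixed release per major branch, as (major, minor, patch, build).
FIXED_IN = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?$")


def parse_version(text: str):
    """Return (major, minor, patch, build); missing components count as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(group or 0) for group in match.groups())


def status(text: str) -> str:
    """"affected", "fixed", or "not in a listed branch"."""
    version = parse_version(text)
    fixed = FIXED_IN.get(version[0])
    if fixed is None:
        return "not in a listed branch"
    return "affected" if version < fixed else "fixed"


if __name__ == "__main__":
    for sample in ("10.8.4", "10.8.5", "11.3.4", "11.3.4_23", "12.0.0"):
        print(f"{sample:>10}: {status(sample)}")
```

Versions outside the two listed branches are reported as unlisted rather than as safe, because the list above only speaks for 10.x and 11.x.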
## Shodan query
- `http.server_hash:525710691,-1319113083,2114359341,1401270286,-608770667`
- `http.favicon.hash:-1022206565`
- `"/WebInterface/w3c/p3p.xml"`
## Google dorks
- `intitle:"CrushFTP WebInterface"`
- `inurl:"/WebInterface/login.html"`
## Usage
```bash
python3 cve_2025_54309.py <target_url> [-u username] [-p password] [-v]
```
### Examples
```bash
# Basic exploitation
python3 cve_2025_54309.py http://crushftp.example.com:8080
# Custom credentials
python3 cve_2025_54309.py https://crushftp.example.com -u kali -p kali1
# With login verification
python3 cve_2025_54309.py http://crushftp.example.com -v
```
## Requirements
- Python 3.x
- requests library
## Disclaimer
This tool is for authorized security testing only. Users are responsible for compliance with applicable laws and regulations.