POC details: 29694246716058c21a628d52dc10379b6b3c7b01

Source
Associated vulnerability
Title: CrushFTP security vulnerability (CVE-2025-54309)
Description: CrushFTP is a file transfer server from CrushFTP. CrushFTP versions before 10.8.5 and before 11.3.4_23 contain a security vulnerability caused by improper handling of AS2 validation, which may allow a remote attacker to obtain administrator privileges.
Description
CrushFTP AS2 Authentication Bypass
Introduction
# CVE-2025-54309 CrushFTP Authentication Bypass

## Overview

CVE-2025-54309 is an authentication bypass vulnerability in CrushFTP that allows unauthorized administrative user creation through AS2 header manipulation.

## Technical Details

### Vulnerability Location
- **File**: `crushftp/server/ServerSessionHTTP.java`
- **Method**: `loginCheckHeaderAuth()` (line 2285)
- **Root Cause**: Improper AS2 header validation logic

### Vulnerable Code
```java
} else if (this.headerLookup.containsKey("as2-to".toUpperCase())) {
    if (this.headerLookup.getProperty("as2-to".toUpperCase()).trim().indexOf("-_-") < 0 && !ServerStatus.BG("blank_passwords")) {
        return;  // Authentication bypass occurs here
    }
```

### Exploitation Method
1. Send POST request to `/WebInterface/function/` with empty `AS2-To` header
2. Include `setUserItem` command in request body
3. Server bypasses authentication due to missing `-_-` delimiter in AS2-To header
4. Administrative user gets created without proper authentication
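A defender-side triage heuristic for the pattern above, added here as an example and not part of the PoC repository: it mirrors the header check in `loginCheckHeaderAuth()` to flag requests that would reach the vulnerable branch, run over constructed sample requests (the `HttpRequest` type and the sample values are assumptions).

```python
# Added example (not from the PoC repository): a request-triage heuristic modelled on the
# vulnerable branch of loginCheckHeaderAuth(). CrushFTP upper-cases header names before the
# lookup; a present AS2-To value lacking "-_-" is the bypass condition (the blank_passwords
# setting is assumed to be off, as in the vulnerable check).
from dataclasses import dataclass, field

DELIMITER = "-_-"
FUNCTION_PATH = "/WebInterface/function/"   # endpoint named in the exploitation steps

@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

def get_header(req: HttpRequest, name: str):
    """Case-insensitive lookup, mirroring headerLookup.containsKey(name.toUpperCase())."""
    wanted = name.upper()
    return next((v for k, v in req.headers.items() if k.upper() == wanted), None)

def classify(req: HttpRequest) -> list:
    """Indicators that the request reaches the vulnerable return; [] if it cannot.

    No AS2-To header, or a well-formed "x-_-y" value, never enters that branch, so such
    requests are not flagged even when they post to the function endpoint."""
    as2_to = get_header(req, "AS2-To")
    if as2_to is None or DELIMITER in as2_to.strip():
        return []
    findings = ["AS2-To header present without '-_-' delimiter"]
    if req.method.upper() == "POST" and req.path.startswith(FUNCTION_PATH):
        findings.append("POST to /WebInterface/function/")
    if "setUserItem" in req.body:
        findings.append("setUserItem command in body")
    return findings

def scan(requests: list) -> list:
    """Return (index, findings) for every request that trips the heuristic."""
    return [(i, classify(r)) for i, r in enumerate(requests) if classify(r)]

# Constructed sample traffic (not captured data).
SAMPLES = [
    HttpRequest("POST", "/", {"AS2-To": "partner-_-inbox"}, "<mdn/>"),   # legitimate AS2
    HttpRequest("POST", FUNCTION_PATH, {"Cookie": "CrushAuth=x"}, "command=getUserList"),
    HttpRequest("POST", FUNCTION_PATH, {"as2-to": ""}, "command=setUserItem"),  # bypass pattern
    HttpRequest("GET", "/WebInterface/", {"AS2-TO": "probe"}),           # header-only probe
]
```

Requests 2 and 3 of the constructed set are flagged; a real deployment would feed parsed access-log or reverse-proxy records into `classify()` and alert on the full three-indicator match.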

## Affected Versions
- CrushFTP 10.x < 10.8.5
- CrushFTP 11.x < 11.3.4_23

## Shodan query
- `http.server_hash:525710691,-1319113083,2114359341,1401270286,-608770667`
- `http.favicon.hash:-1022206565`
- `"/WebInterface/w3c/p3p.xml"`

## Google dorks
- `intitle:"CrushFTP WebInterface"`
- `inurl:"/WebInterface/login.html"`

## Usage

```bash
python3 cve_2025_54309.py <target_url> [-u username] [-p password] [-v]
```

### Examples
```bash
# Basic exploitation
python3 cve_2025_54309.py http://crushftp.example.com:8080

# Custom credentials
python3 cve_2025_54309.py https://crushftp.example.com -u kali -p kali1

# With login verification
python3 cve_2025_54309.py http://crushftp.example.com -v
```

## Requirements
- Python 3.x
- requests library

## Disclaimer
This tool is for authorized security testing only. Users are responsible for compliance with applicable laws and regulations.
File snapshot

[4.0K] /data/pocs/29694246716058c21a628d52dc10379b6b3c7b01
├── [5.3K] cve_2025_54309.py
├── [1.0K] LICENSE
├── [1.9K] README.md
└── [5.8K] TECHNICAL.md

0 directories, 4 files
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the POC via the source link first.
    2. If the source has expired or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.