Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4040 PoC — CrushFTP 代码注入漏洞

Source
https://github.com/Mufti22/CVE-2024-4040
Associated Vulnerability
Title:CrushFTP 代码注入漏洞 (CVE-2024-4040)
Description:CrushFTP是一款文件传输服务器。 CrushFTP 10.7.1 和 11.1.0 之前版本存在安全漏洞,该漏洞源于允许低权限的远程攻击者从 VFS 沙箱之外的文件系统读取文件。
Description
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
Readme
# CVE-2024-4040
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
Usage

```
python poc -u https://example.com -p /path/to/file.txt
```
File Snapshot

 [4.0K]  /data/pocs/ab9ae6f3b6c7aea866c3262b69ac0ac5da34308f
├── [1.8K]  poc.py
└── [ 407]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.