CrushFTP Unauthenticated Remote Command Execution Vulnerability
Vulnerability Information
Vulnerability name: CrushFTP Unauthenticated Remote Command Execution Vulnerability
Vulnerability IDs:
- CVE: CVE-2025-54309
Vulnerability type: Command execution
Severity: Critical
Description: CrushFTP is a popular enterprise file transfer solution, widely deployed in corporate environments to transfer and manage files securely, and favoured by many organisations for its ease of use and feature set. According to the exploit author, its DMZ proxy implementation contains a critical security flaw: an unauthenticated attacker can reach the administrator interface over HTTPS POST requests, bypass authentication and execute system commands directly. The stated root cause is incomplete validation in the DMZ proxy's handling of HTTPS requests. By sending a crafted XML-RPC request to the /WebInterface/function/ endpoint, an attacker can trigger command execution on the server without any form of authentication. The result can be full server compromise, data theft and lateral movement inside the network. The exploit README gives the affected range as all CrushFTP releases before 10.7.0. The severity comes from the combination of remote code execution, no authentication requirement and easy automation, which puts exposed systems at very high risk.
Vendor: CrushFTP
Product: CrushFTP
Affected versions: version < 10.7.0 (as stated by the exploit README; see the note under Affected Versions below)
Search syntax: http.favicon.hash:427298725 "CrushFTP", http.html:"CrushFTP", product:"CrushFTP", ssl:"CrushFTP", port:443 "CrushFTP"
Source: https://github.com/issamjr/CVE-2025-54309-EXPLOIT
Type: CVE-2025:github search
Repository files
- LICENSE
- README.md
- exploit.py
- requirements.txt
Source overview
💥 CVE-2025-54309 - CrushFTP Unauthenticated Remote Command Execution Exploit
🚨 Vulnerability Overview
- CVE: CVE-2025-54309
- CVSS: 9.8 (Critical)
- Product: CrushFTP
- Impact: Unauthenticated Remote Command Execution (RCE) over HTTPS
CrushFTP, a popular enterprise file transfer solution, suffers from a critical vulnerability in its DMZ proxy implementation. Missing checks allow external attackers to reach the admin interface via HTTPS POST requests, bypassing authentication and directly invoking system commands.
Technical Breakdown
The vulnerability exists due to incomplete validation in the DMZ proxy's handling of HTTPS requests. By crafting a malicious XML-RPC request to the /WebInterface/function/ endpoint, attackers can trigger system commands on the server without authentication. This flaw allows full server compromise, data theft, and lateral movement.
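A defender reading the description above will want to find this traffic in their own logs before reading about payloads. The script below is an added example, not code from the exploit repository or from CrushFTP: it parses reverse-proxy access-log lines in the common combined format, with the request's Cookie header appended as one extra quoted field (an assumed proxy logging configuration), and summarises per source address the POSTs to /WebInterface/function/ that carry no session cookie. The log lines, IP addresses, the command names in the query strings and the cookie name currentAuth are constructed or assumed for the demo; the ordinary login POST from 192.0.2.9 is included deliberately, because a legitimate login also arrives without a session, so a hit is a triage lead, not proof of exploitation.

```python
"""Hunt access logs for unauthenticated POSTs to CrushFTP's /WebInterface/function/ endpoint.

Added example, not code from the exploit repository or from CrushFTP. Input is the
common 'combined' access-log format with one extra quoted field holding the request's
Cookie header (an assumed reverse-proxy log configuration). Everything marked
'constructed' or 'assumed' below is demo material, not a vendor-documented indicator.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

TARGET_PREFIX = "/WebInterface/function/"   # endpoint named in the vulnerability description
SESSION_COOKIE = "currentAuth"               # assumed session cookie name, used only for the demo

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<cookie>[^"]*)")?$'
)

# Constructed sample: two scripted POSTs with no session from 203.0.113.7, an
# authenticated browser session from 198.51.100.4, and an ordinary login POST
# from 192.0.2.9 (which legitimately has no session cookie yet).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2025:03:14:07 +0000] "POST /WebInterface/function/?command=getUserList HTTP/1.1" 200 812 "-" "python-requests/2.32.3" "-"
203.0.113.7 - - [20/Jul/2025:03:14:09 +0000] "POST /WebInterface/function/?command=setUserItem HTTP/1.1" 200 95 "-" "python-requests/2.32.3" "-"
198.51.100.4 - - [20/Jul/2025:03:15:00 +0000] "POST /WebInterface/function/?command=getUserList HTTP/1.1" 200 810 "https://ftp.example.test/WebInterface/" "Mozilla/5.0" "currentAuth=abcd1234; CrushAuth=1753_ef9a"
198.51.100.4 - - [20/Jul/2025:03:15:01 +0000] "GET /WebInterface/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "currentAuth=abcd1234"
192.0.2.9 - - [20/Jul/2025:03:16:30 +0000] "POST /WebInterface/function/?command=login HTTP/1.1" 200 140 "https://ftp.example.test/WebInterface/login.html" "Mozilla/5.0" "-"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # The API command is carried in the query string; keep it for triage.
    rec["commands"] = parse_qs(urlsplit(rec["path"]).query).get("command", [])
    return rec


def hunt(lines, allowlist=()):
    """Summarise, per source IP, POSTs to the function endpoint that carry no session cookie."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "commands": set(), "uas": set(), "statuses": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].startswith(TARGET_PREFIX):
            continue
        if rec["ip"] in allowlist:
            continue
        if f"{SESSION_COOKIE}=" in (rec["cookie"] or ""):
            continue  # has a session: ordinary authenticated use of the admin API
        h = hits[rec["ip"]]
        h["count"] += 1
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
        h["commands"].update(rec["commands"])
        h["uas"].add(rec["ua"])
        h["statuses"].add(rec["status"])
    return dict(hits)


if __name__ == "__main__":
    for ip, h in hunt(SAMPLE_LOG.splitlines()).items():
        print(ip, h["count"], sorted(h["commands"]), sorted(h["uas"]), h["first"].isoformat())
```

Feed it the proxy log for the CrushFTP virtual host and put known scanners or monitoring hosts in allowlist. The commands column is the useful triage signal: a source that issues user-management commands with no session and a scripting User-Agent deserves immediate attention, while a lone login command is expected traffic.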
Affected Versions:
The exploit README states all CrushFTP versions prior to 10.7.0. The NVD entry for CVE-2025-54309 instead lists CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, and describes the flaw as mishandled AS2 validation when the DMZ proxy feature is not in use, so verify both the affected range and the trigger condition against the vendor advisory before relying on this README's description.
🕵️♂️ Dorks for Hunting CrushFTP Servers
🔎 Shodan Dorks
🦊 Ffuf/Faff Dorks (URL Discovery)
🕷️ Hunter Dorks (Google, Censys, etc.)
⚡ Exploit Features
- Multiple Payloads:
- xml: XML-RPC command injection (default, most reliable).
- cmd_inject: Classic command injection via POST parameters.
- json: JSON-based RCE simulation (if the endpoint supports it).
- file_upload: Simulated arbitrary file write (upload).
- Recon Mode:
- Fingerprints CrushFTP version.
- Scans for interesting endpoints and methods.
- Output Parsing:
- Extracts and highlights command output from responses.
⚡ Exploit Usage
1. Install Dependencies
```bash
pip install -r requirements.txt
```
2. Run the Exploit
```bash
python3 exploit.py <target> [-c <cmd>] [-p <payload>] [--upload-file <filename> --upload-data <data>] [--recon]
```
- <target>: IP or domain of the vulnerable CrushFTP server.
- -c <cmd>: (Optional) Command to execute. Defaults to id.
- -p <payload>: (Optional) Payload type. Options: xml, cmd_inject, json, file_upload (default: xml).
- --upload-file <filename> and --upload-data <data>: Used with the file_upload payload type.
- --recon: Run the endpoint scan and version fingerprint.
Examples:
XML-RPC RCE (default):
```bash
python3 exploit.py 192.168.1.100 -c "uname -a"
```
Command injection via login:
```bash
python3 exploit.py 192.168.1.100 -c "whoami" -p cmd_inject
```
File upload (simulated):
```bash
python3 exploit.py 192.168.1.100 -p file_upload --upload-file "/tmp/pwned.txt" --upload-data "CrushFTP hacked by Issam Junior"
```
Reconnaissance:
```bash
python3 exploit.py 192.168.1.100 --recon
```
3. Output
- Green: Successful exploitation and command output.
- Red: Errors (network issues, non-vulnerable target).
- Yellow: Warnings (unexpected response).
⚠️ Disclaimer
This PoC is for educational purposes only.
Do not use on systems without authorization.
You are solely responsible for your actions.
👤 Author & Socials
- Name: Issam Junior