Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

CrushFTP Server-Side Template Injection RCE

Identifiers: CVE-2024-4040 · CWE-1336 · Improper Neutralization of Special…

CVE-2024-4040 is a critical server-side template injection vulnerability in CrushFTP affecting all versions before 10.7.1 and 11.1.0 on all platforms. The flaw enables an attacker to inject template content in a server-side context and escape CrushFTP’s virtual file system (VFS) sandbox. Successful exploitation allows unauthenticated remote attackers to read files from the underlying filesystem outside the intended VFS restrictions, bypass authentication, gain administrative access, and ultimately execute arbitrary code on the server. The issue has also been described as a VFS sandbox escape and was reported as actively exploited in the wild.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in full compromise of the CrushFTP server. The attacker can read sensitive files outside the VFS sandbox, bypass authentication controls, obtain administrative privileges, and execute arbitrary code or commands on the host. This creates severe confidentiality, integrity, and availability impact, including theft of managed data, credential or configuration exposure, malware deployment, persistence, and broader system takeover.

Mitigation

If you can’t patch tonight, do this now.

Primary mitigation is patching; the available advisories do not support relying on workarounds alone. One source notes that deployments with a DMZ in front of the main instance were reported by the vendor as protected, but the advisory material explicitly states that DMZ placement alone is insufficient and that immediate updating is required. Until patching is complete, reduce exposure of the CrushFTP web interface, restrict access to trusted networks where possible, increase monitoring of CrushFTP session logs for exploitation indicators, and prepare for incident response. Patching does not remove attacker persistence or undo a prior compromise.

Remediation

Patch, then assume compromise.

Upgrade CrushFTP to a fixed release immediately. The advisories state the vulnerability is fixed in CrushFTP 10.7.1 and later and 11.1.0 and later. For environments still on v9, customers were urged to upgrade to v11 or update via the dashboard. Because the vulnerability was actively exploited, remediation should include not only patching but also a post-patch compromise assessment: review administrative accounts, suspicious file access, server logs, and signs of code execution or persistence.
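As an added example (not Mallory's code and not CrushFTP's), the two checks the mitigation and remediation paragraphs call for: a version test against the fixed releases named above, and a scan of web-interface request logs for the request shape the public exploits on this page use (the `<INCLUDE>` template tag in the `path`/`paths` parameter of `/WebInterface/function/` or `/WebInterface/login.html`, and reads of `sessions.obj` or `users/MainUsers/groups.XML`). The sample log lines are constructed in a generic `client METHOD url status` form; that format, and the helper names `parse_version`, `is_affected_version`, `classify` and `scan`, are assumptions of this example, not CrushFTP's real log layout or API, so adapt `LOG_RE` to whatever your reverse proxy or CrushFTP logs actually emit.

```python
"""Defensive helpers for CVE-2024-4040 (CrushFTP SSTI / VFS sandbox escape).

Added example, not Mallory's or CrushFTP's code. Assumptions:
- fixed releases are 10.7.1+ and 11.1.0+ (from the advisories); 12+ is assumed fixed
- SAMPLE_LOG is CONSTRUCTED in a generic "client METHOD url status" shape,
  not CrushFTP's real log format; adapt LOG_RE to your own logs
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# First fixed (minor, patch) per major line, from the advisory text on this page
FIXED = {10: (7, 1), 11: (1, 0)}


def parse_version(version: str) -> tuple:
    """Turn '10.7.1', '11.0', 'v9.5.2' into a 3-tuple of ints (missing parts are 0)."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version: str) -> bool:
    """True when the version predates the fixed release for its major line."""
    major, minor, patch = parse_version(version)
    if major < 10:
        return True  # legacy 9.x and older: no fixed release in that line, upgrade to v11
    if major in FIXED:
        return (minor, patch) < FIXED[major]
    return False  # assumption: later major versions post-date the fix


# Indicators taken from the exploit descriptions on this page
INDICATORS = (
    re.compile(r"<INCLUDE>", re.I),               # template tag injected into the path parameter
    re.compile(r"sessions\.obj", re.I),           # session store read for token harvesting
    re.compile(r"users/MainUsers/groups\.XML", re.I),  # file used as a vulnerability check
)
SUSPECT_PATHS = ("/WebInterface/function/", "/WebInterface/login.html")

# Constructed generic log shape: "<client> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3})$")


def classify(line: str):
    """Return {'src', 'hits'} for a suspicious request line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    if not any(url.path.startswith(p) for p in SUSPECT_PATHS):
        return None
    params = parse_qs(url.query)  # parse_qs already percent-decodes once
    hits = []
    for key in ("path", "paths"):
        for value in params.get(key, []):
            decoded = unquote(value)  # second pass catches double-encoded payloads
            for pattern in INDICATORS:
                if pattern.search(decoded):
                    hits.append(f"{key}: {pattern.pattern}")
    return {"src": m["src"], "hits": hits} if hits else None


def scan(log_text: str) -> list:
    """Run classify() over every line and keep only the suspicious ones."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


# CONSTRUCTED sample: two exploit-shaped requests, one benign API call, one static asset
SAMPLE_LOG = """\
203.0.113.5 GET /WebInterface/function/?command=zip&path=%3CINCLUDE%3Esessions.obj%3C/INCLUDE%3E 200
198.51.100.7 GET /WebInterface/function/?command=getUserInfo 200
192.0.2.9 POST /WebInterface/login.html?paths=%3CINCLUDE%3Eusers/MainUsers/groups.XML%3C/INCLUDE%3E 200
10.0.0.3 GET /WebInterface/jQuery/css/style.css 200
"""

if __name__ == "__main__":
    for v in ("9.5.2", "10.7.0", "10.7.1", "11.0.3", "11.1.0"):
        print(f"{v}: {'AFFECTED' if is_affected_version(v) else 'fixed'}")
    for hit in scan(SAMPLE_LOG):
        print(f"suspicious request from {hit['src']}: {', '.join(hit['hits'])}")
```

Two design points: the version test is deliberately per major line, because 10.8 is newer than 10.7.1 and fixed while 11.0.x is newer still and not, so a plain "is it below 11.1.0" check would misclassify both; and the log scan keys on the template tag and file names rather than on `command=zip`, since the descriptions above show the same injection reaching `login.html` and other commands.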
PUBLIC EXPLOITS

Exploits

8 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).

Valid: 8 / 11 total

CVE-2024-4040 · Maturity: PoC · Verified exploit

Repository contains a single Python exploit script (`CVE-2024-4040.py`) plus a README describing CVE-2024-4040 in CrushFTP. The script performs an unauthenticated network attack against a target base URL: it first fetches cookies from the server (expects `currentAuth`), then calls the CrushFTP WebInterface `function` endpoint with `command=zip` and a crafted `path=<INCLUDE>sessions.obj</INCLUDE>` parameter to read the server’s `sessions.obj` file (file read / sandbox escape). It parses the returned content with regexes to extract candidate session identifiers and derives a `CrushAuth` token (`17<11 digits>_<30 alnum>`). For each token, it sends a POST to `/WebInterface/function/` with `command=getUserInfo` and cookies `currentAuth` + `CrushAuth` to verify whether the token is valid; if valid, it prints the associated `<user_name>` and indicates the token can be used to log in (auth bypass). The script then loops every 30 seconds to re-read `sessions.obj` and report newly observed tokens. No backdoor upload or RCE stage is implemented here (README notes this is omitted), so the primary capability is token harvesting + account takeover via session reuse.

dhammerg · Disclosed Apr 30, 2024 · python · network

CrushFTP-CVE-2024-4040-illdeed · Maturity: PoC · Verified exploit

This repository provides a Python proof-of-concept exploit for CVE-2024-4040, a critical authentication bypass vulnerability in CrushFTP v10.x and below. The main file, CVE-2024-4040.py, implements the exploit logic: it generates a forged 'CrushAuth' cookie and a spoofed AWS-style 'Authorization' header, then sends a POST request to the CrushFTP WebInterface endpoint to bypass authentication. The exploit requires a valid username (default: 'crushadmin') and the target's base URL. If successful, it retrieves the username from the server, confirming the vulnerability. The repository includes a README with usage instructions, vulnerability details, and example output, as well as an MIT license. The exploit is network-based, targeting the HTTP interface of CrushFTP, and is intended for authorized security testing only.

ill-deed · Disclosed Jul 4, 2025 · python · network

GenCrushSSTIExploit · Maturity: PoC · Verified exploit

This repository contains a single Python exploit script (GenCrushSSTIExploit.py) targeting the CrushFTP SSTI vulnerability (CVE-2024-4040). The script establishes a session with a target CrushFTP server, extracts authentication cookies, and exploits a server-side template injection (SSTI) vulnerability via crafted HTTP requests to the /WebInterface/function/ endpoint. The exploit can leak server information, bypass authentication, and extract arbitrary files (such as /etc/passwd) from the server. The script is a proof-of-concept (PoC) and requires the user to specify the target URL and optionally a file to extract. The repository also includes a README with usage instructions, a requirements.txt listing Python dependencies (requests, rich), and an MIT license. The exploit is not part of a framework and is intended for educational and ethical testing purposes only.

geniuszly · Disclosed Sep 30, 2024 · python · network

CVE-2024-4040 · Maturity: PoC · Verified exploit

This repository contains a proof-of-concept exploit for CVE-2024-4040, a server-side template injection vulnerability in CrushFTP (all versions before 10.7.1 and 11.1.0). The exploit is implemented in Python (exploit.py) and allows unauthenticated remote attackers to read arbitrary files from the server's filesystem by abusing the /WebInterface/function/ endpoint. The script works by first obtaining a session cookie from the target, then sending a crafted GET request with a template injection in the 'path' parameter. The README provides usage instructions and context about the vulnerability. The repository is structured simply, with a single exploit script and a README file. No detection or fake code is present; the exploit is functional and demonstrates the file read capability.

rbih-boulanouar · Disclosed Apr 25, 2024 · python · network

CVE-2024-4040 · Maturity: PoC · Verified exploit

This repository provides a Python proof-of-concept exploit for CVE-2024-4040, a server-side template injection vulnerability in CrushFTP (all versions before 10.7.1 and 11.1.0). The exploit allows unauthenticated remote attackers to read arbitrary files from the server's filesystem by sending crafted POST requests to the /WebInterface/login.html endpoint. The main script, CVE-2024-4040.py, accepts a target (single or list) and a file path to fetch, then attempts to exploit the vulnerability by injecting file paths into the 'paths' parameter. The README provides usage instructions and context about the vulnerability. The exploit is a POC and does not include weaponized payloads for remote code execution, but demonstrates file read capability, which could be extended for further exploitation. No hardcoded IPs or domains are present; the target is user-supplied. The repository is structured simply, with the main exploit script, a README, and a requirements file.

gotr00t0day · Disclosed May 3, 2024 · python · network

CVE-2024-4040-SSTI-LFI-PoC · Maturity: PoC · Verified exploit

This repository provides a Python proof-of-concept exploit (crushed.py) for CVE-2024-4040, a critical Server Side Template Injection (SSTI) and Local File Inclusion (LFI) vulnerability in CrushFTP servers. The exploit automates the process of obtaining anonymous session tokens, leveraging them to perform SSTI, and escalating to LFI to read arbitrary files from the server's filesystem. It specifically targets endpoints under /WebInterface/function, using crafted requests to extract sensitive files such as /etc/passwd and users/MainUsers/groups.XML. If the sessions.obj file is obtained, the script can extract and validate session tokens, potentially allowing for account or server takeover. The exploit is designed for use against publicly accessible CrushFTP instances running vulnerable versions (below 10.7.1, 11.1.0, or legacy 9.x). The repository consists of a single exploit script and a README.md with detailed usage instructions, attack explanation, and references. The exploit is a POC and does not include weaponized payloads, but demonstrates the full attack chain from initial access to session hijacking.

Stuub · Disclosed Apr 25, 2024 · python · network

CVE-2024-4040-CrushFTP-File-Read-vulnerability · Maturity: PoC · Verified exploit

This repository provides a Python-based exploit for CVE-2024-4040, a file read vulnerability in CrushFTP servers (versions below 10.7.1, 11.1.0, and legacy 9.x). The repository contains three files: a detailed README.md, the main exploit script (exploit.py), and a secondary detection script (xdetection.py). The main exploit script (exploit.py) allows an attacker to:

- Read arbitrary files from the target server by exploiting the vulnerable /WebInterface/function/ endpoint.
- Extract admin session tokens by downloading and parsing the 'sessions.obj' file from the server.
- Check if a target is vulnerable by attempting to read 'users/MainUsers/groups.XML'.

The exploit works by sending crafted POST requests to the CrushFTP WebInterface endpoints, leveraging the vulnerability to bypass normal file access controls. The detection script (xdetection.py) is a simplified version that only checks for vulnerability by attempting to read a known file. The exploit is operational, providing real file read and token extraction capabilities, and is not just a proof-of-concept. No hardcoded payloads are used; the attacker specifies the target and file paths. The attack vector is network-based, requiring access to the CrushFTP WebInterface. The repository is well-structured, with clear usage instructions and modular code.

jakabakos · Disclosed May 1, 2024 · python · markdown · network

CVE-2024-4040 · Maturity: PoC · Verified exploit

This repository provides a full exploit chain for CVE-2024-4040, a critical vulnerability in CrushFTP that allows unauthenticated remote code execution (RCE). The exploit consists of several components:

- `exploit.py`: The main exploit script, written in Python, automates the attack. It checks if the target is vulnerable, retrieves user configuration files (such as user.XML), extracts and decrypts passwords, and can trigger RCE by uploading and leveraging a malicious JAR file. It interacts with the CrushFTP web interface endpoints, particularly `/WebInterface/function/` and `/WebInterface/login.html`.
- `decrypt.java`: A Java utility to decrypt passwords extracted from the configuration files, using a hardcoded key and DES decryption.
- `NonRegisteringDriver.java`: A modified MySQL JDBC driver that, when loaded by the target's testDB functionality, executes arbitrary system commands provided as a base64-encoded string in the db_user parameter. This is the core of the RCE payload.
- `README.md`: Provides detailed instructions (in both Chinese and English) on setting up a vulnerable CrushFTP instance, using the exploit, and the full attack flow, including uploading the malicious JAR and achieving RCE.

The exploit chain works by first reading sensitive files to obtain credentials, then uploading a malicious JDBC driver, and finally abusing the testDB feature to execute arbitrary commands. The repository is operational and provides all necessary components for a successful attack, including code for both exploitation and post-exploitation (password decryption). The main attack vector is network-based, targeting the CrushFTP web interface. Several fingerprintable endpoints and file paths are used throughout the attack.

entroychang · Disclosed Jul 5, 2024 · python · java · network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor   | Product  | Type
Crushftp | Crushftp | application

Vendor-confirmed product mapping.
