Exploit for Authentication Bypass by Primary Weakness in Crushftp CVE-2025-31161

Name: Exploit for Authentication Bypass by Primary Weakness in Crushftp CVE-2025-31161
Rating: 5 (130 reviews)
2025-05-23 | CVSS 9.8
## https://sploitus.com/exploit?id=7414EEAF-0E0D-57B5-B2D9-DF115E1A0DF8
# CVE-2025-31161 - CrushFTP User Creation Authentication Bypass Exploit

![CrushFTP Logo](https://www.crushftp.com/assets/img/logo/logo.png)

## 📌 Description

This Python exploit targets **CrushFTP** servers vulnerable to **CVE-2025-31161**. The vulnerability allows **unauthenticated user account creation** by sending a crafted XML payload to the WebInterface, potentially resulting in full server compromise.

---

## ⚠️ Disclaimer

> **This tool is intended for educational and authorized security testing only.**  
> Unauthorized use against systems you do not own or have explicit permission to test is **illegal** and unethical.

---

## 🧰 Requirements

- Python 3
- pip3
- Python modules:
  - `requests`
  - `colorama`

### ✅ Install Python3 and pip3

**Debian/Ubuntu:**

```bash
sudo apt update
sudo apt install python3 python3-pip -y
````

**CentOS/RHEL:**

```bash
sudo yum install python3 python3-pip -y
```

**macOS (with Homebrew):**

```bash
brew install python3
```

### ✅ Install Python dependencies

```bash
pip3 install requests colorama
```

---

## 🔧 Usage

```bash
python3 CVE-2025-31161.py --target_host <TARGET_IP> [--port <PORT>] [--target_user <ADMIN>] [--new_user <USERNAME>] [--password <PASSWORD>]
```

### 🔍 Example

```bash
python3 CVE-2025-31161.py --target_host 192.168.1.100 --new_user backdoor --password P@ssw0rd!
```

---

## 🧪 Command-Line Options

| Argument        | Description                           | Default Value               |
| --------------- | ------------------------------------- | --------------------------- |
| `--target_host` | **(Required)** IP or domain of target | —                           |
| `--port`        | Port of CrushFTP WebInterface         | `8080`                      |
| `--target_user` | Admin username (used in payload)      | `crushadmin`                |
| `--new_user`    | Username for new unauthorized account | `AuthBypassAccount`         |
| `--password`    | Password for the new user             | `CorrectHorseBatteryStaple` |

---

## 🖥️ Sample Output

```
[+] Preparing Payloads
  [-] Warming up the target...
  [-] Target is up and running
[+] Sending Account Create Request
  [!] User created successfully!

[+] Exploit Complete! You can now login with:
   [*] Username: AuthBypassAccount
   [*] Password: CorrectHorseBatteryStaple
```

---

## 👨‍💻 Author

**Gaurav Bhattacharjee** (`G4UR4V007`)

---

## 📄 License

This project is licensed under the [MIT License](https://github.com/0xgh057r3c0n/CVE-2025-31161/blob/main/LICENSE).
---