Skip to content

CVE-2024-4040 CrushFTP SSTI LFI & Auth Bypass | Full Server Takeover | Wordlist Support

Notifications You must be signed in to change notification settings

Stuub/CVE-2024-4040-SSTI-LFI-PoC

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
 
 
 
 

Repository files navigation

CVE-2024-4040 SSTI & LFI PoC - Exploitation | CrushFTP

This is a proof of concept for a Server Side Template Injection (SSTI) & Local File Inclusion (LFI) vulnerability in CrushFTP.

Features

Taking leverage of Critical Severity Vulnerabilities in CrushFTP servers through Server Side Template Injection (SSTI) & Authentication Bypassing. Elevating this exploit to a Local File Inclusion (LFI)! This PoC exploit serves a purpose in automating the detection of the vulnerability within sFTP servers hosting CrushFTP, as well as the exploitation!

Step Through the Code:

  • Generation of anonymous session tokens
  • Utilising these tokens to perform SSTI and create our own entry-points!
  • Calling our SSTI endpoints and escaping out of their context to request any local resource on a target machine!

After doing a little bit of Google dorking, i found there is currently over 7000 publicly accessible CrushFTP portals live today! 😬 This CVE was only disclosed 6 days ago, need i say anymore...

Usage

python3 crushed.py -t https://target.com

For Specifying your own LFI path, use -l or --lfi argument:

python3 crushed.py -t https://target.com -l /etc/passwd

Provide your own wordlist to perform LFI with -w or --wordlist. Works with -l option too.

python3 crushed.py -t https://target.com -w /lfiwordlist.txt

Example

image

Cookie Stealing from Authenticated Sessions - Post-LFI

After obtaining the vulnerable servers sessions.obj file, we are able to extract the session tokens of other users, taking the severity of this vulnerability even higher now with a risk of Account or Server takeover.

image

image

Automating the validation of extracted tokens

Once we obtain our tokens from the sessions.obj file, the script will then test the token combinations against the target. Target endpoint is /WebInterface/function?command=getUsername&c2f={current_auth_token}, passing both tokens in the request header.

image

Documentation

This vulnerability is a VFS sandbox escape in the CrushFTP managed file transfer service that allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox

Server-Side Template Injection (SSTI) in CrushFTP allows an attacker to execute arbitrary code on the server by abusing the "zip" function in the WebInterface.

Affecting CrushFTP versions below 10.7.1 and 11.1.0 (as well as legacy 9.x versions)

Google Dork:

intitle:"CrushFTP WebInterface" inurl:/WebInterface/login.html

Shodan Dork:

http.favicon.hash:-1022206565

References

https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis

https://ethicalhacking.uk/cve-2024-4040-a-critical-crushftp-server-side-template-injection/#gsc.tab=0

Disclaimer

This tool is purely for ethical and educational purposes only. Use responsibly.