CVE-2024-4040 SSTI & LFI PoC - Exploitation | CrushFTP

This is a proof of concept for a Server Side Template Injection (SSTI) & Local File Inclusion (LFI) vulnerability in CrushFTP.

Features

Leverages critical-severity vulnerabilities in CrushFTP servers through Server Side Template Injection (SSTI) and authentication bypass, elevating the exploit to a Local File Inclusion (LFI)! This PoC automates both the detection of the vulnerability on servers hosting CrushFTP and its exploitation.

Step Through the Code:

  • Generation of anonymous session tokens
  • Utilising these tokens to perform SSTI and create our own entry-points!
  • Calling our SSTI endpoints and escaping out of their context to request any local resource on a target machine!

After a little bit of Google dorking, I found there are currently over 7000 publicly accessible CrushFTP portals live today! 😬 This CVE was only disclosed 6 days ago, need I say any more...

Usage

python3 crushed.py -t https://target.com

To specify your own LFI path, use the -l or --lfi argument:

python3 crushed.py -t https://target.com -l /etc/passwd

Provide your own wordlist for the LFI with -w or --wordlist. This works together with the -l option too.

python3 crushed.py -t https://target.com -w /lfiwordlist.txt

Cookie Stealing from Authenticated Sessions - Post-LFI

After obtaining the vulnerable server's sessions.obj file, the session tokens of other users can be extracted, raising the severity of this vulnerability even higher with the risk of account or server takeover.

Documentation

This vulnerability is a VFS sandbox escape in the CrushFTP managed file transfer service that allows remote attackers with low privileges to read files from the filesystem outside of the VFS sandbox.

Server-Side Template Injection (SSTI) in CrushFTP allows an attacker to execute arbitrary code on the server by abusing the "zip" function in the WebInterface.

Affects CrushFTP versions below 10.7.1 and 11.1.0 (as well as legacy 9.x versions).
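As an added defensive example (not part of this PoC or of CrushFTP itself), the following Python checks a reported CrushFTP version against the affected range stated above and flags access-log requests that invoke the WebInterface zip function against the files this page names (sessions.obj, /etc/passwd). The combined log format, the sample lines and the /WebInterface/function/ endpoint path are assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Fixed releases stated in the README: 10.7.1 and 11.1.0. Every legacy 9.x build is affected.
FIXED_BY_MAJOR = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn strings such as '10.6.2' or '11.0' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    if not parts:
        raise ValueError(f"no version number in {version!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str) -> bool:
    """True when the version is inside the range the page calls vulnerable."""
    parsed = parse_version(version)
    if parsed[0] <= 9:
        return True                      # all legacy 9.x builds
    fixed = FIXED_BY_MAJOR.get(parsed[0])
    if fixed is None:
        return False                     # branches newer than 11.x are outside the stated range
    return parsed < fixed


# Constructed access-log lines (combined log format assumed; not from any real host). The
# /WebInterface/function/ endpoint is assumed to be where the "zip" command is invoked.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Apr/2024:10:01:02 +0000] "POST /WebInterface/function/?command=zip&path=/etc/passwd HTTP/1.1" 200 512
203.0.113.10 - - [22/Apr/2024:10:01:05 +0000] "GET /WebInterface/function/?command=zip&path=../sessions.obj HTTP/1.1" 200 4096
198.51.100.7 - - [22/Apr/2024:10:02:00 +0000] "GET /WebInterface/login.html HTTP/1.1" 200 1024
198.51.100.7 - - [22/Apr/2024:10:02:09 +0000] "POST /WebInterface/function/?command=zip&path=/reports/q1.pdf HTTP/1.1" 200 300
"""

# Files the page names as read through the LFI; sessions.obj holds other users' session tokens.
SENSITIVE_MARKERS = ("sessions.obj", "/etc/passwd")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_requests(lines: Iterable[str]) -> List[str]:
    """Return request targets that call the zip function against a sensitive path."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and "command=zip" in m.group(1) and any(s in m.group(1) for s in SENSITIVE_MARKERS):
            hits.append(m.group(1))
    return hits
```

Run the version check against the banner or admin page of each CrushFTP instance in inventory, and feed real access logs into flag_requests to find reads of sessions.obj that would warrant rotating every active session.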

Shodan Dork:

http.favicon.hash:-1022206565

References

https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis

Disclaimer

This tool is purely for ethical and educational purposes only. Use responsibly.

Contributors

stuub
