CVE-2020-9470 PoC — Wing FTP Server Security Vulnerability

Source
Associated Vulnerability
Title: Wing FTP Server Security Vulnerability (CVE-2020-9470)
Description: An issue was discovered in Wing FTP Server 6.2.5 before February 2020. Due to insecure permissions when handling session cookies, a local user may view the contents of the session and session_admin directories, which expose active session cookies within the Wing FTP HTTP interface and administration panel. These cookies may be used to hijack user and administrative sessions, including the ability to execute Lua commands as root within the administration panel.
Description
Wing FTP Server 6.2.5 - Privilege Escalation
Readme
## What's this
Wing FTP Server 6.2.5 - Privilege Escalation

## Introduction
A weakness in the handling of HTTP sessions within Wing FTP Server allows any local user to escalate privileges to root on Linux, macOS, and Solaris. Exploitation is contingent on an already-established administrative session. Note that version 6.2.5 was released on February 27th, 2020, but this bug was identified, reported, and patched on February 28th, 2020. Some installations of Wing FTP Server showing version 6.2.5 may therefore be vulnerable, while others may not.
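A defensive check for the condition described above, added here as an example (not part of the original README or the PoC): it reports whether the `session` and `session_admin` directories are accessible to local users other than the owner. The install root is an assumption supplied by the caller, since the page gives no path, and only the "other" permission bits are inspected.

```sh
#!/bin/sh
# Added example: audit the session directories named in CVE-2020-9470.
# Assumption: the Wing FTP install root is passed as $1 (the page gives no path).

# mode_of PATH: print octal permission bits (GNU stat, then BSD/macOS stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# other_bits MODE: print the last octal digit, i.e. the "other" permissions.
other_bits() {
    printf '%s\n' "${1#"${1%?}"}"
}

# check_dir DIR: 0 = closed to other users, 1 = exposed, 2 = not found.
check_dir() {
    if [ ! -d "$1" ]; then
        echo "MISSING  $1"
        return 2
    fi
    mode=$(mode_of "$1")
    if [ "$(other_bits "$mode")" -ne 0 ]; then
        echo "EXPOSED  $1 (mode $mode): other local users can access it"
        return 1
    fi
    echo "OK       $1 (mode $mode)"
    return 0
}

# audit_wingftp ROOT: return 1 if either session directory is exposed.
audit_wingftp() {
    rc=0
    for d in session session_admin; do
        st=0
        check_dir "$1/$d" || st=$?
        if [ "$st" -eq 1 ]; then rc=1; fi
    done
    return "$rc"
}

# Run only when an install root is supplied on the command line.
if [ "$#" -gt 0 ]; then
    audit_wingftp "$1"
fi
```

A non-zero exit status means at least one of the two directories grants permissions to other local users.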

## How to use
```
./CVE-2020-9470.sh
```

![exploit](image/exploit.png)
File Snapshot

```
[4.0K] /data/pocs/73d351e5f5d5ba382a083a4cdaba85b78de543d1
├── [4.4K] CVE-2020-9470.sh
├── [4.0K] image
│   └── [ 58K] exploit.png
└── [ 660] README.md

1 directory, 3 files
```