Wing FTP Server Remote Command Execution Vulnerability
Vulnerability Information
Vulnerability name: Wing FTP Server Remote Command Execution Vulnerability
Vulnerability ID:
- CVE: CVE-2025-47812
Vulnerability type: Command execution
Severity: High
Vulnerability description: Wing FTP Server is a widely used FTP server that runs on several operating systems and is commonly deployed by organizations for file transfer and sharing. Its ease of use and broad feature set make it a frequent choice for day-to-day file management. CVE-2025-47812 is a remote command execution (RCE) vulnerability in its web interface: the username parameter submitted during web authentication is mishandled, and an attacker can inject arbitrary Lua code through it that the server then executes as system commands, giving full remote code execution.
The technical root cause is the handling of NUL (\0) bytes in the username parameter. The server's check of the username stops at the first NUL byte, as a C string would, but the bytes after it are still written into the Lua session file the server creates for that login. When the session is next loaded, the injected Lua runs inside the server process (for example through os.execute or io.popen) with the privileges of the service, which by default runs as root on Linux or SYSTEM on Windows. The bug is a mismatch between two consumers of the same input: one treats it as a NUL-terminated string, the other as a full byte buffer, and neither rejects control bytes.
Exploitation needs a login request that the server accepts: any valid account suffices, and where anonymous FTP login is enabled no credentials are needed at all. A single HTTP request with no user interaction triggers the code execution, which can lead to complete server compromise, leakage of sensitive data, and service disruption, and the attack is easy to automate against many hosts. Versions before 7.4.4 are affected. All users should check their installed version and upgrade to 7.4.4 or later.
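The following Python illustration is added here and is not Wing FTP Server's code or the PoC's code. It models the bug class described above with a hypothetical session-file format: a C-style check that only sees the bytes before the NUL accepts a username whose tail is Lua, while the serializer writes every byte into the Lua file. The hardened variant validates the full byte string and Lua-escapes it. The version parser assumes a banner or release string that contains a dotted version, and the payload shape is a constructed example, not a real capture.

```python
import re

# Added illustration of the CVE-2025-47812 bug class; the session-file layout
# below is hypothetical and not Wing FTP Server's real format.
PATCHED_VERSION = (7, 4, 4)               # first release that fixes the NUL-byte handling
NAME_RE = re.compile(rb"[A-Za-z0-9_.@-]{1,64}")


def parse_version(text):
    """Turn a banner such as 'Wing FTP Server 7.4.3' into a comparable tuple."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in match.groups(default="0"))


def is_affected(text):
    """True for any version older than the patched 7.4.4."""
    return parse_version(text) < PATCHED_VERSION


def cstyle_username_ok(raw):
    """Vulnerable pattern: strlen()-style, only the bytes before the NUL are checked."""
    visible = raw.split(b"\x00", 1)[0]
    return NAME_RE.fullmatch(visible) is not None


def write_session_vulnerable(raw):
    """Vulnerable pattern: the whole buffer, NUL and tail included, is written
    unescaped into the Lua session file (hypothetical layout)."""
    return 'username = "%s"\n' % raw.decode("latin-1")


def hardened_username_ok(raw):
    """Hardened check: the full byte string, with no NUL or other control bytes."""
    if any(b < 0x20 or b >= 0x7F for b in raw):
        return False
    return NAME_RE.fullmatch(raw) is not None


def lua_quote(raw):
    """Serialize bytes as a Lua short string literal, escaping quotes, backslashes
    and control bytes as decimal \\ddd escapes so nothing can close the literal."""
    out = []
    for b in raw:
        if b == 0x22:
            out.append('\\"')
        elif b == 0x5C:
            out.append("\\\\")
        elif b < 0x20 or b >= 0x7F:
            out.append("\\%03d" % b)
        else:
            out.append(chr(b))
    return '"' + "".join(out) + '"'


def write_session_hardened(raw):
    """Reject bad input before it reaches the file, and escape what is accepted."""
    if not hardened_username_ok(raw):
        raise ValueError("rejected username")
    return "username = %s\n" % lua_quote(raw)


# Constructed payload shape: a benign-looking prefix, a NUL, then Lua that
# closes the string literal and calls os.execute on the next line.
PAYLOAD = b'anonymous\x00"\nos.execute("id")\n--'

if __name__ == "__main__":
    print("affected 7.4.3:", is_affected("Wing FTP Server 7.4.3"))
    print("C-style check passes payload:", cstyle_username_ok(PAYLOAD))
    print("hardened check passes payload:", hardened_username_ok(PAYLOAD))
    print(write_session_vulnerable(PAYLOAD))
```

Running the module shows the C-style check accepting the payload and the vulnerable writer emitting `os.execute("id")` as its own line of Lua, while the hardened check refuses the same bytes; the point is that validation and serialization must agree on the length of the input.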
Vendor: Wing FTP Server
Product: Wing FTP Server
Source: https://github.com/ill-deed/WingFTP-CVE-2025-47812-illdeed
Type: CVE-2025: github search
Repository files
- LICENSE
- README.md
Source summary
CVE-2025-47812 - Wing FTP Server RCE Exploit
This repository provides a proof-of-concept exploit for CVE-2025-47812, a remote command execution (RCE) vulnerability in Wing FTP Server. An attacker can inject and execute arbitrary Lua-based system commands by abusing the username parameter during authentication, resulting in full remote code execution.
📌 Exploit Features
- 🔧 Remote execution of custom shell commands
- 🧬 Multiple built-in reverse shell payloads (bash, Python, netcat, etc.)
- 🪪 Automatic UID extraction from Set-Cookie
- 📦 Logs successful UIDs to found_uids.txt
- 🧪 Dry-run mode (no actual requests sent — test your input/output logic safely)
- 🔁 Retry logic on network failure
- 🧹 Cleaner payload formatting and readable output
- ✅ Input validation for IPs, ports, and URLs
- ⚙️ Command-line argument support for automated workflows
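The detection helper below is an added example for defenders and is not part of this repository. It assumes the login handler targeted by the PoC is /loginok.html with a username form field (an assumption, not taken from this README), decodes captured POST bodies while preserving %00, and flags usernames that carry a NUL byte or a Lua process-spawning call. It also scans the text of a Lua session file for the same sinks, which a legitimate session has no reason to contain. The sample requests and session contents are constructed for the demo.

```python
from urllib.parse import unquote_to_bytes

# Added detection example, not the PoC's code. Assumptions: the web login
# handler is /loginok.html and the form field is "username"; LUA_SINKS are
# process-spawning or code-loading calls that should never appear in a
# session file written by the server.
LOGIN_PATHS = ("/loginok.html",)
LUA_SINKS = ("os.execute", "io.popen", "loadstring", "dofile")


def decode_form(body):
    """Decode an x-www-form-urlencoded body into raw bytes per field,
    keeping NUL bytes (%00) rather than silently dropping them."""
    fields = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        key = unquote_to_bytes(key.replace("+", " ")).decode("latin-1")
        fields[key] = unquote_to_bytes(value.replace("+", " "))
    return fields


def classify_login_request(path, body):
    """Return indicator names for one captured POST; empty list if benign."""
    findings = []
    if not path.split("?", 1)[0].endswith(LOGIN_PATHS):
        return findings
    user = decode_form(body).get("username", b"")
    if b"\x00" in user:
        findings.append("nul-byte-in-username")
    if any(sink.encode() in user for sink in LUA_SINKS):
        findings.append("lua-sink-in-username")
    return findings


def scan_session_file(text):
    """Flag lines of a Lua session file that call a process-spawning sink."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for sink in LUA_SINKS:
            if sink in line:
                hits.append("line %d: %s" % (number, sink))
    return hits


# Constructed sample traffic and session contents (not real captures).
SAMPLE_REQUESTS = [
    ("/loginok.html", "username=alice&password=s3cret"),
    ("/loginok.html", "username=anonymous%00%22%0Aos.execute%28%22id%22%29%0A--&password=x"),
    ("/main.html?command=list", "username=anonymous%00"),
]
BENIGN_SESSION = 'username = "alice"\nlogin_time = 1700000000\n'
INJECTED_SESSION = 'username = "anonymous"\nos.execute("id")\n--"\n'


def triage(requests=SAMPLE_REQUESTS):
    """Map request index to findings, keeping only requests that raised one."""
    return {i: f for i, (p, b) in enumerate(requests) if (f := classify_login_request(p, b))}


if __name__ == "__main__":
    print(triage())
    print(scan_session_file(INJECTED_SESSION))
```

The request-side check is the one to wire into a WAF or proxy log pipeline; the session-file scan is the post-incident check, since a session written before the upgrade to 7.4.4 will still execute its Lua the next time it is loaded.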
💻 Usage
Execute a simple shell command:
Trigger a reverse shell:
Dry-run mode (no requests will be sent):
🔄 Changes Made to the Original Exploit
| Feature/Improvement | Description |
|---|---|
| ✅ Argument Parsing | Added argparse CLI support for non-interactive mode |
| 🔐 Input Validation | Ensures valid URL/IP/port before attempting exploit |
| 📦 Header Refactoring | Extracted HTTP headers into a reusable function for consistency |
| 📄 UID Logging | Saves successful UID tokens to found_uids.txt |
| 🧪 Dry-Run Mode | Allows safe testing without sending requests (--dry-run) |
| 🕒 Timeout + Retries | Adds request timeout and automatic retry attempts on failure |
| 🧼 Payload Readability | Reformatted the Lua injection string for clarity and maintenance |
| 📊 Structured Output | Wrapped server responses and payload info with delimiters for easy reading |
| ⚠️ Status Code Checks | Warns user if the target returns unexpected HTTP status codes |
| 📝 Logging System | Replaces print() with the Python logging module for better verbosity control |
⚠️ Disclaimer
This project is intended for educational and authorized security testing only.
Do not use this tool against systems you do not own or have explicit permission to test.