Wing FTP Server Null Byte and Lua Injection RCE
CVE-2025-47812 is a critical remote code execution vulnerability in Wing FTP Server before 7.4.4 affecting Windows, Linux, and macOS. The flaw is caused by improper handling of NULL bytes (\0 / %00) in the username parameter processed by the web interface, particularly the /loginok.html authentication flow. By supplying a crafted username containing a null byte followed by attacker-controlled Lua code, an attacker can cause malicious Lua content to be written into Wing FTP Server session files, which are stored as .lua objects. When the application later deserializes or processes the poisoned session during subsequent requests such as /dir.html, the injected Lua executes on the server. Reporting indicates exploitation can occur through authenticated access or via anonymous FTP accounts when enabled, making the issue effectively unauthenticated in exposed default-like deployments.
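As an added illustration from the defender's side (this is not code from the page, from Wing FTP Server, or from any of the exploit repositories listed below), the following Python models the defect class described above: a username that is validated only up to its first NUL byte but persisted in full. It pairs a hardened validator that rejects control characters and Lua-breaking tokens outright with a detector that scans captured login POST bodies for the same pattern. The endpoint /loginok.html, the username field and the %00 encoding come from the description; the sample request records, the allowed-character set and the token list are constructed assumptions.

```python
"""Defender-side check for NUL-byte smuggling in web login form fields.

Added example, not code from the page, from Wing FTP Server, or from any
of the exploit repositories listed: it models the defect class behind
CVE-2025-47812 (a username validated only up to its first NUL byte but
persisted in full) and shows a hardened validator beside a detector for
captured login POST bodies. The endpoint /loginok.html, the 'username'
field and the %00 encoding come from the description; the sample records
and the allowed-character set are constructed assumptions.
"""
import re
from urllib.parse import parse_qs

# Control characters (NUL, CR, LF, ...) never belong in a username.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Lua long-bracket and comment tokens that could break out of a quoted
# string inside a serialized session file (heuristic, assumed here).
LUA_TOKENS = ("]]", "[[", "--")
# Conservative allow-list for usernames (assumption for this example).
ALLOWED = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def parse_form(body):
    """Parse an application/x-www-form-urlencoded body into a dict.
    %00 decodes to a literal NUL character and is kept, not dropped."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def truncated_view(username):
    """What a C strlen()-style check sees: only the text before the first
    NUL. Shown to make the validate/persist mismatch visible."""
    return username.split("\x00", 1)[0]


def smuggling_reason(username):
    """Return why a value is suspicious, or None if it looks clean."""
    if CONTROL.search(username):
        return "control character in username"
    for token in LUA_TOKENS:
        if token in username:
            return "Lua token %r in username" % token
    return None


def validate_username(username):
    """Hardened form: reject the whole value instead of truncating it.
    Returns (accepted, reason)."""
    if not username:
        return False, "empty username"
    reason = smuggling_reason(username)
    if reason:
        return False, reason
    if not ALLOWED.fullmatch(username):
        return False, "character outside allowed set"
    return True, "ok"


def scan_requests(records):
    """Flag login POSTs whose username carries a NUL byte, another control
    character or a Lua token. Each record is (client_ip, path, body)."""
    hits = []
    for client_ip, path, body in records:
        if path != "/loginok.html":
            continue
        username = parse_form(body).get("username", "")
        reason = smuggling_reason(username)
        if reason:
            hits.append({
                "ip": client_ip,
                "reason": reason,
                # the prefix a NUL-terminated auth check would have validated
                "seen_by_auth": truncated_view(username),
                # the length that would actually be persisted
                "persisted_len": len(username),
            })
    return hits


# Constructed sample records standing in for a WAF or reverse-proxy
# capture of request bodies; none of these are real traffic.
SAMPLE_RECORDS = [
    ("203.0.113.10", "/loginok.html", "username=alice&password=pw"),
    ("203.0.113.11", "/loginok.html", "username=anonymous%00extra&password=x"),
    ("203.0.113.12", "/loginok.html", "username=bob%0d%0aextra&password=x"),
    ("203.0.113.13", "/dir.html", "dir=%2F"),
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_RECORDS):
        print(hit)
```

The detector only sees request bodies, so it needs a capture point that keeps them (a WAF or reverse proxy in front of the web interface); ordinary access logs record the path but not the POST form, which is why `/loginok.html` requests with a clean-looking path can still carry the payload. The `seen_by_auth` field makes the mismatch explicit: the validated prefix is an ordinary account name while `persisted_len` shows how much more was actually stored.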
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
18 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a small standalone Python exploit for CVE-2025-47812 affecting Wing FTP Server <= 7.4.3. The repo contains only three files: an MIT LICENSE, a README with usage guidance and vulnerability background, and a single executable script `exploit.py`. The code is not part of a larger exploitation framework. The exploit targets a flaw in Wing FTP's authentication/session handling where the `username` is truncated at a NULL byte for authentication checks but the full unsanitized value is written into a Lua session file. The script abuses this by sending a crafted POST to `loginok.html` with a username like `anonymous%00]]<lua>--`, causing attacker-controlled Lua to be written into the session. It then extracts the returned `UID` cookie and performs a GET to `dir.html`, which causes the server to load and execute the poisoned Lua session file.

Core capabilities implemented in the script:
- `check`: runs `id` remotely and determines likely vulnerability based on returned output.
- `exec`: executes an arbitrary shell command via Lua `io.popen`, capturing stdout and stderr.
- `detached`: executes an arbitrary command in the background using `setsid`, `nohup`, and `sh -c`, with output redirected to `/dev/null`.
- `shell`: launches a bash reverse shell to an attacker-supplied host and port using `/dev/tcp/<lhost>/<lport>`.

The exploit uses Python `requests.Session`, disables TLS verification warnings, sets browser-like headers, and manages cookies automatically. Output from blocking commands is delimited with `===START===` and `===END===` markers for extraction from the HTTP response body. The implementation is operational rather than a bare PoC because it includes multiple execution modes and a usable reverse-shell delivery path, but payload customization is still manual and not framework-driven.
Fingerprintable target-side endpoints are primarily the Wing FTP web paths `loginok.html` and `dir.html`, with the README documenting common service exposure on ports 5466/5467. The exploit also relies on the `UID` session cookie and sets `client_lang=english`. Example callback infrastructure in the README includes IP `10.10.14.5` and port `4444`, but these are illustrative rather than hardcoded C2 values.
Small standalone exploit repository targeting Wing FTP Server 7.4.3. The repository contains a Makefile, a minimal README, a C program, and a text file with the actual malicious HTTP POST payload. The C program in exploit.c is not the full RCE exploit by itself; it simply opens a TCP socket to a user-supplied IPv4 address on port 80 and sends a basic HTTP GET request for /login.html with Host: ftp.wingdata.htb, then prints the response. The real exploit logic is documented in payload.txt, which contains a crafted POST request to /loginok.html. That request abuses the login parameters password and password_val by injecting Lua code ending in os.execute('calc.exe'), indicating unauthenticated command execution through the web login handler. Overall, the repository appears to be a proof-of-concept/operational exploit package where exploit.c can be used to interact with the target web service, while payload.txt shows the exact HTTP request needed to trigger the vulnerability. No framework usage is present, and there are no hardcoded external C2 endpoints beyond the target host header/domain and HTTP paths.
This repository is a small standalone exploit project containing two files: a README with vulnerability background and usage examples, and a single Python script (exploit.py) that implements the exploit logic. It targets CVE-2025-47812 in Wing FTP Server versions up to 7.4.3, an unauthenticated RCE caused by NULL-byte truncation in username handling combined with unsafe Lua session file execution. The exploit script is a CLI tool built in Python using requests, urllib3, argparse, logging, and ThreadPoolExecutor. Its main capabilities are: validating target URLs; constructing a malicious POST body for /loginok.html; injecting Lua code after a %00 in the username field; obtaining and reusing the returned session/UID cookie; requesting /dir.html to trigger execution of the injected Lua; reading command output from the HTTP response; and reporting whether the target is vulnerable. By default it runs a benign marker command ('echo CVE-2025-47812-VULN') for verification, but it can also execute arbitrary attacker-supplied commands via -c. Operationally, the repository supports both single-target exploitation and multi-target scanning from a file. Additional features include configurable thread count, timeout, retry/backoff behavior, optional SSL verification disablement, verbose logging, and writing vulnerable targets to an output file. The payload is not just a detector: it performs actual command execution through Lua's io.popen(), making this a real exploit rather than a pure detection script. The overall purpose of the repository is to provide an unauthenticated web-based RCE proof-of-concept and scanner for vulnerable Wing FTP Server deployments.
Repository contains a single Python exploit script (CVE-2025-47812.py) and a README describing a critical RCE in Wing FTP Server (< 7.4.4). The exploit is a network-based, interactive CLI tool that targets the Wing FTP Server web interface. Core technique: it crafts a malicious username value containing a URL-encoded null byte (%00) followed by injected Lua code. The injected Lua uses io.popen("<command>") to execute an OS command, reads all output, and prints it. The script POSTs this payload to /loginok.html and then extracts a UID value from the Set-Cookie header (regex UID=([a-f0-9]+)). It then reuses that UID as a Cookie header to POST to /dir.html, which triggers processing of the session and returns the printed command output in the HTTP response body.

Capabilities:
- Arbitrary command execution (user-supplied command; default whoami).
- Reverse shell mode: iterates through several common one-liners (php, bash /dev/tcp, python3 socket, netcat -e, mkfifo+nc) to obtain an interactive shell back to attacker-specified IP:port.

Structure:
- get_uid_cookie(): sends the injection to /loginok.html and harvests UID cookie.
- post_to_dir(): sends POST to /dir.html with Cookie: UID=... and prints response.
- main(): interactive prompts for target URL, username, and either command execution or reverse shell attempts.

No evidence of being part of a larger framework (standalone script).
Repository contains a single Python exploit script (CVE-2025-47812.py) plus README, LICENSE, and requirements.txt. The script targets Wing FTP Server <= 7.4.3 and implements an unauthenticated network RCE by injecting Lua code into crafted login parameters (notably using a null byte %00 and newline encoding %0d) to execute arbitrary OS commands via Lua io.popen(), then prints and captures command output. It supports single-target exploitation and multi-target scanning with ThreadPoolExecutor, optional progress bar (tqdm), colored output (colorama), banner (pyfiglet), proxy support, configurable timeout, verbose mode, and a --check mode that runs a benign command to determine vulnerability. Results can be saved to TXT/JSON/CSV with thread-safe file writing. Primary fingerprintable web endpoints used are /loginok.html (injection point) and /dir.html (likely used for triggering/validation/output retrieval).
Repository contains a standalone Python exploit for CVE-2025-47812 (Wing FTP Server <= 7.4.3) achieving unauthenticated remote code execution through a two-stage chain: (1) NULL-byte authentication bypass in the web login flow combined with Lua code injection into the server-side serialized session file by crafting a username like 'anonymous\x00]]...--'; (2) triggering execution of the poisoned session by accessing an authenticated endpoint (documented as POST /dir.html) with the returned UID cookie, causing Wing FTP to loadfile() and execute the session Lua script and return command output in the HTTP response.

Structure:
- README.md: detailed vulnerability explanation, attack stages, usage examples, remediation, and references.
- exploit.py: main exploit tool with CLI options for --cmd (single command), --shell (interactive pseudo-shell), --revshell (bash reverse shell with optional built-in listener), and --dump (attempts to dump sensitive files such as /etc/passwd, /etc/shadow, Wing.cfg, root SSH key per README). Uses requests/urllib3, supports vhost routing via --vhost, and can disable TLS verification.
- requirements.txt: requests and urllib3.

Notable targeting/IOCs:
- HTTP endpoints: /loginok.html (session creation + injection) and /dir.html (execution trigger).
- Reverse shell technique: /bin/bash with /dev/tcp to attacker lhost:lport; optional local listener binds to a chosen port.

Overall purpose: an operational PoC/exploit utility for authorized testing that automates session poisoning and command execution against vulnerable Wing FTP web interfaces, with convenience modes for interactive use and data exfiltration.
Repository contains a single Python PoC exploit (CVE-2025-47812.py) and a README. The exploit targets Wing FTP Server <= 7.4.3 and achieves unauthenticated RCE by injecting a NULL byte into the web login username parameter so that attacker-supplied Lua code is written into the server’s session file. It then triggers execution by requesting /dir.html with the returned UID cookie, parsing the response to extract command output (text before the XML). The script supports repeated command execution via an interactive prompt (prompt_toolkit) and logs out between commands to mitigate session/concurrent-user limits. Network interaction is limited to three web endpoints on the target: POST /loginok.html (inject + get UID), GET /dir.html (execute + read output), and GET /logout.html (cleanup).
Repository contains a single Python PoC exploit script plus README and MIT license.
- Purpose: Exploit CVE-2025-47812 in Wing FTP Server versions prior to 7.4.4 to achieve remote code execution by injecting Lua code into the username parameter using a NUL byte (%00) truncation issue.
- Core technique: The script sends a POST to /loginok.html with username formatted as: <username>%00]]\r<lua>\r--. The NUL byte causes the server’s credential check (described as using strlen()) to validate only the prefix (e.g., "anonymous"), while the full string (including injected Lua) is written into a server-side session Lua file. The injected Lua uses io.popen("<command>") to execute an OS command and print its output.
- Flow/structure:
  1) CLI args: -u/--url (target base URL), -c/--command (command to run), optional -U/--username (default anonymous), -p/--password.
  2) POST /loginok.html with crafted form body; extracts UID from Set-Cookie header via regex UID=([^;]+).
  3) GET /dir.html with Cookie: UID=<uid>; scrapes the first text chunk from the response (regex r'([^<]+)') and prints it as the command output.

Notable implementation details/limitations:
- Assumes the target returns a UID cookie on the login request and that visiting /dir.html with that UID will surface the printed command output.
- Output parsing is simplistic (first non-'<' text), which may be unreliable depending on HTML structure.
- Uses requests for HTTP and imports pwntools only for pretty printing (success/error).
Repository purpose: a standalone Python 3 exploit tool for CVE-2025-47812 (Wing FTP Server < 7.4.4) providing unauthenticated remote code execution via the web interface.

Structure:
- LICENSE: MIT.
- README.md: documents the vulnerability mechanics (null byte %00 in username at /loginok.html leading to Lua injection into session files evaluated later via /dir.html), affected versions, and usage examples for command execution and reverse shells.
- wingftp_rce_exploit.py (~15.9 KB): main exploit implementation with both CLI and interactive modes.

Exploit capabilities (from README and code):
- Pre-flight reachability check using HTTP GET to the provided base URL.
- Unauthenticated RCE in two modes:
  1) Command execution mode: send crafted requests to plant Lua that runs an arbitrary command, then trigger evaluation and capture output (optionally save to a local output file).
  2) Reverse shell mode: attempts multiple payloads (or a user-selected one) to connect back to attacker listener (RHOST:RPORT). Payloads include socat (PTY), bash /dev/tcp, python3 socket+subprocess, netcat variants, and PHP.
- Operational features: configurable timeout/delay, verbose logging, automatic session UID extraction (per README), graceful Ctrl+C handling, and payload attempt summary.

Notable observables:
- HTTP endpoints central to exploitation: /loginok.html (injection) and /dir.html (trigger).
- Local/target-side file path used by a payload: /tmp/f (mkfifo-based netcat shell).

Overall, this is an operational exploit tool (not just detection) with multiple built-in payload options and user-friendly execution paths (interactive menu + argparse CLI).
Repository contains a single shell script PoC exploit (CVE-2025-47812.sh) targeting Wing FTP Server 7.4.3 for unauthenticated RCE, assuming anonymous access is available. The script takes two arguments: TARGET base URL and a command string. It uses curl to POST to /loginok.html with a crafted username parameter containing URL-encoded control characters and Lua code that calls io.popen("CMD"), reads all output, and prints it. It then extracts the session cookie value (UID) from the Set-Cookie header and performs a second request to /dir.html with that UID cookie to obtain the reflected command output, trimming trailing page content via awk. No additional tooling, modules, or framework integration is present; dependencies are curl and awk.
This repository contains a working exploit for CVE-2025-47812, a critical remote code execution vulnerability in Wing FTP Server versions prior to 7.4.4. The exploit is implemented in a single Python script (CVE-2025-47812.py) and is accompanied by a detailed README.md explaining the vulnerability, impact, and usage. The exploit works by injecting arbitrary Lua code into the 'username' parameter of a POST request to the /loginok.html endpoint. The server processes this input unsafely, resulting in the execution of attacker-supplied Lua code. The script can execute arbitrary system commands or deliver a reverse shell payload using several techniques (bash, python, PHP, netcat). After successful injection, the script uses the /dir.html endpoint with the obtained UID cookie to trigger the execution and retrieve the output. The exploit is operational and provides both command execution and reverse shell capabilities. It targets unauthenticated or anonymous users and affects Windows, Linux, and macOS platforms. The code is straightforward, with clear user prompts and output, making it easy to use for penetration testers or attackers. No hardcoded payloads are present; the user can specify commands or reverse shell parameters at runtime. No external framework is used; the exploit is standalone.
This repository contains a working exploit for CVE-2025-47812, a critical remote code execution vulnerability in Wing FTP Server versions prior to 7.4.4. The exploit leverages a flaw in the handling of null bytes in the login process, allowing unauthenticated (if anonymous login is enabled) or authenticated attackers to inject arbitrary Lua code via the username parameter. The injected Lua code executes system commands, and the output is retrieved from the /dir.html endpoint using a session UID leaked in the Set-Cookie header. The exploit is implemented as a single Python script (wingftp_cve_2025_47812.py) that supports both single-target and multi-target modes, proxying, custom credentials, and an interactive shell. The README provides detailed usage instructions and context. The main attack vector is network-based, targeting the HTTP(S) interface of the Wing FTP Server. The script is operational and provides reliable command execution and shell access on vulnerable targets.
This repository contains a Python 3 exploit for CVE-2025-47812, a critical unauthenticated remote code execution vulnerability in Wing FTP Server versions prior to 7.4.4. The exploit leverages improper null byte handling in the /loginok.html endpoint, allowing attackers to inject Lua code into session files via a crafted username parameter. This code is later executed when the /dir.html endpoint is accessed, enabling arbitrary command execution or reverse shell access on the target server. The exploit script (exploit.py) is modular and user-interactive, supporting both direct command execution and multiple reverse shell payloads (bash, python3, netcat, PHP, FIFO+netcat). The script automatically extracts the required session UID cookie and handles all necessary HTTP requests. The repository is well-documented, with a README providing usage instructions, payload details, and mitigation advice. No detection-only scripts or fake code are present; the exploit is fully operational and weaponized for unauthenticated RCE against vulnerable Wing FTP Server instances.
This repository contains a fully functional exploit for CVE-2025-47812, a critical remote code execution vulnerability in Wing FTP Server versions <= 7.4.3. The exploit leverages improper input validation in the authentication process, allowing an attacker to inject arbitrary Lua code into session files by including a NULL byte in the username. This code is later executed with root (Linux) or SYSTEM (Windows) privileges when the session is loaded, resulting in full system compromise. The main exploit script is 'exploit.py', a Python 3 script that automates the attack. It supports both unauthenticated (if anonymous login is enabled) and authenticated exploitation. The script forges a malicious login request to the '/loginok.html' endpoint, injecting a Lua payload that spawns a reverse shell back to the attacker's machine. The script can also set up a listener to catch the shell. After successful login and payload injection, the exploit triggers the payload by accessing '/dir.html' with the appropriate session cookie. The repository includes a README.md with detailed vulnerability background, usage instructions, and references. The only code file is 'exploit.py'; other files are license, requirements, and image metadata. The exploit is operational, providing a working reverse shell payload and robust error handling. No hardcoded IPs or credentials are present; all parameters are user-supplied. The exploit targets both Linux and Windows platforms running vulnerable versions of Wing FTP Server.
This repository contains a proof-of-concept exploit for CVE-2025-47812, a remote command execution vulnerability in Wing FTP Server. The main exploit script (CVE-2025-47812.py) is a standalone Python tool that targets the server's HTTP(S) interface. It abuses the 'username' parameter during authentication to inject and execute arbitrary Lua-based system commands, resulting in full remote code execution. The script supports both direct command execution and multiple reverse shell payloads (bash, Python, netcat, PHP), which can be selected via command-line arguments. It features input validation, retry logic, dry-run mode, and logs successful UID tokens to a file. The exploit interacts with two main endpoints: '/loginok.html' for the initial payload injection and '/dir.html' for triggering and displaying the command output. The repository is structured with a single exploit script, a README detailing usage and features, and a license file. This exploit is intended for authorized security testing and demonstrates a critical RCE vector over the network.
This repository contains a Python exploit script (CVE-2025-47812.py) targeting a Lua injection vulnerability in Wing FTP Server (versions <= 7.4.3). The exploit abuses the 'username' parameter in the /loginok.html endpoint to inject and execute arbitrary Lua code, resulting in OS command execution with root/SYSTEM privileges. The script provides an interactive CLI allowing the user to execute arbitrary commands or attempt multiple reverse shell payloads (bash, python, nc, php) against the target. The exploit is operational and not part of a framework. The repository includes a README with usage instructions, a LICENSE (MIT), and a .gitignore. The main entry point is CVE-2025-47812.py, which handles all exploit logic, including payload crafting, HTTP requests, and output parsing. The attack vector is network-based, requiring access to the target's HTTP(S) interface.
This repository contains a functional proof-of-concept exploit for CVE-2025-47812, a remote code execution vulnerability in Wing FTP Server versions 7.4.3 and earlier. The exploit is implemented in a single Python script (CVE-2025-47812-poC.py) and allows an unauthenticated attacker to execute arbitrary commands or obtain a reverse shell on the target server. The exploit works by injecting Lua code into the 'username' parameter during login, exploiting improper NULL byte handling. The script interacts with the server's '/loginok.html' and '/dir.html' endpoints to perform the attack. It supports both direct command execution and multiple reverse shell payloads (bash, python, PHP, netcat). The repository also includes a README with usage instructions and a LICENSE file. No hardcoded IPs or domains are present; the user supplies the target URL and reverse shell parameters at runtime. The exploit is operational and suitable for real-world testing on vulnerable systems.
This repository contains a Python exploit script (CVE-2025-47812.py) targeting a critical unauthenticated remote code execution (RCE) vulnerability (CVE-2025-47812) in Wing FTP Server versions up to 7.4.3. The exploit leverages improper handling of NULL bytes in the username parameter during authentication, allowing attackers to inject Lua code into session files. When an authenticated endpoint (such as /dir.html) is accessed with the malicious session, the injected code is executed, resulting in arbitrary command execution with root (Linux) or SYSTEM (Windows) privileges. The script supports both single-target and batch scanning modes, allows custom command execution, and can operate with anonymous or supplied credentials. The main exploit logic is contained in CVE-2025-47812.py, which is the only code file in the repository. The README.md provides detailed background, usage instructions, and references to the original vulnerability research. No hardcoded IPs or domains are present; the script requires the user to supply the target URL(s). The attack vector is network-based, exploiting the web interface of the vulnerable FTP server.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
61 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An unauthenticated remote code execution vulnerability in WingFTP, referenced as a Metasploit module PR.
A critical remote code execution vulnerability in Wing FTP Server referenced as part of an exploit chain with CVE-2025-47813.
A critical remote code execution vulnerability in Wing FTP Server that has been actively exploited in the wild.
A critical remote code execution vulnerability in Wing FTP Server that has been exploited in the wild and may be chained with CVE-2025-47813.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.