This article introduces CVE-2025-47812 in Wing FTP Server 7.4.3, a critical remote code execution (RCE) vulnerability affecting all versions prior to 7.4.4. The root cause is a null byte injection that leads to arbitrary Lua code injection: an attacker sends a crafted login payload and then reuses the resulting cookie to execute arbitrary system commands with high privileges. To mitigate it, the vendor recommends upgrading Wing FTP Server to 7.4.4 or later and disabling anonymous FTP login where it is not needed.

Vulnerability Overview

CVE-2025-47812 is a critical remote code execution (RCE) vulnerability in Wing FTP Server, a cross-platform file transfer server that supports multiple protocols.

Affected versions: Wing FTP Server versions prior to 7.4.4

Root cause: arbitrary Lua code injection caused by null byte injection.

Exploitation Mechanism

The web authentication interface of Wing FTP Server fails to properly filter null bytes (\0, or %00 when URL-encoded) when processing login requests. The attack chain typically has two stages; the third point below describes the resulting impact:

  1. Payload injection: when the attacker sends an authentication request to the login endpoint (e.g. loginok.html), they insert %00 into the username parameter and append malicious Lua script code after it. Because the underlying C++ code treats a string as terminated at the first null byte, the backend authentication logic may validate only the characters before %00 (for example the passwordless anonymous account, or some known ordinary account). However, the entire original string, including the malicious Lua code, is written unchanged into the system's session file.
  2. Trigger execution: once the session file is tainted, the attacker only needs to send a second request carrying the corresponding cookie to any page that requires authentication (e.g. dir.html). The server then reads and deserializes the session file, which directly triggers execution of the injected Lua code.
  3. Privilege escalation: because the Wing FTP service usually runs with very high privileges by default, the Lua code ends up executing as root (on Linux) or SYSTEM (on Windows), so the attacker can run arbitrary system commands without restriction.
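To make the root cause concrete from the defender's side, here is an added example (not code from the article or from Wing FTP Server) that models the NUL-truncation split on constructed login records and flags requests where the prefix an authenticator would validate differs from the full string that would be persisted; the loginok.html path and the username value come from the text above, everything else (record format, function names) is assumed.

```python
"""Added example: model the CVE-2025-47812 root cause and flag login requests
carrying it. A C-style string consumer stops at the first NUL, so the auth
check sees only the prefix while the whole buffer is persisted to the session
file; the detector alerts whenever those two views differ."""

from urllib.parse import parse_qs

# Constructed sample requests: (method, path, URL-encoded form body).
# The third body carries a double-encoded "%2500", which decodes to literal "%00" text, not a NUL.
SAMPLE_REQUESTS = [
    ("POST", "/loginok.html", "username=alice&password=secret"),
    ("POST", "/loginok.html", "username=anonymous%00os.execute('whoami')&password="),
    ("POST", "/loginok.html", "username=bob%2500&password=x"),
    ("GET", "/dir.html", ""),
]

def as_c_string(value: str) -> str:
    """What a strlen/strcmp-based check sees: everything before the first NUL."""
    return value.split("\x00", 1)[0]

def classify_login(form_body: str) -> dict:
    """Compare the prefix the authenticator validates with the full string
    that would be written to the session file."""
    username = parse_qs(form_body, keep_blank_values=True).get("username", [""])[0]
    validated = as_c_string(username)
    return {
        "validated_as": validated,
        "persisted_length": len(username),
        "alert": validated != username,  # True only when a NUL split the string
    }

def scan_requests(records) -> list:
    """Return (path, validated_prefix, persisted_length) for suspicious logins."""
    alerts = []
    for method, path, body in records:
        if method == "POST" and path.endswith("loginok.html"):
            result = classify_login(body)
            if result["alert"]:
                alerts.append((path, result["validated_as"], result["persisted_length"]))
    return alerts

def username_is_safe(username: str) -> bool:
    """Hardened input rule: refuse any control byte (including NUL) before the
    value reaches authentication or session storage."""
    return all(ord(ch) >= 0x20 for ch in username)
```

Run `scan_requests(SAMPLE_REQUESTS)` over real access-log or proxy records in the same (method, path, body) shape to get one alert per null-byte login attempt.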

Red Team Testing Approach

In an authorized penetration test, the path to reproduce and verify this vulnerability is straightforward:

  • Traffic interception and tampering: start Burp Suite (a web application security testing tool), point the browser's proxy at it and intercept the login POST request to the target site. In the Repeater module, change username to something like anonymous%00os.execute('whoami') (os.execute is Lua's operating-system execute function).
  • Tool weaponization: for batch verification, write an automated script with Python's requests HTTP library on Kali Linux (a penetration testing distribution): first send the authentication request containing the malicious payload to obtain a cookie, then use that cookie to access the directory endpoint and print the echoed result.

Defensive Measures

The vendor has fixed this issue. The only complete fix is to upgrade Wing FTP Server to 7.4.4 or later. As a defense-in-depth mitigation, disable anonymous FTP login in the configuration immediately if it is not needed.
