In this tutorial we will be looking at how to exploit an authenticated command execution vulnerability in Wing FTP Server 4.3.8 and how to fix this security issue. Authenticated command execution vulnerabilities allow an authenticated attacker to execute arbitrary commands on the target system. In this situation the vulnerability is still ‘protected’ by an authentication layer, because the vulnerability resides in the administrator panel. Unauthenticated command execution vulnerabilities are far more dangerous, as they reside in publicly accessible places and can be exploited by anyone without authentication. Before we analyse and exploit this vulnerability we will first have a look at Wing FTP Server in general and its extensive list of features.

Wing FTP Server is a multi-protocol, enterprise-grade file server with a lot of features that runs on multiple platforms such as Windows, Linux, Mac OS X and Solaris. The file server supports many protocols: FTP, FTPS (FTP with SSL), HTTP, HTTPS and SFTP. Wing FTP Server is actively maintained with regular monthly updates; the latest release is version 4.8.5, which was released in February 2017. Some nice features I personally like about Wing FTP are the remote web-based administration panel, the web-based client, the virtual servers and of course the APIs. Wing FTP Server is distributed under a shareware license, and you can download and evaluate a fully functional trial version for 30 days. After 30 days, you can continue using it as a Free edition for non-commercial use. More information can be found on the Wing FTP website.

Wing FTP 4.3.8 Authenticated Command Execution Vulnerability

The vulnerable part of Wing FTP 4.3.8 is the embedded Lua interpreter in the admin web interface. This part of the software can only be accessed by an authenticated administrator user. In the case of Wing FTP on Windows the attacker is able to use os.execute() by supplying a specially crafted HTTP POST request, or simply through the web administrator panel. The os.execute() function in the Lua interpreter can then be used to execute arbitrary system commands on the target host. When exploiting this vulnerability the executed commands run in the context of the user running the vulnerable software. In the case of Wing FTP 4.3.8 on Windows the arbitrary commands are executed with system privileges, as we will demonstrate in this tutorial.

Before we are able to execute commands we need to have admin credentials to log in to the administrator panel. There are many ways to get hold of credentials for web applications, depending on how they are installed and accessed. One of them is SQL injection when credentials are stored in a database. Another option is local file inclusion when they are stored in files on the server. Let’s have a look first at how Wing FTP version 4.3.8 stores administrator credentials.
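To illustrate the weakness described above, the following is an added example (not code from the original post or from Wing FTP itself) showing why an embedded Lua interpreter that runs admin-supplied scripts with the full global environment hands out os.execute(), and how an allowlisted environment removes it from a script's reach. It assumes Lua 5.2 or later, and the function names (run_unrestricted, run_sandboxed, make_sandbox_env) are my own.

```lua
-- Added example, not Wing FTP's code. Requires Lua 5.2 or later
-- (load() with an explicit environment table). Run with: lua sandbox.lua

-- Constructed sample of an admin-supplied script that probes whether
-- os.execute() is reachable from the interpreter it runs in.
local script = [[
  if type(os) == "table" and type(os.execute) == "function" then
    return "os.execute reachable"
  end
  return "os.execute not reachable"
]]

-- Weak pattern: the chunk inherits the interpreter's full global
-- environment, so os.execute, io, require, load and friends are all
-- available to whoever can submit a script.
local function run_unrestricted(src)
  local chunk, err = load(src, "admin-script", "t")
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Hardened pattern: an allowlist environment holding only the functions
-- the scripts legitimately need. Anything not listed (os, io, package,
-- require, load, dofile, debug) is absent from _ENV, so a script cannot
-- reach it by name. Mode "t" also refuses precompiled bytecode, which
-- is a classic way to break out of Lua sandboxes. CPU and memory limits
-- are a separate concern and are not addressed here.
local function make_sandbox_env()
  return {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    next = next, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type,
    string = { format = string.format, sub = string.sub,
               len = string.len, find = string.find },
    table  = { concat = table.concat, insert = table.insert,
               remove = table.remove },
    math   = { floor = math.floor, max = math.max, min = math.min },
  }
end

local function run_sandboxed(src)
  -- A fresh environment per script so one script cannot poison another's.
  local chunk, err = load(src, "admin-script", "t", make_sandbox_env())
  if not chunk then return false, err end
  return pcall(chunk)
end

local ok, result = run_unrestricted(script)
print("unrestricted:", ok, result)
ok, result = run_sandboxed(script)
print("sandboxed:", ok, result)
```

In the first run the probe finds os.execute(); in the sandboxed run the same script only sees the allowlisted tables and reports it as unreachable.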