MCPwn: Unauthenticated MCP takeover in Nginx UI

This repository is a self-contained Docker lab and Python exploit demonstrating a chained zero-credential compromise of nginx-ui. The main exploit is exploit/exploit.py, which performs two stages: first, it abuses unauthenticated GET /api/backup to download an encrypted backup and recover the AES key/IV from the X-Backup-Security header, then decrypts nginx-ui.zip and parses app.ini to extract the [node] Secret. Second, it uses that secret to open an SSE session on /mcp, recover a sessionId, and then invoke privileged MCP tools through unauthenticated POST /mcp_message requests. The intended post-exploitation action is nginx takeover by overwriting default.conf so traffic is proxied to http://malicious_site:80, followed by reload_nginx to make the change live immediately. A reset path restores proxying to http://webapp:80. Repository structure supports the demo: docker-compose.yml launches a vulnerable uozi/nginx-ui:v2.3.1 instance on ports 8080 and 9000, a legitimate webapp container, and a malicious phishing container. nginx-ui/app.ini contains the lab configuration, including an empty Node.IPWhiteList and a node secret. nginx/conf.d/default.conf is the initial legitimate reverse-proxy config. webapp/index.html is the benign login page, while malicious/index.html is a phishing clone with a client-side credential capture panel exposed via ?debug=1 for demonstration. Overall, this is a real exploit repository rather than a detector: it automates credential-less secret extraction, privileged MCP access, configuration overwrite, and live nginx reload to redirect victim traffic.